Date: Sun, 19 Dec 2004 13:50:11 -0500
From: Louis LeBlanc <FreeBSD@keyslapper.org>
To: freebsd-questions@FreeBSD.org
Subject: Re: courier imap keys and self-signed ca signing
Message-ID: <20041219185011.GA36223@keyslapper.org>
In-Reply-To: <41C5C460.70800@daniel.stefan.haischt.name>
References: <000d01c4e5f2$7add5b30$0400a8c0@satellite> <20041219180247.GA33770@keyslapper.org> <41C5C460.70800@daniel.stefan.haischt.name>
Actually, it was recently brought up on the OpenSSL users list, and
mentioned that *newer* clients would be fine with a cert for *.foobar.com
in place of imap.foobar.com or smtp.foobar.com. I wrote SSL functionality
into a client app 4 years ago (OpenSSL 0.9.?) that handled wildcard certs
without a problem. I never got back around to checking for multiple
domain certs, but it should work.

The link I provided describes how to tweak the OpenSSL config file to
allow alternative names as well, to include, for instance, *.snafu.com on
the same cert. Again, *newer* clients should be fine with this, but if you
want to support old school browsers, stick with single domain certs.

Lou

On 12/19/04 07:11 PM, Daniel S. Haischt sat at the `puter and typed:
> That's true if each of his servers will have the
> same common name (CN). But if one server resides
> for example on imap.foobar.com and the other
> at smtp.foobar.com, he has to use a different
> certificate.
>
> Mozilla/Netscape browsers are quite picky if it
> comes to wrong CN attributes.
>
> BTW Dave - If you did install Apache together with
> mod_ssl the mod_ssl manual could be found at:
>
> -> http://localhost/manual/ssl/
>
> Louis LeBlanc wrote:
> > On 12/19/04 12:45 PM, dave sat at the `puter and typed:
> >
> >> Hello,
> >>   I've got a 5.3 box that I'm using as a self-signing CA. I want to get
> >> keys going for all the various protocols I use, http, which I've done, pop
> >> and imap, and smtp. It's these last three I'm having the headache. I'm using
> >> postfix as my MTA and courier imap for pop/imap, I know that the latter has
> >> a program to generate keys but not CSRs, I'm not sure how to get keys from
> >> courier and/or postfix to the CA for signing. I'm probably missing something
> >> very basic, and would appreciate any help.
> >> Thanks.
> >> Dave.
> >
> >
> > Why would you want to use multiple methods? Just create a single self
> > signed CA from OpenSSL and use it to sign a single cert for all your
> > servers. You could also just use a self signed cert for all of them.
> >
> > Check out this info:
> > http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
> >
> > That will tell you about using a single cert for multiple domains if
> > that is what you need.
> >
> > Hope this helps.
> >
> > Lou
>
> --
> With kind regards
>
> Daniel S. Haischt   | phone:    +49 -7032-992909
> Grabenstrasse 11    |           +49 -700-DHAISCHT
>                     | fax:      +49 -7032-992910
> D-71083 Herrenberg  | fax2mail: +49 -7032-7999738
> GERMANY             | cell:     +49 -172-7668936
>
> SIP: sip:haischt@daniel-s-haischt.biz:5060
> email: me@daniel.stefan.haischt.name
> web: http://www.daniel.stefan.haischt.name/
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

--
Louis LeBlanc               FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

A Pope has a Water Cannon. It is a Water Cannon.
He fires Holy-Water from it. It is a Holy-Water Cannon.
He Blesses it. It is a Holy Holy-Water Cannon.
He Blesses the Hell out of it. It is a Wholly Holy Holy-Water Cannon.
He has it pierced. It is a Holey Wholly Holy Holy-Water Cannon.
He makes it official. It is a Canon Holey Wholly Holy Holy-Water Cannon.
Batman and Robin arrive. He shoots them.
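The procedure Lou describes (one self-signed CA, one server cert carrying subjectAltName entries for every mail host, per the x509v3_config manual), as an added example that is not from the thread or from any poster; the host names under foobar.example and snafu.example and the file paths are constructed, and the two check functions at the end are the ones worth running before handing the cert to courier or postfix.

```shell
#!/bin/sh
# Added example, not from the thread: a self-signed CA signs one server cert
# whose subjectAltName covers the IMAP/SMTP/POP hosts plus a wildcard (constructed names).
set -e

WORK=${WORK:-$(mktemp -d)}

# v3 extension section in the form the x509v3_config manual describes.
write_san_ext() {
    cat > "$WORK/san.cnf" <<'EOF'
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:imap.foobar.example, DNS:smtp.foobar.example, DNS:pop.foobar.example, DNS:*.snafu.example
EOF
}

# Self-signed CA key + cert, then one server key + CSR, then sign the CSR
# with the CA while attaching the SAN extension (the CSR itself carries no SAN).
make_certs() {
    write_san_ext
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Self-Signed CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=imap.foobar.example" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -extensions server_ext \
        -out "$WORK/server.crt" 2>/dev/null
}

# Returns 0 if server.crt chains to ca.crt, which is what a client that has
# the CA installed as trusted will check.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 if the signed cert lists $1 as a DNS SAN entry; run this before
# deploying so a missing name is caught here rather than by picky clients.
cert_has_san() {
    openssl x509 -in "$WORK/server.crt" -noout -text 2>/dev/null \
        | grep -qF -- "DNS:$1"
}

make_certs
verify_chain && echo "server.crt verifies against ca.crt in $WORK"
```

The same server.key and server.crt can then be pointed at from both the courier imap/pop and the postfix configuration, since the cert names all of the hosts.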