Date: Sun, 19 Dec 2004 21:49:56 +0000
From: Dick Davies <rasputnik@hellooperator.net>
To: freebsd-questions@FreeBSD.org
Subject: Re: courier imap keys and self-signed ca signing
Message-ID: <20041219214955.GA7774@lb.tenfour>
In-Reply-To: <20041219180247.GA33770@keyslapper.org>
References: <000d01c4e5f2$7add5b30$0400a8c0@satellite> <20041219180247.GA33770@keyslapper.org>
* Louis LeBlanc <FreeBSD@keyslapper.org> [1204 18:04]:
> On 12/19/04 12:45 PM, dave sat at the `puter and typed:
> > Hello,
> >   I've got a 5.3 box that I'm using as a self-signing CA. I want to get
> > keys going for all the various protocols I use: http, which I've done, pop
> > and imap, and smtp. It's these last three I'm having the headache with. I'm
> > using postfix as my MTA and courier imap for pop/imap; I know that the
> > latter has a program to generate keys but not CSRs. I'm not sure how to get
> > keys from courier and/or postfix to the CA for signing. I'm probably missing
> > something very basic, and would appreciate any help.

Dave, why not just generate the CSRs on the CA, then scp them to the
individual servers?

If you have a CA, just do:

  # generate a request
  # (do a find for CA.pl, it should be under /etc/ somewhere.)
  ./CA.pl -newreq-nodes
  # then sign it
  ./CA.pl -sign

That produces newcert.pem. Then:

  newreq.pem  = the server key
  newcert.pem = the server certificate

Rename the two files to something memorable:

  mv newreq.pem  imap.domain.key
  mv newcert.pem imap.domain.cert

and scp them to wherever they should live.

> Why would you want to use multiple methods? Just create a single self
> signed CA from OpenSSL and use it to sign a single cert for all your
> servers. You could also just use a self signed cert for all of them.

Unless I read that wrong, you're suggesting having all servers
(imap/https/database/etc.) on a host share a single server cert.
Don't you think that's a bit iffy security-wise? Then I have to have a
server key readable by all the servers (many of which run as different
users), and if one is taken they are all impersonatable.

> Check out this info:
> http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
>
> That will tell you about using a single cert for multiple domains if
> that is what you need.

Useful link.

I've used that for situations where I have two or more hosts in a load
balance group, where I set the subjectAltName to ldap.domain, and the CNs
are ldap1...n.domain. Then clients that aren't ldap-uri aware (which
allows multiple servers to be listed) can just use a round-robin DNS
entry of ldap.domain and still see that the server is what they expected.

I'm not sure http browsers (for example) are aware of that field, however.

-- 
'You may need to metaphorically make a deal with the devil.
 By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat.'
 -- Bender
Rasputin :: Jack of All Trades - Master of Nuns
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041219214955.GA7774>
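The workflow the reply describes, written out with plain `openssl` commands instead of CA.pl, as an added example that is not part of the original thread: one private CA on the CA box, a separate key and CSR per service (so an imap key compromise does not make smtp or https impersonatable), signing on the CA, a subjectAltName for the load-balanced ldap1/ldap2 pair so clients can connect to ldap.domain, and the checks worth running before scp'ing the result. The domain `example.test`, the `$WORK` directory layout, and the `demo` function are assumptions made for this example; the real CA.pl flow writes `newreq.pem`/`newcert.pem` instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires the openssl CLI.
# Domain, directory layout and function names are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumed scratch dir; real keys live elsewhere
CADIR="$WORK/ca"
DOMAIN="${DOMAIN:-example.test}"      # assumed domain; the thread just says "domain"

# 1. Self-signed CA. The CA key never leaves this directory and is never scp'd.
make_ca() {
    mkdir -p "$CADIR"
    chmod 700 "$CADIR"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" \
        -subj "/CN=Private CA for $DOMAIN" >/dev/null 2>&1
    chmod 600 "$CADIR/ca.key"
}

# 2. Key + CSR for one service, signed by the CA.
#    $1 = service hostname (goes in the CN and the SAN);
#    further args = extra subjectAltName DNS entries (e.g. the load-balanced name).
#    Every service gets its own key file, so only that service's user needs to read it.
issue_cert() {
    host="$1"; shift
    out="$WORK/$host"
    mkdir -p "$out"
    san="DNS:$host"
    for alt in "$@"; do san="$san,DNS:$alt"; done

    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out/$host.key" -out "$out/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    chmod 600 "$out/$host.key"   # on the target host: chown to the service user as well

    # Extensions the CA adds at signing time: SAN, server-auth EKU, not a CA.
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$san" \
        > "$out/ext.cnf"

    openssl x509 -req -in "$out/$host.csr" \
        -CA "$CADIR/ca.crt" -CAkey "$CADIR/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$out/ext.cnf" \
        -out "$out/$host.crt" >/dev/null 2>&1
}

# 3. Checks before copying files to the server: the cert chains to our CA,
#    and the key on disk really is the one the cert was issued for.
verify_cert() {
    host="$1"
    out="$WORK/$host"
    openssl verify -CAfile "$CADIR/ca.crt" "$out/$host.crt" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$out/$host.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$out/$host.key" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# DNS names a cert is valid for, space-separated. Clients match the SAN,
# which is why the load-balanced name must be listed there, not only in the CN.
cert_sans() {
    openssl x509 -noout -text -in "$WORK/$1/$1.crt" \
        | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ $//'
}

# One cert per service, plus an ldap pair that both carry ldap.$DOMAIN as a SAN.
demo() {
    make_ca
    issue_cert "imap.$DOMAIN"
    issue_cert "smtp.$DOMAIN"
    issue_cert "ldap1.$DOMAIN" "ldap.$DOMAIN"
    issue_cert "ldap2.$DOMAIN" "ldap.$DOMAIN"
    for h in "imap.$DOMAIN" "smtp.$DOMAIN" "ldap1.$DOMAIN" "ldap2.$DOMAIN"; do
        verify_cert "$h"
        echo "$h: $(cert_sans "$h")"
    done
}

demo
echo "output under $WORK; scp each service's .key/.crt to its host, never ca.key"
```

After running it, `$WORK/imap.example.test/` holds only that service's key and certificate; that pair is what gets scp'd to the imap host and chowned to the courier user there. The CA key stays under `$WORK/ca` with mode 0600, and because `openssl x509 -req` only ever reads the CSR, the server keys never have to travel to the CA box when the CSRs are generated on the servers instead.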