courier imap keys and self-signed ca signing
FreeBSD at keyslapper.org
Sun Dec 19 10:50:26 PST 2004
Actually, it was recently brought up on the OpenSSL users list, and
mentioned that *newer* clients would be fine with a cert for
*.foobar.com in place of imap.foobar.com or smtp.foobar.com.
I wrote SSL functionality into a client app 4 years ago (OpenSSL
0.9.?) that handled wildcard certs without a problem. I never got
back around to checking for multiple domain certs, but it should work.
The link I provided describes how to tweak the OpenSSL config file to
allow alternative names as well, to include, for instance, *.snafu.com
on the same cert. Again, *newer* clients should be fine with this,
but if you want to support old school browsers, stick with single
On 12/19/04 07:11 PM, Daniel S. Haischt sat at the `puter and typed:
> That's true if each of his servers will have the
> same common name (CN). But if one server resides
> for example on imap.foobar.com and the other
> at smtp.foobar.com, he has to use different
> Mozilla/Netscape browsers are quite picky if it
> comes to wrong CN attributes.
> BTW Dave - If you did install Apache together with
> mod_ssl the mod_ssl manual could be found at:
> -> http://localhost/manual/ssl/
> Louis LeBlanc schrieb:
> > On 12/19/04 12:45 PM, dave sat at the `puter and typed:
> >> I've got a 5.3 box that i'm using as a self-signing ca. I want to get
> >>keys going for all the various protocols i use, http, which i've done, pop
> >>and imap, and smtp. It's these last three i'm having the headache. I'm using
> >>postfix as my MTA and courier imap for pop/imap, i know that the latter has
> >>a program to generate keys but not csr's, i'm not sure how to get keys from
> >>courier and/or postfix to the ca for signing. I'm probably missing somehing
> >>very basic, and would appreciate any help.
> > Why would you want to use multiple methods? Just create a single self
> > signed CA from OpenSSL and use it to sign a single cert for all your
> > servers. You could also just use a self signed cert for all of them.
> > Check out this info:
> > http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
> > That will tell you about using a single cert for multiple domains if
> > that is what you need.
> > Hope this helps.
> > Lou
> Mit freundlichen Gruessen / With kind regards
> Daniel S. Haischt | phone: +49 -7032-992909
> Grabenstrasse 11 | +49 -700-DHAISCHT
> | fax: +49 -7032-992910
> D-71083 Herrenberg | fax2mail: +49 -7032-7999738
> GERMANY | cell: +49 -172-7668936
> SIP: sip:haischt at daniel-s-haischt.biz:5060
> email: me at daniel.stefan.haischt.name
> web: http://www.daniel.stefan.haischt.name/
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
Louis LeBlanc FreeBSD at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
A Pope has a Water Cannon. It is a Water Cannon.
He fires Holy-Water from it. It is a Holy-Water Cannon.
He Blesses it. It is a Holy Holy-Water Cannon.
He Blesses the Hell out of it. It is a Wholly Holy Holy-Water Cannon.
He has it pierced. It is a Holey Wholly Holy Holy-Water Cannon.
He makes it official. It is a Canon Holey Wholly Holy Holy-Water Cannon.
Batman and Robin arrive. He shoots them.
More information about the freebsd-questions