courier imap keys and self-signed ca signing

Dick Davies rasputnik at hellooperator.net
Sun Dec 19 13:49:57 PST 2004


* Louis LeBlanc <FreeBSD at keyslapper.org> [1204 18:04]:
> On 12/19/04 12:45 PM, dave sat at the `puter and typed:
> > Hello,
> >     I've got a 5.3 box that i'm using as a self-signing ca. I want to get
> > keys going for all the various protocols i use, http, which i've done, pop
> > and imap, and smtp. It's these last three i'm having the headache. I'm using
> > postfix as my MTA and courier imap for pop/imap, i know that the latter has
> > a program to generate keys but not csr's, i'm not sure how to get keys from
> > courier and/or postfix to the ca for signing. I'm probably missing something
> > very basic, and would appreciate any help.

Dave, why not just generate the csrs on the CA, then scp them to the individual
servers? If you have a CA, just do:

# generate a request
# (do a find for CA.pl, it should be under /etc/ somewhere.)
	./CA.pl -newreq-nodes

# then sign it 

	./CA.pl -sign

That produces newcert.pem. Then:

	newreq.pem = the server key
	newcert.pem = the server certificate

rename the two files to something memorable:

	mv newreq.pem imap.domain.key
	mv newcert.pem imap.domain.cert

and scp them to wherever they should live.

> Why would you want to use multiple methods?  Just create a single self
> signed CA from OpenSSL and use it to sign a single cert for all your
> servers.  You could also just use a self signed cert for all of them.

Unless I read that wrong, you're suggesting having all servers 
(imap/https/database/etc) on a host share a single server cert.

Don't you think that's a bit iffy security-wise?
Then I have to have a server key readable by all the servers (many of which run
as different users), and if one is taken they are all impersonatable.

 
> Check out this info:
> http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
> 
> That will tell you about using a single cert for multiple domains if
> that is what you need.

Useful link.
I've used that for situations where I have two or more hosts in a load balance
group, where I set the subjectAltName to ldap.domain, and the CNs are ldap1...n.domain.
Then clients that aren't ldap-uri (which allows multiple servers to be listed) aware
can just use a round-robin DNS entry of ldap.domain and still see that the server is 
what they expected.

I'm not sure http browsers (for example) are aware of that field, however.

-- 
'You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat.'
		-- Bender
Rasputin :: Jack of All Trades - Master of Nuns
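The CA.pl recipe above, and the subjectAltName trick from the second half of the message, spelled out with the underlying openssl(1) commands. This is an added example, not part of the original thread or of CA.pl itself: it builds a throwaway CA, issues one key and CSR per service (an unencrypted key, as -newreq-nodes does), signs each CSR with the CA while adding a subjectAltName, and then checks that the result chains to the CA and matches the hostname a client would connect to. Every host name (ca.example.org, imap1.example.org, imap.example.org, smtp.example.org) and the scratch directory are assumptions of the example; the per-service split is the point Dick makes about not sharing one key between daemons running as different users.

```sh
#!/bin/sh
# Added example (not from the thread, not CA.pl): a private CA plus per-service
# certificates with subjectAltName, using plain openssl(1). Names below are
# made up for the example; everything lands in a scratch directory.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR CN: self-signed root certificate, 2048-bit RSA, 10 years.
# umask 077 keeps the CA key (and every key below) mode 0600.
make_ca() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=$cn" >/dev/null 2>&1
}

# issue DIR NAME SANLIST: one fresh key + CSR per service (the CA.pl
# -newreq-nodes step), then sign it with the CA (the CA.pl -sign step), with
# SANLIST such as "DNS:imap1.example.org,DNS:imap.example.org" added as the
# subjectAltName so the cert covers a round-robin alias as well as the host.
issue() {
    dir=$1; name=$2; sans=$3
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$name" >/dev/null 2>&1
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$sans" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 825 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" >/dev/null 2>&1
}

# verify DIR NAME HOST: does NAME.crt chain to our CA, and does it match HOST
# the way a SAN-aware client checks it? Returns 0 only if both hold.
verify() {
    dir=$1; name=$2; host=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$name.crt" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match'
}

# key_mode DIR NAME: octal mode of a service's private key (GNU or BSD stat).
key_mode() {
    stat -c %a "$1/$2.key" 2>/dev/null || stat -f %Lp "$1/$2.key"
}

# demo: CA, then separate keys for imap1 (also answering to the alias
# imap.example.org) and smtp, so the smtp daemon never needs the imap key.
demo() {
    make_ca "$WORK" ca.example.org
    issue "$WORK" imap1.example.org "DNS:imap1.example.org,DNS:imap.example.org"
    issue "$WORK" smtp.example.org  "DNS:smtp.example.org"
    verify "$WORK" imap1.example.org imap.example.org \
        && echo "imap1.example.org.crt is valid for the alias imap.example.org"
    verify "$WORK" smtp.example.org imap.example.org \
        || echo "smtp.example.org.crt does not cover imap.example.org (as intended)"
    echo "private keys in $WORK:"
    ls -l "$WORK"/*.key
}

demo
```

After it runs, copy imap1.example.org.key and imap1.example.org.crt to the IMAP host (and only there), and chown the key to the user the daemon runs as; ca.crt is what clients need in order to trust the result. The -checkhost call is the same SAN-then-CN matching a modern TLS client performs, so it answers the "is the server what they expected" question from the command line.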
