
Re: setting up tls/ssl over qpopper



>
>
>2. If you plan to have this server offering services to yourself or
>just people in your organization, friends etc. you can generate the
>certificate yourself. The SSL-supporting mailers will present a warning
>upon connecting (since it's not an official CA-signed certificate),
>but if the users trust you, they can tell the mailer to explicitly
>trust your certificate.
>
>The technical procedure is:
>a. Generate a certificate with 'openssl req':
>
>openssl req -new -x509 -nodes -days 365 -newkey rsa:1024 -keyout 'key' -out 'certificate'
>
>(*) -nodes specifies the private key won't be encrypted and won't
>require you to input a password to use it. It might be the best option
>for you if you want QPopper to be able to start up unattended (instead
>of waiting for someone to type a password on the server's console).
>(**) -x509 allows you to skip the certificate request generation step.
>The resulting certificate would be "self-signed", which should be
>enough for your needs.
>(***) -days 365 indicates how many days from today the certificate will
>be valid.
>
There is a caveat with this approach. When the certificate expires, you 
will have some problems renewing it. Here is what will happen:
A. The certificate will expire (in a year, if using Ilya's example).
B. If you just want a new certificate, you will probably repeat Ilya's 
procedure. The problem is that the private key changes, and all the mail 
clients will complain (i.e., they had a certificate, and now they have 
a new one for the same site, so something went wrong).
C. Alternatively (and it took me quite a bit of digging to find out how, 
and I have, alas, forgotten), you can regenerate a new certificate with 
the exact same parameters (including the private key). The problem here is that 
openssl, since this is a root certificate (i.e., a certificate used for 
a CA), will not give it a serial number. As a result, the mail clients 
will complain that the certificate expired (they will compare serial 
numbers against their stored certificate, and once they see it's 
the same, will not reread the certificate to find out the new expiration 
date). To solve that problem you will have to erase, and then relearn, 
the certificate, again losing the benefit of having one.

In order to solve this problem there are two possible solutions:
1. Find a way to cause openssl to generate a root certificate with a 
serial number other than 0.
2. Generate a root certificate, teach that to everyone AS A CA, and then 
use that to sign the certificate request generated in the original 
question. A bit cumbersome, but it's the "right" way to do it.

        Shachar.



=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il