Re: setting up tls/ssl over qpopper
- To: Ishai Parasol <ishai-iglu(at-nospam)parasol.org.il>
- Subject: Re: setting up tls/ssl over qpopper
- From: Ilya Konstantinov <linux-il(at-nospam)future.shiny.co.il>
- Date: Fri, 28 Sep 2001 16:47:47 +0200
- Cc: Linux - IL Mailing List <linux-il(at-nospam)linux.org.il>
On Fri, Sep 28, 2001 at 09:02:52AM +0200, Ishai Parasol wrote:
> Hi
>
> I have installed QPopper4.0.3 with tls/ssl enabled and I'm trying to make
> the tls/ssl keys,
> following the instructions in the user manual. My problem is that I don't
> understand what to do next after creating the cert.pem file. What I did was:
> openssl req -new -nodes -out req.pem -keyout /etc/mail/certs/cert.pem
>
> But here the manual tells me to send the certificate signing request
> (req.pem) to my certificate authority signing and I should get back a signed
> request.
> If one of you guys has any experience with this subject I'll be really glad
> to get an
> explanation what exactly should I do here, where to send what?

You have two options:

1. If you plan to have this server offering services to the broad
   population, you'd want to order a certificate from one of the CAs (e.g.
   Thawte). The CA will request your official papers and certify that
   you're a real entity (person or company). The verification process and
   the certificate will, of course, cost you money.

   The technical procedure is:
   a. Generate a certificate request and private key with 'openssl req'.
   b. Send the req.pem to the CA and wait for them to verify your
      documents and send you back a signed certificate.

2. If you plan to have this server offering services to yourself or
   just people in your organization, friends etc. you can generate the
   certificate yourself. The SSL-supporting mailers will present a warning
   upon connecting (since it's not an official CA-signed certificate),
   but if the users trust you, they can tell the mailer to explicitly
   trust your certificate.

   The technical procedure is:
   a. Generate a certificate with 'openssl req':

      openssl req -new -x509 -nodes -days 365 -newkey rsa:1024 -keyout 'key' -out 'certificate'

   (*) -nodes specifies the private key won't be encrypted and won't
   require you to input a password to use it. It might be the best option
   for you if you want QPopper to be able to start up unattended (instead
   of waiting for someone to type a password on the server's console).
   (**) -x509 allows you to skip the certificate request generation step.
   The resulting certificate would be "self-signed", which should be
   enough for your needs.
   (***) -days 365 indicates how many days from today the certificate will
   be valid.
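
Added example (not part of the original message): option 2 as a script that generates the self-signed certificate and then checks what the flags imply, namely that the unencrypted -nodes key is readable by its owner only, that the certificate is self-signed and matches the key, and that it expires after the requested number of days. The directory, file names and host name are constructed placeholders, and rsa:2048 is this example's own choice, not the key size used in the message.

```shell
#!/bin/sh
# Added example. All paths and the host name below are constructed placeholders.

make_selfsigned() {   # $1 = output directory, $2 = server host name, $3 = days valid
    mkdir -p "$1" || return 1
    # umask 077 so the unencrypted (-nodes) key is never group/world readable
    ( umask 077
      openssl req -new -x509 -nodes -days "$3" -newkey rsa:2048 \
          -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null ) || return 1
    chmod 600 "$1/key.pem"
}

is_self_signed() {    # $1 = certificate; true when issuer and subject are the same name
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
    [ -n "$s" ] && [ "$s" = "$i" ]
}

key_matches_cert() {  # $1 = private key, $2 = certificate; compares the public keys
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

key_is_private() {    # $1 = private key; true when group and others have no access
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

valid_for_days() {    # $1 = certificate, $2 = days; true if still valid after $2 days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demonstration in a throwaway directory
demo=$(mktemp -d)
if make_selfsigned "$demo" pop.example.org 365 &&
   is_self_signed "$demo/cert.pem" &&
   key_matches_cert "$demo/key.pem" "$demo/cert.pem" &&
   key_is_private "$demo/key.pem"; then
    openssl x509 -in "$demo/cert.pem" -noout -subject -enddate
else
    echo "certificate checks failed" >&2
fi
rm -rf "$demo"
```

valid_for_days can be run from cron against the installed certificate to warn before the -days period runs out.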