courier imap keys and self-signed ca signing
Louis LeBlanc
FreeBSD at keyslapper.org
Sun Dec 19 10:50:26 PST 2004

Actually, it was recently brought up on the OpenSSL users list, and
mentioned that *newer* clients would be fine with a cert for
*.foobar.com in place of imap.foobar.com or smtp.foobar.com.

I wrote SSL functionality into a client app 4 years ago (OpenSSL
0.9.?) that handled wildcard certs without a problem. I never got
back around to checking for multiple domain certs, but it should work.

The link I provided describes how to tweak the OpenSSL config file to
allow alternative names as well, to include, for instance, *.snafu.com
on the same cert. Again, *newer* clients should be fine with this,
but if you want to support old school browsers, stick with single
domain certs.

Lou

On 12/19/04 07:11 PM, Daniel S. Haischt sat at the `puter and typed:
> That's true if each of his servers will have the
> same common name (CN). But if one server resides
> for example on imap.foobar.com and the other
> at smtp.foobar.com, he has to use different
> certificates.
>
> Mozilla/Netscape browsers are quite picky when it
> comes to wrong CN attributes.
>
> BTW Dave - If you did install Apache together with
> mod_ssl the mod_ssl manual could be found at:
>
> -> http://localhost/manual/ssl/
>
> Louis LeBlanc wrote:
> > On 12/19/04 12:45 PM, dave sat at the `puter and typed:
> >
> >>Hello,
> >> I've got a 5.3 box that I'm using as a self-signing ca. I want to get
> >>keys going for all the various protocols I use, http, which I've done, pop
> >>and imap, and smtp. It's these last three I'm having the headache. I'm using
> >>postfix as my MTA and courier imap for pop/imap, I know that the latter has
> >>a program to generate keys but not csr's, I'm not sure how to get keys from
> >>courier and/or postfix to the ca for signing. I'm probably missing something
> >>very basic, and would appreciate any help.
> >>Thanks.
> >>Dave.
> >
> >
> >
> > Why would you want to use multiple methods? Just create a single self
> > signed CA from OpenSSL and use it to sign a single cert for all your
> > servers. You could also just use a self signed cert for all of them.
> >
> > Check out this info:
> > http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
> >
> > That will tell you about using a single cert for multiple domains if
> > that is what you need.
> >
> > Hope this helps.
> >
> > Lou
>
> --
> Mit freundlichen Gruessen / With kind regards
>
> Daniel S. Haischt | phone: +49 -7032-992909
> Grabenstrasse 11 | +49 -700-DHAISCHT
> | fax: +49 -7032-992910
> D-71083 Herrenberg | fax2mail: +49 -7032-7999738
> GERMANY | cell: +49 -172-7668936
>
> SIP: sip:haischt at daniel-s-haischt.biz:5060
> email: me at daniel.stefan.haischt.name
> web: http://www.daniel.stefan.haischt.name/
>
--
Louis LeBlanc FreeBSD at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org Ô¿Ô¬
A Pope has a Water Cannon. It is a Water Cannon.
He fires Holy-Water from it. It is a Holy-Water Cannon.
He Blesses it. It is a Holy Holy-Water Cannon.
He Blesses the Hell out of it. It is a Wholly Holy Holy-Water Cannon.
He has it pierced. It is a Holey Wholly Holy Holy-Water Cannon.
He makes it official. It is a Canon Holey Wholly Holy Holy-Water Cannon.
Batman and Robin arrive. He shoots them.
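
Added example, not part of the original message: the subjectAltName approach discussed in this thread, as a shell script that writes an OpenSSL config covering imap.foobar.com, smtp.foobar.com and *.snafu.com, signs the request with a throwaway CA, and lists the names in the resulting cert. The file names, the CA subject, the key size and the 30-day lifetime are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: one certificate for several mail host names via subjectAltName.
# File names, CA subject and lifetimes are illustrative assumptions.

# Write an OpenSSL config whose v3_req section carries the alternative names.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = imap.foobar.com

[ v3_req ]
subjectAltName = DNS:imap.foobar.com, DNS:smtp.foobar.com, DNS:*.snafu.com

[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}

# In directory $1: create a throwaway CA, a server key and CSR, then sign the CSR.
issue_san_cert() {
    dir=$1
    write_san_config "$dir/san.cnf" || return 1
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/san.cnf" -extensions v3_ca -subj "/CN=Example Local CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/san.cnf" \
        -keyout "$dir/mail.key" -out "$dir/mail.csr" 2>/dev/null || return 1
    # "x509 -req" does not copy CSR extensions by default, so the same
    # section is supplied again through -extfile when signing.
    openssl x509 -req -in "$dir/mail.csr" -days 30 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -extensions v3_req \
        -out "$dir/mail.pem" 2>/dev/null || return 1
    # Confirm the signed cert chains to the CA that clients will import.
    openssl verify -CAfile "$dir/ca.pem" "$dir/mail.pem" >/dev/null || return 1
}

# Print the DNS names a certificate actually carries.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep 'DNS:' | sed 's/^ *//'
}
```

The -nodes option leaves the private keys unencrypted so a daemon can start unattended, which makes file permissions on mail.key and ca.key the only protection for them.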