I am getting a little frustrated by the following. I am trying to access the imaps service through a web browser. I have constructed an imap.pem certificate file which works well when I access the server from mutt. However, when I try to access imaps through a web server using an https:// web address the results are baffling. First, the certificate the web browser returns from the server is not the imap certificate. That is not that surprising. The certificate returned is generic, without any of the usual fields filled with meaningful content. The statement is given that this certificate (represented by a file I cannot find) belongs to localhost@localdomain rather than our server (which is true). Then I get the strange error statement that: new.host.name cannot be found. At this point we can go no further.
Can someone hint at how one creates this needed certificate, where the file resides and under what name? I saw there was a Makefile that is supposed to do this, but all I managed to do using that Makefile was secure the httpd server so that it could not be restarted without entering a passphrase.
Anyone have information on this they are willing to share?
akonstam@trinity.edu wrote:
However, when I try access to imaps through a web server using a https:// web address the results are baffling. Anyone have information on this they are willing to share?
/etc/httpd/conf.d/ssl.conf will tell you where the certificate needs to be.
To generate a new one, try this:
cd /etc/httpd/conf/
make server.crt
One of the options you'll enter is the hostname of the machine the cert is for.
Also ... if you enter a password when generating the key file, you'll need to type that password in every time you restart apache (i.e. remove apache's logs from logrotate if you have it installed, otherwise Apache will shut down every Sunday night), and you'll need to modify the ssl.conf file to point at the new .crt and .key files you just made.
Welcome to SSL and secure web browsing.
-id
On Thu, Nov 18, 2004 at 05:11:26PM -0800, ian douglas wrote:
akonstam@trinity.edu wrote:
However, when I try access to imaps through a web server using a https:// web address the results are baffling. Anyone have information on this they are willing to share?
/etc/httpd/conf.d/ssl.conf will tell you where the certificate needs to be.
First, I appreciate people trying to help me. Looking in the ssl.conf file told me something I did not know: that https uses port 443, not port 993 as imaps does. I also knew where the certificate files should be, but they were not working for me, so I hoped to get other ideas.
To generate a new one, try this:
cd /etc/httpd/conf/
make server.crt
A minor point: to run make server.crt you must be in the directory /etc/httpd/conf/ssl.crt
One of the options you'll enter is the hostname of the machine the cert is for.
Also ... if you enter a password when generating the key file, you'll need to type that password in every time you restart apache (i.e. remove apache's logs from logrotate if you have it installed, otherwise Apache will shut down every Sunday night), and you'll need to modify the ssl.conf file to point at the new .crt and .key files you just made.
Welcome to SSL and secure web browsing.
-id
I also had the annoying experience that, when I entered all the keys, I had to enter a passphrase before starting or restarting httpd. OK, but all this does not work. I configured the server essentially as indicated above, and when I access the server using https I get back a generic certificate that has no relationship to the one I configured. And login access is not presented to me even when I say I will accept the faulty certificate. And so my question remains: how does one do this correctly?
Hi there,
Can anyone walk me through, or point me to information on, how to change the certificate that cyrus-imapd is using for ssl? My mail client is giving me the message "the local certificate belongs to 'localhost.localdomain'" when I connect. I would like to make a new certificate with the correct hostname in it.
I am guessing I need to revoke the old certificate first, then create the new one. I think I figured out how to make the new one, but I'm not entirely certain of the correct way to revoke the old one. Has anyone else done this before?
Thanks,
...Paul
Paul Bradshaw wrote:
Can anyone walk me through, or point me to information on, how to change the certificate that cyrus-imapd is using for ssl? My mail client is giving me the message "the local certificate belongs to 'localhost.localdomain'" when I connect. I would like to make a new certificate with the correct hostname in it.
You can either generate a new key, or reuse the old key. Before doing any of the below, you might want to check and edit the stock openssl.cnf file (in /usr/share/ssl). In there, you can specify more IP addresses and host names that the certificate should be valid for (so you can make it valid for localhost, hostname, 127.0.0.1, 1.2.3.4, and so on).
If you want to generate a new key, you would do something like:
openssl genrsa -des3 -out key.pem 2048
To generate a self-signed certificate, do something like this:
openssl req -new -x509 -key key.pem -out cert.pem
If you want to generate a certificate request and send it to a CA (that will then issue you a certificate), omit the -x509 option.
I am guessing I need to revoke the old certificate first, then create the new one. I think I figured out how to make the new one, but I'm not entirely certain of the correct way to revoke the old one. Has anyone else done this before?
Unless you have a way to publish your revocation list somewhere, somehow, there's no point in revoking the old certificate.
Thanks Aleksandar,
I wised up and found the documentation. Created the certificate. Everything's fine now. Thanks for responding. You got me on the right track.
...Paul
Aleksandar Milivojevic wrote:
Paul Bradshaw wrote:
Can anyone walk me through, or point me to information on, how to change the certificate that cyrus-imapd is using for ssl? My mail client is giving me the message "the local certificate belongs to 'localhost.localdomain'" when I connect. I would like to make a new certificate with the correct hostname in it.
You can either generate a new key, or reuse the old key. Before doing any of the below, you might want to check and edit the stock openssl.cnf file (in /usr/share/ssl). In there, you can specify more IP addresses and host names that the certificate should be valid for (so you can make it valid for localhost, hostname, 127.0.0.1, 1.2.3.4, and so on).
If you want to generate a new key, you would do something like:
openssl genrsa -des3 -out key.pem 2048
To generate a self-signed certificate, do something like this:
openssl req -new -x509 -key key.pem -out cert.pem
If you want to generate a certificate request and send it to a CA (that will then issue you a certificate), omit the -x509 option.
I am guessing I need to revoke the old certificate first, then create the new one. I think I figured out how to make the new one, but I'm not entirely certain of the correct way to revoke the old one. Has anyone else done this before?
Unless you have a way to publish your revocation list somewhere, somehow, there's no point in revoking the old certificate.
Paul Bradshaw writes:
Thanks Aleksandar,
I wised up and found the documentation. Created the certificate. Everything's fine now. Thanks for responding. You got me on the right track.
Well, unless you paid Verisign, or some other certificate authority, a couple of hundred bucks to sign your certificate, then technically speaking everything is definitely NOT fine.
On Tue, 30 Nov 2004 18:45:12 -0500, you wrote:
Well, unless you paid Verisign, or some other certificate authority, a couple of hundred bucks to sign your certificate, then technically speaking everything is definitely NOT fine.
In case anyone's interested, Comodo sells $50 root-signed certificates. They'll even sign a 30 day cert for free just to get you up and running "until the purchase order clears".
Sorry if that sounds like a commercial, it's just that I finally found someplace that's cheaper than a couple of hundred bucks.
Frank Pineau wrote:
Sorry if that sounds like a commercial, it's just that I finally found someplace that's cheaper than a couple of hundred bucks.
There are several places that are cheaper than a "couple of hundred bucks". Verisign has not been the only one selling certificates for a long time. Some of those places will sell you wildcard certificates, and some will sell you certificates in bulk, 5 or 10 at a time, dirt cheap.
Anyhow, if you are a home user, you should ask yourself whether you really need a certificate signed by a CA whose root certificate is shipped with browsers. For most home users, a self-signed certificate (or generating your own root certificate and signing with it) will work quite well.
"Official" root CA signed certificates, the way they are currently being issued, the way the identity of the buyer is checked, and the way they are currently being used, are useful only for not annoying users with pop-up warning windows. It is not that complicated to buy a forged certificate (ask Verisign and Microsoft; they still haven't figured out who the guy was that Verisign sold a certificate in MS's name to some time ago). If that can happen to a big name such as Microsoft, somebody buying a certificate in some home user's name would probably go quite unnoticed. This is nothing surprising. CAs are commercial entities, so they are after generating large volumes of profit. Strict identity checking would severely slow down the process, customers would go to somebody else who is "faster" (because that somebody has looser identity checks), so everybody is gradually lowering the bar (and no, a credit card is not a sufficient identity check -- it only links a couple of numbers that are printed on the card to the person who will be charged by the bank; it doesn't say a thing about the identity of the person who typed those numbers into some kind of web form, or about the authority of that person to use the card).
On Fri, 19.11.2004 at 2:03, akonstam@trinity.edu wrote:
Can someone hint at how one creates this needed certificate, where the file resides and under what name? I saw there was a Makefile that is supposed to do this, but all I managed to do using that Makefile was secure the httpd server so that it could not be restarted without entering a passphrase.
Aaron Konstam
There are different possibilities for how you can create (and manage) such certificates. In any case the base tool is OpenSSL, which you can use directly. http://sial.org/howto/openssl/ has some good papers. There is some somewhat dated documentation by Red Hat at http://www.redhat.com/support/resources/faqs/RH-apache-FAQ/c163.html. The Fedora OpenSSL comes with the script /usr/share/ssl/misc/CA.
One very basic thing is that the Common Name (CN) of the server service cert has to match its hostname. In some cases you would only get a warning if they differ; in other situations / with other clients the service is deferred.
Speaking about Apache on Fedora, the default location for the SSL server host cert is /etc/httpd/conf/ssl.crt/, and for the host key it is /etc/httpd/conf/ssl.key/. The location for the dovecot cert is /usr/share/ssl/certs/. I don't know offhand whether this location is hard coded during compilation or configurable with dovecot.conf. For the obsolete uw-imapd it was hard coded.
Hope it helps a bit.
Alexander
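As an added example (not code from anyone in this thread), the script below ties together Aleksandar's openssl key/certificate commands and Alexander's point that the certificate's Common Name has to match the hostname, which is exactly what the "belongs to localhost.localdomain" complaint in the mail clients is about. It generates an unencrypted key (so httpd or cyrus-imapd can restart unattended, avoiding the passphrase prompt mentioned earlier) and a self-signed certificate carrying the hostname in both the CN and a subjectAltName, using a small openssl.cnf written on the fly instead of editing the stock one; it then checks a certificate file against a hostname the way a client does, and can dump the certificate a running service actually presents on a given port (443 for https, 993 for imaps). It assumes openssl is on PATH; the hostnames, directories and the openssl.cnf contents are constructed for the example and are not Fedora's defaults.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Assumes: openssl is installed and on PATH. All hostnames/paths are constructed.
set -eu

# make_selfsigned_cert HOSTNAME OUTDIR [EXTRA_SAN ...]
# Writes OUTDIR/key.pem (no passphrase, so daemons restart unattended) and
# OUTDIR/cert.pem, with CN=HOSTNAME and a subjectAltName covering HOSTNAME,
# localhost and 127.0.0.1 plus any extra entries such as DNS:imap.example.com.
make_selfsigned_cert() {
    host="$1"; outdir="$2"; shift 2
    san="DNS:${host},DNS:localhost,IP:127.0.0.1"
    for extra in "$@"; do san="${san},${extra}"; done
    mkdir -p "$outdir"
    # Minimal openssl.cnf written for this run (constructed; not the stock file).
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = ${host}
[v3_server]
subjectAltName = ${san}
extendedKeyUsage = serverAuth
EOF
    # -nodes: leave the private key unencrypted (see the passphrase-on-restart discussion).
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/openssl.cnf" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
    chmod 600 "$outdir/key.pem"
}

# cert_cn CERT: print the Common Name from the certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_matches_host CERT HOSTNAME
# Succeeds (exit 0) if CN equals HOSTNAME or a DNS entry in subjectAltName does,
# i.e. the test a client applies before warning that the cert belongs to another host.
cert_matches_host() {
    cert="$1"; host="$2"
    [ "$(cert_cn "$cert")" = "$host" ] && return 0
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qx "DNS:${host}"
}

# show_server_cert HOST PORT
# Print the subject of the certificate a live service presents, e.g. PORT 443 for
# https and 993 for imaps. Useful to confirm which cert a daemon actually loaded.
show_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Stand-alone use: ./mkcert.sh mail.example.com ./ssl [DNS:imap.example.com ...]
if [ $# -ge 2 ]; then
    make_selfsigned_cert "$@"
    echo "CN: $(cert_cn "$2/cert.pem")"
fi
```

Run with a hostname and output directory to produce key.pem and cert.pem, then point ssl.conf (or the cyrus/dovecot configuration) at those files; `cert_matches_host cert.pem "$(hostname -f)"` is a quick sanity check before restarting the daemon, and `show_server_cert host 993` confirms afterwards that the service is serving the new certificate rather than the generic localhost.localdomain one.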