7:03 p.m.
I am getting a little frustrated by the following. I am trying to
access imaps service through a web browser. I have constructed a
imap.pem certificate file which works well when I do accesses to the
server from mutt.
However, when I try access to imaps through a web server using a
https:// web address the results are baffling.
First the certificate the web browser returns from the server is not
the imap certificate. That is not that surprising. The certificate
returned is generic without any of the usual field filled with
meaningful content. The statement is given that this certificate
(represented by a file I cannot find) belongs to
localhost@localdomain rather than out server (which is true).
Then I get the strange error statement that:
new.host.name cannot be found.
At this point we can go no further.
Can someone hint how one creates this needed certificate and where the
file resides and under what name. I saw there was a Makefile that is
supposed to do this but all I managed to do using that Makefile is
secure the httpd server so that it could not be restarted without
entering a passphrase.
Anyone have information on this they are willing to share?
--
=======================================================================
"Irrigation of the land with seawater desalinated by fusion power is ancient.
It's called 'rain'."
-- Michael McClary, in alt.fusion
-------------------------------------------
Aaron Konstam
Computer Science
Trinity University
One Trinity Place.
San Antonio, TX 78212-7200
telephone: (210)-999-7484
email:akonstam@trinity.edu
7:11 p.m.
akonstam(a)trinity.edu wrote:
However, when I try access to imaps through a web server using a
https:// web address the results are baffling.
Anyone have information on this they are willing to share?
/etc/httpd/conf.d/ssl.conf will tell you where the certificate needs to be.
To generate a new one, try this:
cd /etc/httpd/conf/
make server.crt
One of the options you'll enter is the hostname of the machine the cert
is for.
Also ... if you enter a password when generating the key file, you'll
need to type that password in every time you restart apache (ie: remove
apache's logs from logrotate if you have it installed, otherwise Apache
will shut down every Sunday night), and you'll need to modify the
ssl.conf file to point at the new .crt and .key files you just made.
Welcome to SSL and secure web browsing.
-id
9:54 a.m.
On Thu, Nov 18, 2004 at 05:11:26PM -0800, ian douglas wrote:
akonstam(a)trinity.edu wrote:
>However, when I try access to imaps through a web server using a
>https:// web address the results are baffling.
>Anyone have information on this they are willing to share?
/etc/httpd/conf.d/ssl.conf will tell you where the certificate needs to be.
First I
appreciate people trying to help me. Looking in the ssl.conf file told
me something I did not know, that https uses port 443 not port 993 for imaps.
I also knew where the certificate files should be but they were not working
for me so I hoped to get other ideas.
To generate a new one, try this:
cd /etc/httpd/conf/
make server.crt
A minor point to run make server.crt
you must be in directory: /etc/httpd/conf/ssl.crt
One of the options you'll enter is the hostname of the machine the cert
is for.
Also ... if you enter a password when generating the key file, you'll
need to type that password in every time you restart apache (ie: remove
apache's logs from logrotate if you have it installed, otherwise Apache
will shut down every Sunday night), and you'll need to modify the
ssl.conf file to point at the new .crt and .key files you just made.
Welcome to SSL and secure web browsing.
-id
I also had the annoying experience when I entered all the keys I had to enter
a
passphrase before starting or restarting httpd.
OK, but all this does not work. I configure the server essentially as
indicated above and when I access the server using https I get back a generic
certificate that has no relationship to the one I configured. And login access
is not presented to me even when I say I will accept the faulty certificate.
And so my question remains. How does one do this correctly?
--
=======================================================================
We've tried each spinning space mote
And reckoned its true worth:
Take us back again to the homes of men
On the cool, green hills of Earth.
The arching sky is calling
Spacemen back to their trade.
All hands! Standby! Free falling!
And the lights below us fade.
Out ride the sons of Terra,
Far drives the thundering jet,
Up leaps the race of Earthmen,
Out, far, and onward yet--
We pray for one last landing
On the globe that gave us birth;
Let us rest our eyes on the fleecy skies
And the cool, green hills of Earth.
-- Robert A. Heinlein, 1941
-------------------------------------------
Aaron Konstam
Computer Science
Trinity University
One Trinity Place.
San Antonio, TX 78212-7200
telephone: (210)-999-7484
email:akonstam@trinity.edu
9:59 a.m.
New subject: change cyrus-imapd ssl certificate FC3
Hi there,
Can anyone walk me through, or point me to information on how to change
the certificate that cyrus-imapd is using for ssl?
My mail client is giving me the message "the local certificate belongs
to "localhost.localdomain" when I connect. I would like to make a new
certificate with the correct hostname in it.
I am guessing I need to revoke the old certifcate first, then create the
new one. I think I figured out how to make the new one, but I'm not
entirely certain of the correct way to revoke the old one. Has anyone
else done this before?
Thanks,
...Paul
10:41 a.m.
New subject: change cyrus-imapd ssl certificate FC3
Paul Bradshaw wrote:
Can anyone walk me through, or point me to information on how to
change
the certificate that cyrus-imapd is using for ssl? My mail client is
giving me the message "the local certificate belongs to
"localhost.localdomain" when I connect. I would like to make a new
certificate with the correct hostname in it.
You can either generate new key, or reuse old key. Before doing any of
the bellow, you might want to check and edit stock openssl.cnf file (in
/usr/share/ssl). In there, you can specify more IP addresses and host
names that certificate should be valid for (so you can make it valid for
localhost, hostname, 127.0.0.1, 1.2.3.4, and so on).
If you want to generate new key, you would do something like:
openssl genrsa -des3 -out key.pem 2048
To generate self signed certificate, do something like this:
openssl openssl req -new -x509 -key key.pem -out cert.pem
If you want to generate certificate request and send it to CA (that will
than issue you a certificate), ommit -x509 option.
I am guessing I need to revoke the old certifcate first, then create
the
new one. I think I figured out how to make the new one, but I'm not
entirely certain of the correct way to revoke the old one. Has anyone
else done this before?
Unless you have a way to publish your revocation list somewhere,
somehow, there's no point in revoking the old certificate.
--
Aleksandar Milivojevic <amilivojevic(a)pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
3:41 p.m.
New subject: change cyrus-imapd ssl certificate FC3
Thanks Aleksandsar,
I wised up and found the documentation. Created the certificate.
Everything's fine now. Thanks for responding. You got me on the right
track.
...Paul
Aleksandar Milivojevic wrote:
Paul Bradshaw wrote:
> Can anyone walk me through, or point me to information on how to
> change the certificate that cyrus-imapd is using for ssl? My mail
> client is giving me the message "the local certificate belongs to
> "localhost.localdomain" when I connect. I would like to make a new
> certificate with the correct hostname in it.
You can either generate new key, or reuse old key. Before doing any
of the bellow, you might want to check and edit stock openssl.cnf file
(in /usr/share/ssl). In there, you can specify more IP addresses and
host names that certificate should be valid for (so you can make it
valid for localhost, hostname, 127.0.0.1, 1.2.3.4, and so on).
If you want to generate new key, you would do something like:
openssl genrsa -des3 -out key.pem 2048
To generate self signed certificate, do something like this:
openssl openssl req -new -x509 -key key.pem -out cert.pem
If you want to generate certificate request and send it to CA (that
will than issue you a certificate), ommit -x509 option.
> I am guessing I need to revoke the old certifcate first, then create
> the new one. I think I figured out how to make the new one, but I'm
> not entirely certain of the correct way to revoke the old one. Has
> anyone else done this before?
Unless you have a way to publish your revocation list somewhere,
somehow, there's no point in revoking the old certificate.
5:45 p.m.
New subject: change cyrus-imapd ssl certificate FC3
Paul Bradshaw writes:
Thanks Aleksandsar,
I wised up and found the documentation. Created the certificate.
Everything's fine now. Thanks for responding. You got me on the right
track.
Well, unless you paid Verisign, or some other certificate authority, a
couple of hundred bucks to sign your certificate, then technically speaking
everything is definitely NOT fine.
7:15 p.m.
New subject: change cyrus-imapd ssl certificate FC3
On Tue, 30 Nov 2004 18:45:12 -0500, you wrote:
Well, unless you paid Verisign, or some other certificate authority, a
couple of hundred bucks to sign your certificate, then technically speaking
everything is definitely NOT fine.
In case anyone's interested, Comodo sells $50 root-signed certificates. They'll
even sign a 30 day cert for free just to get you up and running "until the
purchase order clears".
http://www.instantssl.com/
Sorry if that sounds like a commercial, it's just that I finally found someplace
that's cheaper than a couple of hundred bucks.
9:05 a.m.
New subject: change cyrus-imapd ssl certificate FC3
Frank Pineau wrote:
Sorry if that sounds like a commercial, it's just that I finally
found someplace
that's cheaper than a couple of hundred bucks.
There's several places that are cheaper than "couple of hundred bucks".
Verisign is not the only one selling certificate for a long time.
Some of those places will sell you wildcard certificates, and some will
sell you certificates in bulks of 5 or 10 dirt cheap.
Anyhow, if you are home user, you should ask yourself do you really need
certificate sign by CA whose root certificate is shipped with browsers.
For most home users, self signed certificate (or generating your own
root certificate and signing with it) will work quite well.
"Official" root CA signed certificates, the way they are currently being
issued, the way identity of buyer is checked, and the way they are
currently being used, are usefull only for not annoying users with
pop-up warning windows. It is not that complicated to buy forged
certificate (ask Verisign and Microsoft, they still haven't figured out
who was the guy Verisign sold certificate in MS name some time ago). If
that can happen to big name such as Microsoft, somebody buying
certificate in some home user's name would probably go quite unnoticed.
This is nothing suprising. CAs are commercial entities, so they are
after generating large volumes of profit. Strict identity checking
would severely slow down the process, customers would go to somebody
else who is "faster" (because that somebody has more loose identity
checks), so everybody is gradually lowering the bar (and no, credit card
is not sufficient identity check -- it only links couple of numbers that
are printed on the card to person who will be charged by the bank, it
doesn't say a thing about identity of person who typed those numbers
into some kind of web form, or about authority of that person to use the
card).
--
Aleksandar Milivojevic <amilivojevic(a)pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
7:37 p.m.
Am Fr, den 19.11.2004 schrieb akonstam(a)trinity.edu um 2:03:
Can someone hint how one creates this needed certificate and where
the
file resides and under what name. I saw there was a Makefile that is
supposed to do this but all I managed to do using that Makefile is
secure the httpd server so that it could not be restarted without
entering a passphrase.
Aaron Konstam
There are different possibilities how you can create (and manage) such
certificates. In any way the base tool use OpenSSL, which you can use
directly. http://sial.org/howto/openssl/ has some good papers. Some days
old documentation by Red Hat on
http://www.redhat.com/support/resources/faqs/RH-apache-FAQ/c163.html.
The Fedora OpenSSL comes with the script /usr/share/ssl/misc/CA.
One very basic thing is that the Common Name (CN) of the server service
cert has to fit it's hostname. In some cases you would only get a
warning if they differ, in other situations / with other clients the
services is deferred.
Speaking about Apache on Fedora the default location for the SSL server
hostcert is /etc/httpd/conf/ssl.crt/, for the hostkey it is
/etc/httpd/conf/ssl.key/. The location for the dovecot cert is
/usr/share/ssl/certs/. Don't know from head whether this location is
hard coded during compilation or configurable with dovecot.conf. For the
obsolete uw-imapd it was hard coded.
Hope it helps a bit.
Alexander
--
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.8-1.521smp
Serendipity 02:35:44 up 1 day, 4:21, load average: 0.02, 0.26, 0.35
7095
days inactive
7108
days old
10 comments
8 participants
participants (8)
-
akonstam@trinity.edu -
Aleksandar Milivojevic -
Alexander Dalloz -
Frank Pineau -
ian douglas -
Paul Bradshaw -
Sam Varshavchik -
William Hooper