| From: Hans Müller <ndof@xxxxxx>
| Date: Wed, 09 Feb 2005 14:36:24 +0100
|
| Hello, I have a problem with dovecot and SSL.
| I have my certificate. But when I start DC, there comes no question for the
| passphrase for the keyfile. So I get the error in the log file:
| imap-login: Can't load private key file /etc/raddb/certs/server.key
| I will use the same certificate for my radius and DC. What must I do,
| so that I will be asked for the key password?
What it comes down to is that it won't. The certificate must be stored as plaintext, unencrypted. This is not as much of a security problem as it might seem if the file permissions (and SELinux policies, if you use the strict mode) protect non-root users from reading the file. If someone can obtain root permissions, they can probably contrive to read the unencrypted key in memory even if it was encrypted on disk. Also, asking for the passphrase means that the server cannot start automatically (for instance, when the system responds to a UPS, shuts itself down, then comes back up) or be restarted through a management interface (e.g. webmin's system monitor).
As the previous poster says, you can generate a new key that is unencrypted. If it is a self-signed key that has not yet been used, that is fine. If clients have already installed the old key (or it has been signed by a certificate authority), it is better to decrypt the old key:
openssl rsa -in encryptedkeyfile.pem -out unencryptedkeyfile.pem
"man rsa" for more info on how this works.
Incidentally, if you do have a CA signed key, you should be aware that dovecot does not support "chained roots", or keys which are signed by a CA's subkey rather than the root key itself. If your CA sent you a "chained root file", often called "chained.pem", add it to the end of your key file, thusly:
cat yourdomaincert.pem chained.pem > yourdomaincert-chained.pem
And make sure dovecot is told to use yourdomaincert-chained.pem. This makes the mail program deal with the verification problem itself and works with at least some of the mail programs (e.g. Thunderbird; Mac Mail gives a warning anyway - ***sigh***). It should not hurt radius to use the chained key (though I have not tried it myself).
[If this is not a CA signed key or they did not say anything about "chained roots", ignore this last.]

--
Eric Vought
Technical Director, Diversity Ink, Morgan Family Enterprises
Web Hosting and Site Design for Small Business and Not-for-Profit (http://www.diversityink.com)
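The two steps in the reply above (strip the passphrase from the key with "openssl rsa", then build a chained certificate file with the server certificate first) as an added POSIX shell example. This is not code from the thread or from dovecot; the file names server.key.enc, chained.pem, server.pem and root.pem, the passphrase "secret" and the function names are assumptions. The root CA, intermediate CA and server certificate are constructed by the script itself so it runs offline. Unlike the interactive command in the reply, the passphrase is supplied with -passin so the step can run from a script, and the plaintext key is written with a 0077 umask and mode 0600 so only root can read it, which is the protection the reply relies on.

```shell
#!/bin/sh
# Added example, not from the original thread: decrypt a passphrase-protected
# server key for dovecot and build a "chained" certificate file, then verify
# both. File names (server.key.enc, chained.pem, server.pem, root.pem) and
# the passphrase "secret" are assumptions; the CA, intermediate and server
# certificate are constructed here so the script runs offline.
set -eu

# True if the PEM key at $1 carries no passphrase (neither the PKCS#8
# "ENCRYPTED PRIVATE KEY" header nor the legacy "Proc-Type: 4,ENCRYPTED").
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# True if the key at $1 and the certificate at $2 share the same public key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject of the FIRST certificate in a PEM file (openssl x509 reads only one).
first_subject() {
    openssl x509 -in "$1" -noout -subject
}

# True if the chained file $1 starts with the server certificate $2. Order
# matters: clients expect the server (leaf) certificate first, the CA's
# intermediate after it.
chain_order_ok() {
    [ "$(first_subject "$1")" = "$(first_subject "$2")" ]
}

# prepare_dovecot_ssl ENC_KEY PASSPHRASE SERVER_CERT INTERMEDIATE_PEM ROOT_PEM OUTDIR
# Writes OUTDIR/server.key (no passphrase, mode 0600) and
# OUTDIR/server-chained.pem (server cert followed by the intermediate),
# then checks that the result is what dovecot and the mail clients need.
prepare_dovecot_ssl() {
    enc_key=$1; pass=$2; cert=$3; chain=$4; root=$5; out=$6
    mkdir -p "$out"
    # "openssl rsa -in ... -out ..." strips the passphrase; -passin makes it
    # non-interactive. The umask keeps the plaintext key readable by root only.
    (umask 077; openssl rsa -in "$enc_key" -passin "pass:$pass" \
        -out "$out/server.key" 2>/dev/null)
    chmod 600 "$out/server.key"
    # Server certificate first, then the CA's intermediate ("chained.pem").
    cat "$cert" "$chain" > "$out/server-chained.pem"

    key_is_unencrypted "$out/server.key"
    openssl rsa -in "$out/server.key" -check -noout >/dev/null 2>&1
    key_matches_cert "$out/server.key" "$cert"
    chain_order_ok "$out/server-chained.pem" "$cert"
    # The leaf (first cert in the file) must verify up to the root using only
    # the intermediate shipped in the same file, as a client would do it.
    openssl verify -CAfile "$root" -untrusted "$out/server-chained.pem" \
        "$out/server-chained.pem" >/dev/null
}

# Constructed test material: root CA -> intermediate CA -> server cert, with
# the server key encrypted under the passphrase "secret" (the question's case).
make_test_material() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -out "$d/root.pem" -days 2 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
        -subj "/CN=Test Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/chained.pem" -days 2 2>/dev/null
    openssl genrsa -aes256 -passout pass:secret -out "$d/server.key.enc" 2048 2>/dev/null
    openssl req -new -key "$d/server.key.enc" -passin pass:secret -out "$d/server.csr" \
        -subj "/CN=mail.example.test" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/chained.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -out "$d/server.pem" -days 2 2>/dev/null
}

# Stand-alone run: build the material, prepare the files, report where they are.
work=$(mktemp -d)
make_test_material "$work"
prepare_dovecot_ssl "$work/server.key.enc" secret "$work/server.pem" \
    "$work/chained.pem" "$work/root.pem" "$work/out"
echo "ready: $work/out/server.key and $work/out/server-chained.pem"
```

For a real deployment, point prepare_dovecot_ssl at the encrypted key and the certificate and intermediate the CA sent, and point dovecot's ssl_key and ssl_cert settings at the two output files; the verify step at the end fails loudly if the intermediate is missing, in the wrong order, or does not belong to the certificate.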