My self-signed SSL certificates (for Postfix & Cyrus-IMAP) have just
expired and so I'm faced with once again trying to decipher (heh) the
multitude of instructions for setting this up. I still have my notes
from a year ago but, though everything's been working fine (AFAIK), I'm
not convinced that what I'm doing is correct. I've read many tutorials
online but each one seems to confuse the issue further.
For one thing, before I'd even started, I'd found some cert files
already existed. I believe they were set up by the Apache rpm. In any
case, I just ignored them, as I'm not currently using SSL through
Apache. I probably will want to use it in the future, however I don't at
all understand how/why these already exist, as they couldn't possibly
contain the correct information (commonName, organizationName, etc).
So, anyway ... I'd like to create new certs and, at the same time, clear
out some of the deadwood under the /etc/pki tree and attempt to get all
of this into proper order.
This is my current setup:
/etc/postfix/main.cnf:
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_cert_file = /etc/pki/postfix/newcert.pem
smtpd_tls_key_file = /etc/pki/postfix/newkey.pem
/etc/imapd.conf:
tls_ca_file: /etc/pki/tls/certs/cacert.pem
tls_cert_file: /etc/pki/cyrus-imapd/newcert.pem
tls_key_file: /etc/pki/cyrus-imapd/newkey.pem
I have no idea what I was thinking when putting these in separate
directories. I assume that's a redundancy I can do without.
/etc/httpd/conf.d/ssl.conf:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Here, localhost.crt and localhost.key were created by something other
than myself. I have no idea what they're good for, if not self-signed.
However, I'm guessing that I could probably create a cert/key.pem pair
and use them for Postfix, Cyrus, and Apache. Note, though, that the
httpd versions are not PEMs, so that's another source of confusion.
This is from my notes for Postfix/Cyrus:
-- snip --
# cd /etc/pki/tls/misc
./CA_noDES -newca
[creates key file in /etc/pki/CA/private/cakey.pem]
./CA_noDES -newreq
[creates newkey.pem & newreq.pem]
./CA_noDES -sign
[creates /etc/pki/CA/cacert.pem]
ADD THE PRIVATE KEY
# cat /etc/pki/CA/private/cakey.pem
copy this into:
# vi /etc/pki/CA/cacert.pem
# cp /etc/pki/CA/cacert.pem /etc/pki/tls/certs/
-- snip --
Could/should I simply use the above instructions to create:
/etc/pki/tls/certs/localhost.crt.pem
/etc/pki/tls/private/localhost.key.pem
... and use these for all 3 apps?
Also, I'm not really clear (surprise, surprise) on the purpose of the
last line. Why should I copy cacert.pem from one directory to another? I
understand that the CA dir is readable only by root. However, by copying
the file elsewhere, that security seems superfluous.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
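The CA_noDES steps in the notes above (new CA, new request, sign, then copy the CA certificate into /etc/pki/tls/certs) can be done with plain openssl in a way that makes the roles of each file explicit. The script below is an added example, not the poster's notes or anything shipped by Fedora: it creates a private CA, issues one server certificate for a mail host, and then checks the result the way a practitioner would before pointing three daemons at it. The directory, the hostname mail.example.com, the subject names and the file names ca.key/ca.crt/server.key/server.crt are all assumptions made for the example. All files it writes are PEM whatever the extension, so the same server.crt/server.key pair can be referenced from main.cf, imapd.conf and ssl.conf, and ca.crt is the file the CAfile/tls_ca_file settings point at.

```shell
#!/bin/sh
# Added example, not from the original post. Build a small private CA with
# openssl, sign one server certificate, and verify it. Paths and names are
# assumptions for illustration only.
set -eu

# make_pki DIR HOST
#   writes DIR/ca.key DIR/ca.crt DIR/server.key DIR/server.crt
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_pki() (
    dir=$1
    host=$2
    mkdir -p "$dir"
    umask 077   # keys are born owner-only; public certs are relaxed below

    # 1. CA key + self-signed CA certificate (the "-newca" step).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Home/CN=Example Home CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

    # 2. Server key + certificate signing request (the "-newreq" step).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Home/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1

    # 3. Sign the request with the CA (the "-sign" step). The extension file
    #    keeps the leaf a non-CA certificate and adds a subjectAltName, which
    #    modern TLS clients require for hostname matching.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1

    # Certificates carry only public data, so they may be world-readable.
    # The CA key never leaves its owner-only file and never goes into ca.crt.
    chmod 644 "$dir/ca.crt" "$dir/server.crt"
)

# check_pki DIR HOST
#   returns 0 only if the leaf chains to the CA, the key matches the cert,
#   the hostname is in the cert, the CA cert holds no key, and keys are 0600.
check_pki() {
    dir=$1
    host=$2
    # Chain check: what a client with ca.crt as its trust anchor will do.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || return 1
    # Key/cert pairing: the public key in the cert must match the private key.
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ] || return 1
    # Hostname present as a SAN entry.
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" \
        || return 1
    # The file that gets copied to a world-readable certs dir must be cert-only.
    if grep -q 'PRIVATE KEY' "$dir/ca.crt"; then return 1; fi
    # Private keys stay owner-only (find -perm with no +/- is an exact match).
    [ -n "$(find "$dir/ca.key" -perm 600)" ] || return 1
    [ -n "$(find "$dir/server.key" -perm 600)" ] || return 1
}
```

Typical use is `make_pki /etc/pki/mail mail.example.com` followed by `check_pki /etc/pki/mail mail.example.com`, after which the three daemons are pointed at server.crt, server.key and ca.crt. The separation the checks enforce is the point: a CA directory readable only by root protects ca.key, and copying ca.crt elsewhere does not weaken that as long as the certificate file really contains only the certificate.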