|Subject:||[courier-users] Re: ssl certificates problem|
|Date:||Sep 30, 2004 2:32:01 am|
Andrei Iordache writes:
I am trying to set up imapd-ssl. If I use the mkimapdcert script, everything works fine. The problem is that the script creates a certificate file with both private and public keys in it. If I try to split it in 2 like this:
-----BEGIN RSA PRIVATE KEY----- Private key stuff -----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- Certificate stuff -----END CERTIFICATE-----
You may want to read up a bit about this stuf works. But in short, just extract the certificate stuf from the courier generated file and import only that in your mailclient. Leave the courier generated file alone.
and I instruct [for example] imapd-ssl to use the courier-key.pem (after I import the file courier-cert.crt in my email client ie Outlook Express), it doesn't work anymore. I find in the logs something like
k-server imapd-ssl: couriertls: /path-to-the-certificate/courier-key.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
That's right, there is no certificate, so there is no startline.
This also happens if I generate the certificate manually with openssl (a x509 that is, i have read the documentation, it says that "SSL requires a valid, signed, X.509 certificate to be installed where Courier expects to find it") and if I put the private key into a separate file than the public (the actual ceritificate, isn't it?) one. I also am making sure that both files have a new end-line each.
Am I doing something wrong ?
You are not providing the certificate to courier, so it cannot work.
A PEM file can contain any number of items, and a program can load one or more items from a PEM file. Depending on how the software is set up, one can have settings for a private key file and a certificate file (which may point to the same PEM file), or the software dictates the private key and certificate should be in the same PEM file by only providing one combined setting for this. Reading your problem, I assume courier is in this second catagory, which is fairly common btw.
Remember that a certificate must be present at both ends of the connection (commonly achieved by sending it over from server to client at connection setup), but the corresponding private key should only be at the server side (client and server as in who consumes and who provides authentication, not an IMAP server or so).
Importing the certificate in the client is a good way to make sure you are really talking to a particular webserver. Without further setup, a certificate only assures you are talking over an encrypted channel, not who you are talking to and not even that this channel is end-to-end (man in the middle attack possible). Importing certificates into your mailclient solves these problems.
But another possibility (I don't know if outlook supports this) would be to create your own CA, generate a root certificate, sign the mailserver certificate with this CA certificate, import the root certificate into the client and tell the client to only accept certificates signed by this CA. By setting up things this way, you can regenerate mail certificates and have the client automagically accept only servers with an certificate issued by you. Very useful from a continuity point of view, you can add backup MXen, migrate mailservers, etc without having to reconfigure clients.
-- Courier-mta rocks!