All:
Does anyone know of any known problems with couriertcpd / imapd / esmtpd
encountering problems using server-side certificates with X509 v3
Extensions?
e.g.:
$ openssl x509 -text -in interface.crt.pem
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:postmaster@tld
            Netscape Cert Type:
                SSL Server, S/MIME, Object Signing
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
From:
# -set_serial takes a serial number, not a file; the serial file goes to -CAserial
$ openssl x509 -req -in iface.csr.pem -days 365 -extfile \
private/openssl.cnf -extensions v3_req_ext -CA internal_ca.crt.pem \
-CAkey internal_ca.key.pem -CAserial serial.txt \
-out newcerts/iface.crt.pem
With openssl.cnf:
[ v3_req_ext ]
subjectAltName=email:copy
nsCertType = server, email, objsign
# .2 = Client, .1 = Server
#extendedKeyUsage = 1.3.6.1.5.5.7.3.2
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
This is the way Godaddy rocks out.
I like to use the same private key / public key for my IMAP, SMTP, and
Apache daemons (on a per-interface basis of course).
Every year I suffer through hours of self-abnegation trying to
re-issue certificates for a dozen F/OSS applications that all have little
caveats --- This year I'm writing that shit down >:}
~BAS
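The issuing procedure above, as an added example that is not code from the original post or from the Courier project: it builds a throwaway internal CA, signs an interface certificate with the same v3 extensions the post shows (e-mail SAN, nsCertType, serverAuth EKU), writes the key-plus-certificate PEM that a single TLS_CERTFILE-style setting reads, and then runs the checks worth doing before the file is handed to imapd, esmtpd or Apache. The CA, hostnames, addresses and paths are all constructed for the demo; the e-mail SAN is spelled out rather than pulled from the subject with email:copy, and a DNS SAN is added so the certificate also matches the hostname clients connect to.

```shell
#!/bin/sh
# Added example, not from the original post or from Courier. Issue a server
# certificate with SAN, nsCertType and serverAuth EKU extensions from a
# constructed internal CA, then verify the result before a daemon uses it.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed files

# Extension section equivalent to the post's v3_req_ext, with the EKU OID
# written by name and a DNS SAN added for the interface hostname (constructed).
write_ext_cnf() {
    cat > "$WORK/v3.cnf" <<'EOF'
[ v3_req_ext ]
subjectAltName   = email:postmaster@example.test, DNS:mail.example.test
nsCertType       = server, email, objsign
extendedKeyUsage = serverAuth
EOF
}

issue_certs() {
    write_ext_cnf
    # Throwaway self-signed internal CA (no serverAuth EKU of its own).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # One key and CSR per interface; the same key is reused by every daemon.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test/emailAddress=postmaster@example.test" \
        -keyout "$WORK/iface.key" -out "$WORK/iface.csr" 2>/dev/null
    # Sign with the extension section; -CAcreateserial keeps a serial file
    # beside the CA cert, which -CAserial can reuse on next year's renewal.
    openssl x509 -req -in "$WORK/iface.csr" -days 30 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/v3.cnf" -extensions v3_req_ext \
        -out "$WORK/iface.crt" 2>/dev/null
    # Combined key+certificate PEM for daemons that read a single file
    # (Courier's TLS_CERTFILE is one such setting); it holds the private key,
    # so it must not be world-readable.
    cat "$WORK/iface.key" "$WORK/iface.crt" > "$WORK/iface.pem"
    chmod 600 "$WORK/iface.key" "$WORK/iface.pem"
}

# Exit 0 if the certificate chains to the given CA and is currently valid.
cert_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Exit 0 if the serverAuth EKU is present (what TLS clients look for).
cert_has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Exit 0 if the e-mail address appears as a Subject Alternative Name.
cert_has_email_san() {
    openssl x509 -in "$1" -noout -text | grep -q "email:$2"
}

# Exit 0 if the private key belongs to the certificate (public keys compared),
# which catches the classic renewal mistake of pairing an old key with a new cert.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

demo() {
    issue_certs
    for check in \
        "cert_verifies $WORK/ca.crt $WORK/iface.crt" \
        "cert_has_server_eku $WORK/iface.crt" \
        "cert_has_email_san $WORK/iface.crt postmaster@example.test" \
        "key_matches_cert $WORK/iface.key $WORK/iface.crt"; do
        if $check; then echo "ok   $check"; else echo "FAIL $check"; fi
    done
    echo "files in $WORK"
}

# Run the whole flow with:  sh issue_and_check.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

The checks are deliberately independent of any one daemon: `openssl verify` confirms the chain, the EKU and SAN greps confirm the extensions actually landed in the issued certificate (the post's `-text` dump is the same information), and the public-key comparison confirms the key in the combined PEM is the one the certificate was issued for. Running them against the CA certificate instead of the server certificate should fail the EKU and key checks, which is a quick sanity test that the checks themselves are not vacuous.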