LinuxQuestions.org

Linux - Server: Can I use a regular certificate for cyrus imap? (https://www.linuxquestions.org/questions/linux-server-73/can-i-use-a-regular-certificate-for-cyrus-imap-661004/)

ganz_friedrich 08-06-2008 06:53 PM

Can I use a regular certificate for cyrus imap?
 
Dear All,

Is it possible to use a regular certificate that I use for my website with cyrus imap as well? I purchased the certificate from godaddy and so it requires a chain certificate.

I have:

a .key file with the private key
a .crt file for the domain's certificate
a .crt file for the chain certificate (intermediate bundle).

(I don't know if the .key is a standard file extension, but inside the file we have:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: ...and so on)



If I had to guess, I would say I need to somehow convert all of these into a .pem file for cyrus.

Thank you

digitalnerds 08-08-2008 10:04 AM

Hey

I, personally, see no reason to use a regular cert (I mean commercial) with cyrus since you need the TLS/SSL capability of cyrus only for encryption rather than identification. I suggest generating a custom one.

Code:

# generate a new unencrypted (-nodes) private key and a certificate request
openssl req -new -nodes -out req.pem -keyout key.pem
# rewrite the key as plain RSA PEM (already unencrypted here, so this is a no-op)
openssl rsa -in key.pem -out new.key.pem
# self-sign the request with that key, valid for 999 days
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 999

mkdir /var/imap

# combine the key and the certificate into the single PEM file cyrus will read
cp new.key.pem /var/imap/server.pem
rm new.key.pem
cat ca-cert >> /var/imap/server.pem

chown cyrus:mail /var/imap/server.pem
chmod 600 /var/imap/server.pem # Your key should be protected

# point imapd.conf at the combined file for the CA, the certificate and the key
echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf

Regards
Andy

ganz_friedrich 08-25-2008 09:00 AM

Thank you very much for your response and I apologize for the delay in replying.

Why would you not need a regular certificate for identification in this case? Even if it's not necessary, a self-generated certificate brings about a warning for clients.

Thanks again.

chort 08-25-2008 09:22 AM

The files you got from Godaddy look like they're already PEM formatted. All you have to do is append the chain bundle to your root CA bundle, wherever that is... it's often called ca-bundle.crt .

You can append your intermediate bundle to the root CA bundle like this:
Code:

# cat intermediate-bundle.crt >> ca-bundle.crt

Be very, very careful that you use two angle brackets (append) rather than one (overwrite).

PS Don't use a self-signed cert if you already bought a trusted signature. That's going totally backwards in terms of security and anyone who suggests that should be ashamed of themselves.

digitalnerds 08-27-2008 07:20 PM

Quote:

Originally Posted by chort (Post 3259018)
PS Don't use a self-signed cert if you already bought a trusted signature. That's going totally backwards in terms of security and anyone who suggests that should be ashamed of themselves.


I am afraid I still sustain my opinion and I am NOT ashamed of myself for suggesting this. I see nothing backwards in terms of security as, again, it is being used for encryption rather than identification.
By all means if he bought a valid cert for this very purpose then he should use it. But if he bought a single cert that he can use for web instead of mail then he should generate a self-signed one. That's what I would do anyway.

Regards

sin0nyx 08-27-2008 10:01 PM

But won't a self-signed certificate prompt the end user with warnings? Is there anything stopping him from using the certificate for both sendmail and web?

chort 08-27-2008 11:01 PM

Quote:

Originally Posted by digitalnerds (Post 3262081)
I am afraid I still sustain my opinion and I am NOT ashamed of myself for suggesting this. I see nothing backwards in terms of security as, again, it is being used for encryption rather than identification.
By all means if he bought a valid cert for this very purpose then he should use it. But if he bought a single cert that he can use for web instead of mail then he should generate a self-signed one. That's what I would do anyway.

Regards

THERE IS NO POINT IN HAVING ENCRYPTION IF IT'S NOT AUTHENTICATED. I don't know how much more clear I can be. Yes, it is a step backwards in security, because without authentication the connection is dead-simple to attack and the encryption is meaningless because the data can be sent anywhere (ooh, but it will be encrypted all the way to the Russian mafia's botnet, so it will be really secure as they steal it!).

If you don't understand what certificates are for, kindly refrain from talking about them.

By the way, to show how ignorant you are there are not separate certs for web servers vs. e-mail servers. A server cert is a server cert. There are some special extensions that deal with other aspects (such as code-signing, revocation, etc) but those are extended attributes and don't come into play in this case. You can absolutely use a "web server cert" for an e-mail service as long as the hostname is the same (which it certainly appears to be in this case).

And to answer the question, YES your users will get security warnings if you use a self-signed cert, and for good reason: IT'S INSECURE!

Just simply scrambling data is not "dust your hands, you're all secure and done" security. It matters who can unscramble the data, and unless you're authenticating the connection, that means anyone can pretend to be you and unscramble it. So tell me, what is the point of encrypting something if anyone can decrypt it?

Just because you read blogs from half a dozen security-illiterate, lazy, careless, and uninformed web developers doesn't mean they're right. The Mozilla dev team is correct, and all the people crying about self-signed certs are dead wrong. Self-signed certificates are not security, they're false security that will lie to users and trick them into surrendering data that they should not have sent because it isn't actually protected. That is worse than no encryption, because at least with no encryption you know you aren't protected.

PS for sin0nyx, no there is nothing stopping someone from using a certificate for both Sendmail and Apache.

PPS digitalnerds, just because you would do something doesn't mean it's smart, and certainly doesn't mean someone else should do it. That's a terrible justification for giving any advice, especially when you clearly don't understand how TLS and X.509 are designed to work (let alone basic security principles).
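The procedure chort's two posts describe (append the intermediate bundle to the root bundle, reuse the web-server certificate for the same hostname, and rely on a chain that clients can authenticate rather than on a self-signed certificate), as an added example that is not part of this thread or of Cyrus itself. It generates a throwaway PKI with openssl in a temporary directory so that the three purchased files (key, domain .crt, intermediate bundle .crt) exist locally as constructed stand-ins; the hostname mail.example.test, the demo.cnf sections and the file names are assumptions, while tls_ca_file, tls_cert_file and tls_key_file are the imapd.conf options used earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway PKI with openssl so the
# three files the original poster has (key, leaf .crt, intermediate bundle .crt)
# exist locally as constructed stand-ins, then assembles and verifies them the
# way chort describes. Hostname mail.example.test and the demo.cnf sections are
# assumptions; tls_ca_file/tls_cert_file/tls_key_file are the imapd.conf keys
# used in the thread.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-contained openssl config so the demo does not depend on the system one.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF

# Constructed stand-ins: root CA (the system "ca-bundle.crt"), an intermediate,
# the purchased leaf cert for the mail host, and a self-signed cert for comparison.
make_demo_pki() {
  openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out ca-bundle.crt -subj "/CN=Demo Root CA" -days 30 2>/dev/null
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA ca-bundle.crt -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions ca_ext -out intermediate-bundle.crt -days 30 2>/dev/null
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout mail.key -out mail.csr -subj "/CN=mail.example.test" 2>/dev/null
  openssl x509 -req -in mail.csr -CA intermediate-bundle.crt -CAkey inter.key -CAcreateserial \
    -extfile demo.cnf -extensions leaf_ext -out mail.crt -days 30 2>/dev/null
  openssl req -x509 -config demo.cnf -extensions leaf_ext -newkey rsa:2048 -nodes \
    -keyout selfsigned.key -out selfsigned.crt -subj "/CN=mail.example.test" -days 30 2>/dev/null
}

# Step 1: the private key must belong to the certificate (compare the public keys).
key_matches_cert() {   # $1 key file, $2 cert file -> prints yes/no
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ] && echo yes || echo no
}

# Step 2: append (>>, never >) the intermediate bundle to the root bundle.
append_intermediate() {   # $1 intermediate bundle, $2 root bundle
  cat "$1" >> "$2"
}

# Step 3: the check an IMAP client performs: chain to a trusted root, name matches.
verify_against_roots() {   # $1 cert, $2 root bundle, $3 expected hostname -> ok/FAIL
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# Step 4: one PEM with key, leaf and intermediate(s), mode 600, plus imapd.conf lines.
assemble_server_pem() {   # $1 key, $2 leaf cert, $3 intermediate bundle, $4 output
  ( umask 077; cat "$1" "$2" "$3" > "$4" )
  printf 'tls_cert_file: %s\ntls_key_file: %s\ntls_ca_file: %s\n' \
    "$WORK/$4" "$WORK/$4" "$WORK/ca-bundle.crt"
}

make_demo_pki
append_intermediate intermediate-bundle.crt ca-bundle.crt
echo "key matches purchased cert:  $(key_matches_cert mail.key mail.crt)"
echo "purchased chain verifies:    $(verify_against_roots mail.crt ca-bundle.crt mail.example.test)"
echo "self-signed cert verifies:   $(verify_against_roots selfsigned.crt ca-bundle.crt mail.example.test)"
assemble_server_pem mail.key mail.crt intermediate-bundle.crt server.pem > imapd.conf.snippet
cat imapd.conf.snippet
```

The purchased chain verifies and the self-signed certificate does not, which is exactly the warning the original poster's users would see. With real files, run the same steps against the purchased key and certificates instead of the constructed ones; the .key in the first post is passphrase-protected (Proc-Type: 4,ENCRYPTED), and a daemon that starts unattended needs it without the passphrase, which is what the `openssl rsa -in ... -out ...` step in Andy's script produces.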

digitalnerds 08-30-2008 04:56 PM

Yes I think you are working for an SSL cert issuing company. I didn't intend to start a flame war. Maybe you should get some anger management sessions. I never said there are separate mail certs and separate web certs.

ANYWAY I think a mod can close this topic. Unless you want to write countless lines of text just because you NEED to be right.

DUH!
