[Dovecot] client certs with godaddy ssl cert
Rainer Frey (Inxmail GmbH)
rainer.frey at inxmail.de
Mon Sep 29 09:40:55 EEST 2008
On Saturday 27 September 2008 03:43:19 Harondel J. Sibble wrote:
> I've read the client ssl cert section in the wiki and it talks about using
> a self signed cert, if I am using a commercial cert, in this case godaddy,
> how do I implement a self signed cert for the client side and have dovecot
> make use of this? I know the mechanics of setting up the self signed ca,
> the question is more what configuration changes do I need to make in
> dovecot to handle both godaddy and the self signed ca functionality?
If I understand you correctly, you're using the godaddy certificate as the
server certificate only. This is fine, AFAIK the server certificate can be
completely independent from any client certificate.
What is important: you cannot self-sign each client certificate, but you need
a CA with a self-signed root instead. I think you understand that already,
just noting that for completeness.
Then you simply configure Dovecot as described in
http://wiki.dovecot.org/SSL/DovecotConfiguration
In short: Put your godaddy SSL certificate, and then the complete hierarchy of
godaddy CA certificates (I don't know how many levels they have) in
(e.g.) /etc/ssl/dovecot.pem, and set ssl_cert_file=/etc/ssl/dovecot.pem.
Don't forget to set the path to your private key or add it to the beginning
of your cert file. This handles SSL/TLS for the server.
Then create the CA root certificate, and any sub-CA certificates if you want
to implement a multi-level CA. For each hierarchy level generate a CRL
(Certificate Revocation List). Then, from the most specific sub-CA down to
the root, concatenate each CA cert and the corresponding CRL to one file, and
set this file as ssl_ca_file. The order is important, and needs to be (if
existing):
* Issuing CA cert
* issuing CA crl
* Intermediate CA cert
* intermediate CA crl
* Root CA cert
* Root CA crl
Then configure client cert verification as described in the last section of
the above-mentioned wiki page.
To sum it up:
ssl_cert_file is responsible for server side TLS/SSL and needs to contain the
complete verification path for the server certificate. It has no influence on
client certs.
ssl_ca_file is used for client cert verification only, and does not need to
cover the server certificate.
So you can use a commercial server cert and the self-managed client certs. You
might want to consider though: your clients need to import the client cert
you issue, and your root CA certificate as a trusted cert. If *all your SSL/TLS
clients* also get a client cert, you can also issue the server cert yourself;
a commercial cert provides no extra value in that case.
> Thanks
Regards
Rainer Frey
--
Software Developer
------------------------------------------------------
Inxmail GmbH
rainer.frey at inxmail.de, www.inxmail.de
Handelsregister Freiburg, HRB 5870
Ust.-ID: DE198371679
Geschäftsleitung: Martin Bucher, Peter Ziras
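A small shell helper, added here as an example and not part of Rainer's reply or of Dovecot itself, that assembles the ssl_ca_file in the order listed above (issuing CA cert, its CRL, ..., root CA cert, root CRL) and checks that an existing bundle really alternates CA cert and CRL blocks. All file paths are placeholders; it assumes the CA certificates and CRLs already exist as PEM files.

```shell
#!/bin/sh
# Added example; not from the original post. Paths below are placeholders.
# Dovecot settings this prepares (names as on the wiki page cited above):
#   ssl_cert_file = /etc/ssl/dovecot.pem      # server cert + godaddy chain (+ key)
#   ssl_ca_file   = /etc/ssl/dovecot-ca.pem   # client-cert CA bundle built here
#   ssl_verify_client_cert = yes              # the "last section" of that page

# build_ca_file OUT cert1 crl1 [cert2 crl2 ...]
# Pairs are given most-specific CA first, root CA last, matching the list
# in the reply (issuing cert, issuing CRL, ..., root cert, root CRL).
build_ca_file() {
    out=$1; shift
    [ $# -ge 2 ] && [ $(( $# % 2 )) -eq 0 ] ||
        { echo "usage: build_ca_file OUT cert crl [cert crl ...]" >&2; return 1; }
    : > "$out" || return 1
    while [ $# -gt 0 ]; do
        # each CA level contributes its certificate followed by its CRL
        cat "$1" "$2" >> "$out" || return 1
        shift 2
    done
}

# check_ca_file FILE
# Prints the sequence of PEM block types found and succeeds only if the
# file strictly alternates CERTIFICATE, X509 CRL, ... (one CRL per CA cert).
check_ca_file() {
    seq=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ',')
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    expect=""
    i=0
    while [ "$i" -lt "$certs" ]; do
        expect="${expect}CERTIFICATE,X509 CRL,"
        i=$((i + 1))
    done
    printf '%s\n' "$seq"
    [ -n "$seq" ] && [ "$seq" = "$expect" ]
}

# Example invocation for a two-level CA (placeholder paths):
# build_ca_file /etc/ssl/dovecot-ca.pem \
#     /etc/ssl/ca/issuing.crt /etc/ssl/ca/issuing.crl \
#     /etc/ssl/ca/root.crt    /etc/ssl/ca/root.crl
# check_ca_file /etc/ssl/dovecot-ca.pem || echo "bundle order is wrong" >&2
```

Regenerate the bundle whenever a CRL is reissued, since the CRL blocks inside ssl_ca_file are what Dovecot consults, not the CRL files on disk.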