18.04.2014 19:57, Charles Marcus:
Ok, been wanting to do this for a while, and after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs...
Until now, we've been using self-signed certs with the following dovecot config:
ssl = required
ssl_cert =
Now, I've created new keys/certs and the CSR, got the new certs from RapidSSL (and also downloaded their Intermediate bundle), saved everything per their instructions, which say to reference them as follows:
ssl = required
ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
But my current config doesn't have the _file for the variable names, and the wiki doesn't use them, so I'm planning on setting these to:
ssl = required
ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
Anyone else ever used RapidSSL certs? Does this look correct?
Yes. No. Aside from the missing indirection (use ... =
Instead, cat your new server certificate together with the CA certificates into one file and point ssl_cert to this file (see "Chained SSL certificates" in http://wiki2.dovecot.org/SSL/DovecotConfiguration ).
-- Regards mks
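
The chained file the reply describes, as an added example that is not part of the original thread: a small POSIX shell helper that writes the server certificate first and the CA certificates after it, and refuses input that contains a private key. The function names, the placeholder PEM bodies and the /path/to/... locations are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. PEM bodies and file names are constructed placeholders.

# build_chain OUT LEAF CA...: server certificate first, then the CA certificates.
build_chain() {
    out=$1; shift
    for f in "$@"; do
        # The certificates in this file are presented to clients;
        # keep private keys out of it.
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "refusing $f: contains a private key" >&2; return 1
        fi
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "refusing $f: no PEM certificate found" >&2; return 1
        fi
    done
    : > "$out" || return 1
    for f in "$@"; do
        # Drop CRs and text outside the PEM blocks; awk ends every line with
        # a newline, so a file without a final newline cannot fuse
        # "-----END CERTIFICATE-----" onto the next "-----BEGIN".
        tr -d '\r' < "$f" |
            awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' >> "$out"
    done
}

# Number of certificates in a PEM file (0 when there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

demo() {
    d=$(mktemp -d) || return 1
    # Leaf without trailing newline; intermediate with CRLF line endings.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$d/mail.crt"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' > "$d/intermediate.crt"
    build_chain "$d/chain.pem" "$d/mail.crt" "$d/intermediate.crt" && echo "$d/chain.pem"
}

# Dovecot 2.x then reads the file contents through the "<" prefix:
#   ssl_cert = </path/to/chain.pem
#   ssl_key  = </path/to/private.key
```

Calling demo builds a chain from the placeholder files and prints its path; with real files, pass the RapidSSL server certificate first and the intermediate bundle after it.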