ot: self certified enduser browser/mail client install?
I have self certified Dovecot as so:
ssl = required ssl_cert =
in order for end user to avoid webmail warnings or email client warnings, do I make this file /etc/pki/dovecot/certs/dovecot.pem available to users say under httpd://webhost/tld/certificate/dovecot.pem
and, tell users to import dovecot.pem (from /etc/pki/dovecot/certs/dovecot.pem) into their PC/browser/mailclient certs?
(sorry for dumb Q, but I thought I should ask before I commit some fundamental stuffup)
On 21 August 2017 01:37:26 CEST, voytek@sbt.net.au wrote:
> I have self certified Dovecot as so:
> ssl = required ssl_cert =
> in order for end user to avoid webmail warnings or email client warnings, do I make this file /etc/pki/dovecot/certs/dovecot.pem available to users say under httpd://webhost/tld/certificate/dovecot.pem
> and, tell users to import dovecot.pem (from /etc/pki/dovecot/certs/dovecot.pem) into their PC/browser/mailclient certs?
> (sorry for dumb Q, but I thought I should ask before I commit some fundamental stuffup)

You would publish the CA cert to your users, that's the one you used to sign your cert.
Christian Kivalo
On Mon, 21 Aug 2017, voytek@sbt.net.au wrote:
> in order for end user to avoid webmail warnings or email client warnings, do I make this file /etc/pki/dovecot/certs/dovecot.pem available to users say under httpd://webhost/tld/certificate/dovecot.pem
Most likely yes. It should work regardless if the cert is self-signed or not.
However, you could try to find the upper-most cert by running
openssl x509 -in /etc/pki/dovecot/certs/dovecot.pem -noout -text|less
Check out the Issuer and Subject near the top of the output:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=dovecot.example.com/emailAddress=me@example.com
Validity
Not Before: Aug 21 05:36:49 2017 GMT
Not After : Aug 21 05:36:49 2018 GMT
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=dovecot.example.com/emailAddress=me@example.com
If both are the same, it's the correct one. Then you really have a self-signed certificate. Otherwise hunt for the "issuer" cert and hand that to your users. That would be your CA cert.
Steffen Kaiser
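The Issuer/Subject comparison from the reply above, as an added shell example that is not part of the original thread. It goes one step further and picks, from a list of candidate files, the CA certificate that actually signed the server certificate. The function names are assumptions, and `make_samples` builds constructed test certificates.

```shell
# Added example, not from the thread; function names are assumptions.
# True when Issuer and Subject are the same name (the check described above).
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Prints the file users should import to trust server cert $1.
# Remaining arguments are candidate CA certificate files.
trust_anchor_for() {
    cert=$1; shift
    if is_self_issued "$cert"; then
        # Same names are not enough: the signature must verify under its own key.
        openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
        printf '%s\n' "$cert"; return 0
    fi
    want=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null) || return 1
    for ca in "$@"; do
        have=$(openssl x509 -in "$ca" -noout -subject_hash 2>/dev/null) || continue
        [ "$have" = "$want" ] || continue
        if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            printf '%s\n' "$ca"; return 0
        fi
    done
    return 1   # issuer is not among the candidates
}

# Constructed sample data in directory $1: a self-signed cert (self.pem),
# a CA (ca.pem) and a server cert issued by that CA (leaf.pem).
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=dovecot.example.com" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Mail CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=dovecot.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}
```

Only the certificate file printed by `trust_anchor_for` is handed to users; the private key stays on the server.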