Re: /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
On 2015/2/16 16:28, Jochen Bern wrote:
It would be nicest if all the software wanted things configured the same way. Personally I like the way Dovecot does it, but having things be uniform would be even better. From my quick survey, a lot of the programs (or at least their documentation) don't support CRLs at all.
Postfix wants multiple certificates specified by different .cf entries (it appears to not support CRLs--at least they aren't mentioned in the documentation):
smtpd_tls_cert_file
smtpd_tls_key_file
smtpd_tls_dcert_file
smtpd_tls_dkey_file
smtpd_tls_eccert_file
smtpd_tls_eckey_file
smtpd_tls_CAfile
Apache2.4 wants
SSLCertificateFile
SSLCertificateKeyFile
repeated multiple times for different cert types. Making it worse, Apache2.4.8 wants the whole cert chain in the above, but earlier versions wanted SSLCertificateChainFile to have the non-leaf chain.
Courier IMAP SSL wants
TLS_CERTFILE
specifying a file containing both the certificate and private key catenated.
OpenVPN wants
ca certificate chain used for signing.pem
cert certificate.pem
key privatekey.pem
crl-verify crl.pem
OpenLDAP appears similar to OpenVPN with (appears not to support CRLs):
TLSCACertificatePath
TLSCertificateFile
TLSCertificateKeyFile
Racoon wants (appears not to support CRLs):
certificate_type x509 certfile keyfile
ca_type x509 ca.pem
But the man page doesn't talk about where the chain goes.
So it appears one should generate the following file formats to satisfy all the software out there:
- cert standalone (OpenVPN, Racoon, OpenLDAP, Postfix, Apache 2.4.7 and earlier)
- cert chain (Apache 2.4.8 and later)
- cert ca crl chain (Dovecot)
- ca chain (OpenVPN, Racoon?, OpenLDAP, Postfix, Apache 2.4.7 and earlier)
- crl chain (OpenVPN)
- cert, key catenation (Courier IMAP)
Getting all these configured the same way isn't going to happen, so I guess the next best thing would be a cookbook. Anyone know of one?
-Earl
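The "cookbook" asked for above, as an added example (not from the thread or from any of the projects named): a small Python script that takes the four inputs every daemon ultimately needs (leaf certificate, its private key, the issuing CA chain, and the CRLs) and emits each of the six file layouts listed in the post, refusing malformed input and creating anything that holds the private key with mode 0600. The PEM blocks in SAMPLE are constructed placeholders, not real certificates or keys.

```python
import os, re

# One PEM block: BEGIN label, body, and the matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?-----END \1-----\n", re.S)

def pem_blocks(text):
    """Return the (label, block) pairs found in a PEM text, in order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def labels(text):
    return [lbl for lbl, _ in pem_blocks(text)]

def build_bundles(leaf, key, chain, crl):
    """Assemble the file formats listed in the post from four inputs:
    leaf = the server certificate, key = its private key,
    chain = issuing CA(s) (leaf's issuer first, root last), crl = CRL(s).
    Returns {filename: contents}; raises ValueError on malformed input."""
    if labels(leaf) != ["CERTIFICATE"]:
        raise ValueError("leaf must contain exactly one CERTIFICATE block")
    if len(labels(key)) != 1 or not labels(key)[0].endswith("PRIVATE KEY"):
        raise ValueError("key must contain exactly one PRIVATE KEY block")
    if not chain or any(l != "CERTIFICATE" for l in labels(chain)):
        raise ValueError("chain must contain only CERTIFICATE blocks")
    if any(l != "X509 CRL" for l in labels(crl)):
        raise ValueError("crl must contain only X509 CRL blocks")
    return {
        "cert.pem": leaf,                       # OpenVPN, Racoon, OpenLDAP, Postfix, Apache <= 2.4.7
        "cert-chain.pem": leaf + chain,         # Apache 2.4.8 and later (leaf first)
        "cert-ca-crl.pem": leaf + chain + crl,  # Dovecot
        "ca.pem": chain,                        # CA chain for the rest
        "crl.pem": crl,                         # OpenVPN crl-verify
        "cert-key.pem": leaf + key,             # Courier IMAP TLS_CERTFILE
    }

def write_bundles(bundles, outdir):
    """Write each bundle; any file holding a private key is created 0600."""
    os.makedirs(outdir, exist_ok=True)
    for name, body in bundles.items():
        mode = 0o600 if "PRIVATE KEY" in body else 0o644
        path = os.path.join(outdir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as f:
            f.write(body)
        os.chmod(path, mode)  # tighten perms if the file already existed

# Constructed placeholder PEM blocks (not real certs or keys) so this runs offline.
def fake(label, tag):
    return f"-----BEGIN {label}-----\n{tag}\n-----END {label}-----\n"

SAMPLE = dict(leaf=fake("CERTIFICATE", "LEAF"), key=fake("PRIVATE KEY", "KEY"),
              chain=fake("CERTIFICATE", "INTERMEDIATE") + fake("CERTIFICATE", "ROOT"),
              crl=fake("X509 CRL", "CRL"))

if __name__ == "__main__":
    write_bundles(build_bundles(**SAMPLE), "tls-bundles")
```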