Hello all;
Is anyone knows if it's possible to have a dual certificate setup on dovecot like in postfix or apache ?
i tried to add several crts in local name section :
local_name imap.server.tdl { ssl_cert = <server_rsa_crt.pem ssl_key = <server_rsa_key.pem ssl_cert = <server_ecdsa_crt.pem ssl_key = <server_ecdsa_key.pem }
but it seems that dovecot takes the last one (ecdsa) and that rsa cert is not used.
to check if booth are working, i check with openssl:
openssl s_client openssl s_client -connect imap.server.tdl:143 -starttls imap -servername imap.server.tdl -cipher ECDHE-RSA-AES128-GCM-SHA256 for rsa
and
openssl s_client openssl s_client -connect imap.server.tdl:143 -starttls imap -servername imap.server.tdl -cipher ECDHE-ECDSA-AES128-GCM-SHA256 for ecdsa
In apache we have to duplicate the cert / key lines one for rsa, one for edcda.
In postfix, we have some specific ecdsa conf keys.
So is there a way to do the same in dovecot ?
On 02 Mar 2016, at 10:02, Jean-Baptiste Vignaud <flint42@gmail.com> wrote:
Hello all;
Is anyone knows if it's possible to have a dual certificate setup on dovecot like in postfix or apache ?
i tried to add several crts in local name section :
local_name imap.server.tdl { ssl_cert = <server_rsa_crt.pem ssl_key = <server_rsa_key.pem ssl_cert = <server_ecdsa_crt.pem ssl_key = <server_ecdsa_key.pem }
but it seems that dovecot takes the last one (ecdsa) and that rsa cert is not used.
Would it work if you had a single .pem file containing both certs and a single file containing both keys?
In apache we have to duplicate the cert / key lines one for rsa, one for edcda.
In postfix, we have some specific ecdsa conf keys.
So is there a way to do the same in dovecot ?
Looks like from OpenSSL code point of view the same cert/key loading functions can simply be called multiple times. There's currently no way to trigger that in Dovecot. But maybe the single .pem file would happen to work as well? If not, this would need some config changes and I'm not sure what would be the nicest way..
On Wed, Mar 2, 2016 at 3:44 PM, Timo Sirainen <tss@iki.fi> wrote:
Would it work if you had a single .pem file containing both certs and a single file containing both keys?
OK, just tried this configuration but only the first certificate is working.
I used this order : rsa cert, ecdsa cert, intermediate and this one : rsa cert, intermediate, ecdsa cert, intermediate
in this case, both rsa and ec are signed by the same intermediate.
In apache we have to duplicate the cert / key lines one for rsa, one for edcda.
In postfix, we have some specific ecdsa conf keys.
So is there a way to do the same in dovecot ?
Looks like from OpenSSL code point of view the same cert/key loading functions can simply be called multiple times. There's currently no way to trigger that in Dovecot. But maybe the single .pem file would happen to work as well? If not, this would need some config changes and I'm not sure what would be the nicest way..
Perhaps the same way as postfix, to have a ssl_ecdsa_cert and a ssl_ecsda_key parameters ? Anyway, this is not urgent matters, it's just that now that let's encrypt give free rsa and ec certificates i wanted to use them both :)
Google multi domain certificates. Comodo sells a multi domain wild card certificate that we use to host multiple SSL domains on dovecot and postfix successfully. You install the single certificate and reissue and reinstall after adding a new domain.
On Mar 2, 2016, at 2:02 AM, Jean-Baptiste Vignaud <flint42@gmail.com> wrote:
Hello all;
Is anyone knows if it's possible to have a dual certificate setup on dovecot like in postfix or apache ?
i tried to add several crts in local name section :
local_name imap.server.tdl { ssl_cert = <server_rsa_crt.pem ssl_key = <server_rsa_key.pem ssl_cert = <server_ecdsa_crt.pem ssl_key = <server_ecdsa_key.pem }
but it seems that dovecot takes the last one (ecdsa) and that rsa cert is not used.
to check if booth are working, i check with openssl:
openssl s_client openssl s_client -connect imap.server.tdl:143 -starttls imap -servername imap.server.tdl -cipher ECDHE-RSA-AES128-GCM-SHA256 for rsa
and
openssl s_client openssl s_client -connect imap.server.tdl:143 -starttls imap -servername imap.server.tdl -cipher ECDHE-ECDSA-AES128-GCM-SHA256 for ecdsa
In apache we have to duplicate the cert / key lines one for rsa, one for edcda.
In postfix, we have some specific ecdsa conf keys.
So is there a way to do the same in dovecot ?
participants (3)
-
Jean-Baptiste Vignaud
-
list@airstreamcomm.net
-
Timo Sirainen