[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Markus Schönhaber dovecot at list-post.mks-mail.de
Fri Apr 18 19:29:26 UTC 2014


18.04.2014 19:57, Charles Marcus:

> Ok, been wanting to do this for a while, and after the Heartbleed 
> fiasco, the boss finally agreed to let me buy some real certs...
> 
> Until now, we've been using self-signed certs with the following dovecot 
> config:
> 
> ssl = required
> ssl_cert = </etc/ssl/ourCerts/imap.pem
> ssl_key = </etc/ssl/ourCerts/imap_key.pem
> 
> Now, I've created new keys/certs and the CSR, got the new certs from 
> RapidSSL (and also downloaded their Intermediate bundle), saved 
> everything per their instructions, which say to reference them as follows:
> 
> ssl = required
> ssl_cert_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key_file = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca_file = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
> 
> But my current config doesn't have the _file for the variable names, and 
> the wiki doesn't use them, so I'm planning on setting these to:
> 
> ssl = required
> ssl_cert = /etc/ssl/ourNewCerts/mail.ourdomain.com.crt
> ssl_key = /etc/ssl/ourNewCerts/mail.ourdomain.com.key
> ssl_ca = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt
> 
> Anyone else ever used RapidSSL certs? Does this look correct?

Yes. No.
Aside from the missing indirection (use ... = </etc/... as you did
before) the documentation indicates that ssl_ca is only used
for client certificate verification and has nothing to do with the
certificate chain of your server certificate.

Instead, cat your new server certificate together with the CA
certificates into one file and point ssl_cert to this file (see "Chained
SSL certificates" in
http://wiki2.dovecot.org/SSL/DovecotConfiguration ).

-- 
Regards
  mks
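Putting the advice above into practice, as an added example that is not part of the original thread: a POSIX shell helper that concatenates the server certificate and the RapidSSL intermediate into one chain file (server certificate first), guards against a certificate file that lacks a trailing newline (which would glue two PEM blocks onto one line), checks the resulting order, and optionally verifies the chain with openssl. The file paths mirror the ones in Charles's message and are assumptions, as is the chain file name.

```shell
#!/bin/sh
# Added example for the Dovecot chained-certificate setup; paths are assumptions.
# Dovecot expects a single file: server cert first, then the intermediate(s).

# Concatenate leaf + intermediate into a chain file, inserting a newline if
# the leaf file does not end with one (otherwise the PEM blocks run together).
build_chain() {
  leaf="$1"; intermediate="$2"; out="$3"
  {
    cat "$leaf"
    [ -n "$(tail -c1 "$leaf")" ] && echo
    cat "$intermediate"
  } > "$out"
  chmod 0644 "$out"   # the chain holds only public certificates
}

# Print the first PEM certificate block of a file.
first_block() {
  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print; if (/END CERTIFICATE/) exit }' "$1"
}

# Succeed only if the chain has at least two certificates and the first one
# is the server (leaf) certificate, i.e. the order Dovecot's SSL stack needs.
chain_order_ok() {
  chain="$1"; leaf="$2"
  [ "$(grep -c 'BEGIN CERTIFICATE' "$chain")" -ge 2 ] || return 1
  [ "$(first_block "$chain")" = "$(first_block "$leaf")" ]
}

# Optional: check the leaf against the intermediate and the system trust store.
# Skipped silently when openssl is not installed.
verify_chain() {
  leaf="$1"; intermediate="$2"
  command -v openssl >/dev/null 2>&1 || return 0
  openssl verify -untrusted "$intermediate" "$leaf"
}

# Typical use (assumed paths):
#   build_chain /etc/ssl/ourNewCerts/mail.ourdomain.com.crt \
#               /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt \
#               /etc/ssl/ourNewCerts/mail.ourdomain.com.chain.pem
# then in dovecot.conf (no ssl_ca line, it is for client certificates):
#   ssl = required
#   ssl_cert = </etc/ssl/ourNewCerts/mail.ourdomain.com.chain.pem
#   ssl_key = </etc/ssl/ourNewCerts/mail.ourdomain.com.key
```

Keep the key file readable by root only; only the chain file is safe to leave world-readable.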