Updated my Dovecot certificate for the first time

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Fri Nov 25 07:26:44 UTC 2016


On Thu, 24 Nov 2016, Steve Litt wrote:
> On Thu, 24 Nov 2016 07:52:51 +0100 (CET)
> Steffen Kaiser <skdovecot at smail.inf.fh-brs.de> wrote:
>> On Wed, 23 Nov 2016, Steve Litt wrote:
>>
>>> On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers
>>> <gcr+dovecot at tharned.org> wrote:
>>>> $ strings $(whence alpine) | grep '^/.*certs$'
>>>> /etc/ssl/certs
>>>
>>> The directory or the certs isn't the problem. Alpine sees the
>>> self-signed cert I just made, but complains because it's
>>> self-signed, and gives me the choice between saying "yes" every
>>> time, and just not checking for certs at all.
>>
>> "sees the self-signed cert"?
>> Have you added it as trusted to the CA, as Greg said and wrote what
>> to do?
>
> No. I don't want to deal with a third party "Trusted Party": I want it
> self-signed. What I was looking for was a way Alpine could be set to
> check for a cert, warn if the cert is conflicting, but not warn if it's
> self-signed.

Er, question: what is a self-signed cert?
A cert signed with a CA that is itself.

How can a client trust a cert?
Because, beginning with the cert presented by the server, the client walks
up the cert chain until it reaches either a missing cert or a trusted
cert.
In the latter case, trust is given -> no warning.
In the first case, no trust -> warning.

So, because there is just one certificate involved with self-signed certs, 
you have to follow Greg's advice and make it trusted on your system.

Maybe Frank-Ulrich's suggestion is even better. Roll your own CA. Mark
the CA cert as trusted on your system and sign as many certs with it as
you wish.

-- 
Steffen Kaiser
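
The chain walk described in the message above, as an added example that is not part of the original post: it verifies a self-signed cert and a cert signed by a home-made CA, each with and without a trust anchor. The names (mail.example.test, "Home CA") and file names are constructed, and OpenSSL 1.1.1 or newer is assumed.

```sh
#!/bin/sh
# Added example. All names are constructed; keys are throwaway, kept in a temp dir.
# Assumes OpenSSL 1.1.1 or newer on PATH.
WORK=$(mktemp -d)

# Verify CERT against exactly one trust anchor; the system store is disabled.
# With no anchor argument, nothing is trusted at all.
verify_with() {    # usage: verify_with CERT [TRUSTED_CERT]
    if [ -n "$2" ]; then
        openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CApath -no-CAfile "$1" >/dev/null 2>&1
    fi
}

# Case 1: a single self-signed cert (issuer == subject), so the chain has one link.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mail.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# Case 2: roll your own CA, then sign a server cert with it.
make_ca_and_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Home CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/srv.pem" 2>/dev/null
}

show() {    # usage: show LABEL CERT [TRUSTED_CERT]
    if verify_with "$2" "$3"; then echo "$1: trusted, no warning"
    else echo "$1: not trusted, client warns"; fi
}

demo() {
    make_self_signed && make_ca_and_server || exit 1
    show "self-signed, nothing trusted " "$WORK/self.pem"
    show "self-signed, itself trusted  " "$WORK/self.pem" "$WORK/self.pem"
    show "CA-signed, CA not trusted    " "$WORK/srv.pem"
    show "CA-signed, CA cert trusted   " "$WORK/srv.pem" "$WORK/ca.pem"
}
demo
```
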
