* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [10-10-05 10:46]:
> Hello All,
>
> I'm using SMTP-AUTH with TLS wrapper with Self Signed Certificate on my
> system.
>
> I want users to be able to install certificate on their computer (on OE or
> another mail-client) and not press "Yes" on the nag screen on every login.
> How can I do it so client certificate only contain the public portion of the
> certificate (so it is secure to publish this certificate on the net)?

This depends on the client used and it's highly specific. And has nothing
to do with cyrus.

> Background Info:
> This is how I've created certificates:
> # openssl req -new -x509 -sha1 -extensions v3_ca -nodes -days 999 -out
> cert.pem
> # ls
> . .. cert.pem privkey.pem
> # cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem
> # mv -f privkey.pem /etc/ssl/certs/skey.pem
> # chown cyrus:mail /etc/ssl/certs/cert.pem
> # chmod 600 /etc/ssl/certs/cert.pem

It is enough to provide the client with the certificate and import it into
its trust database (as I said, depends on the application). Depending on
the application you might want to convert it to DER (with
openssl x509 -in ... -out cert.der -outform der). The private part is the
privkey.pem and that you should keep safe.

For Windows (OE) you have to use the mmc program, TB has a special settings
tab which lets you import in PEM format, I don't know about other clients on
Windows.

mitu

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
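
An added example, not part of the original thread: the quoted `cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem` step leaves the server file holding the private key as well as the certificate, so the copy given to clients has to be cut from it as certificate-only PEM and DER. The function names, output file names and the host name `mail.example.test` are assumptions, and the demo bundle is a throwaway constructed for the run.

```shell
#!/bin/sh
# Added example: derive a publishable, certificate-only copy from a server
# PEM bundle that also contains the private key.

# export_public_cert BUNDLE OUTDIR
# Writes OUTDIR/public.pem and OUTDIR/public.der and prints the SHA-256
# fingerprint, which users can compare before trusting the import.
export_public_cert() {
    mkdir -p "$2" || return 1
    # openssl x509 emits only the certificate; key blocks in the input are skipped.
    openssl x509 -in "$1" -out "$2/public.pem" -outform PEM || return 1
    openssl x509 -in "$2/public.pem" -out "$2/public.der" -outform DER || return 1
    # Defensive check: never hand out a file that carries key material.
    if grep -q 'PRIVATE KEY' "$2/public.pem"; then
        echo "private key found in $2/public.pem, removing output" >&2
        rm -f "$2/public.pem" "$2/public.der"
        return 1
    fi
    openssl x509 -in "$2/public.pem" -noout -fingerprint -sha256
}

# make_demo_bundle DIR
# Constructed input: a short-lived self-signed certificate whose key and
# certificate are concatenated the same way as in the quoted commands.
make_demo_bundle() {
    mkdir -p "$1" || return 1
    openssl req -new -x509 -sha256 -nodes -days 30 -newkey rsa:2048 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    cat "$1/privkey.pem" "$1/cert.pem" > "$1/bundle.pem"
    chmod 600 "$1/privkey.pem" "$1/bundle.pem"
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir" && export_public_cert "$demo_dir/bundle.pem" "$demo_dir/out"
rm -rf "$demo_dir"
```

Only `public.pem` or `public.der` goes to clients; the bundle and `privkey.pem` stay on the server with mode 600.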