Re: Dual certificate

2016-03-03 Thread Jean-Baptiste Vignaud
On Wed, Mar 2, 2016 at 3:44 PM, Timo Sirainen  wrote:

>
>
> Would it work if you had a single .pem file containing both certs and a
> single file containing both keys?
>

OK, just tried this configuration but only the first certificate is
working.

I used this order: RSA cert, ECDSA cert, intermediate
and this one: RSA cert, intermediate, ECDSA cert, intermediate.

In this case, both the RSA and EC certs are signed by the same intermediate.


> > In Apache we have to duplicate the cert / key lines, one for RSA, one for
> > ECDSA.
> >
> > In Postfix, we have some specific ECDSA conf keys.
> >
> > So is there a way to do the same in Dovecot?
>
> Looks like, from the OpenSSL code's point of view, the same cert/key loading
> functions can simply be called multiple times. There's currently no way to
> trigger that in Dovecot. But maybe the single .pem file would happen to
> work as well? If not, this would need some config changes and I'm not sure
> what would be the nicest way..
>

Perhaps the same way as Postfix, with ssl_ecdsa_cert and ssl_ecdsa_key
parameters?
Anyway, this is not an urgent matter; it's just that now that Let's Encrypt
gives free RSA and EC certificates, I wanted to use them both :)


Re: Dual certificate

2016-03-02 Thread l...@airstreamcomm.net
Google multi-domain certificates.  Comodo sells a multi-domain wildcard
certificate that we use to host multiple SSL domains on Dovecot and Postfix
successfully.  You install the single certificate and reissue and reinstall
after adding a new domain.

> On Mar 2, 2016, at 2:02 AM, Jean-Baptiste Vignaud <flin...@gmail.com> wrote:
> 
> Hello all;
> 
> 
> Does anyone know if it's possible to have a dual certificate setup on
> Dovecot like in Postfix or Apache?
> 
> I tried to add several certs in the local_name section:
> 
> local_name imap.server.tdl {
>   ssl_cert = 
>   ssl_key = 
>   ssl_cert = 
>   ssl_key = 
> }
> 
> but it seems that Dovecot takes the last one (ECDSA) and that the RSA cert is
> not used.
> 
> 
> To check if both are working, I check with openssl:
> 
> openssl s_client -connect imap.server.tdl:143 -starttls imap \
>   -servername imap.server.tdl -cipher ECDHE-RSA-AES128-GCM-SHA256
> 
> for RSA, and
> 
> openssl s_client -connect imap.server.tdl:143 -starttls imap \
>   -servername imap.server.tdl -cipher ECDHE-ECDSA-AES128-GCM-SHA256
> 
> for ECDSA.
> 
> In Apache we have to duplicate the cert / key lines, one for RSA, one for
> ECDSA.
> 
> In Postfix, we have some specific ECDSA conf keys.
> 
> So is there a way to do the same in Dovecot?
> 


Re: Dual certificate

2016-03-02 Thread Timo Sirainen
On 02 Mar 2016, at 10:02, Jean-Baptiste Vignaud <flin...@gmail.com> wrote:
> 
> Hello all;
> 
> 
> Does anyone know if it's possible to have a dual certificate setup on
> Dovecot like in Postfix or Apache?
> 
> I tried to add several certs in the local_name section:
> 
> local_name imap.server.tdl {
>   ssl_cert = 
>   ssl_key = 
>   ssl_cert = 
>   ssl_key = 
> }
> 
> but it seems that Dovecot takes the last one (ECDSA) and that the RSA cert is
> not used.

Would it work if you had a single .pem file containing both certs and a single 
file containing both keys?

> In Apache we have to duplicate the cert / key lines, one for RSA, one for
> ECDSA.
> 
> In Postfix, we have some specific ECDSA conf keys.
> 
> So is there a way to do the same in Dovecot?

Looks like, from the OpenSSL code's point of view, the same cert/key loading
functions can simply be called multiple times. There's currently no way to
trigger that in Dovecot. But maybe the single .pem file would happen to work as
well? If not, this would need some config changes and I'm not sure what would
be the nicest way..
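
The two behaviours Timo mentions above (OpenSSL keeping one server certificate per key type when the loading functions are called more than once, and the single .pem file holding both certificates) can both be reproduced with OpenSSL's own s_server and s_client, using the cipher-suite probe from the original post. The script below is an added example, not code from this thread or from Dovecot; it assumes a local openssl CLI (1.1.1 or 3.x), that 127.0.0.1 ports 44330 and 44331 are free (override the first with DUAL_CERT_PORT), and it uses self-signed test certificates, so the probing client does not verify the chain.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot). Scenario 1 loads the
# RSA and ECDSA certificates with separate options (-cert/-key plus
# -dcert/-dkey, which is a second SSL_CTX_use_certificate call); scenario 2
# points -cert at a file holding both certificates. Assumes: openssl CLI,
# usable loopback ports, self-signed test certs (client does no verification).

PORT=${DUAL_CERT_PORT:-44330}      # scenario 1 (assumed free)
BUNDLE_PORT=$((PORT + 1))          # scenario 2 (assumed free)
RSA_SUITE=ECDHE-RSA-AES128-GCM-SHA256      # the suites used in the original post
ECDSA_SUITE=ECDHE-ECDSA-AES128-GCM-SHA256

# make_certs DIR: self-signed RSA-2048 and ECDSA P-256 test certificates, plus
# the concatenated variant (RSA cert first, ECDSA cert second) the thread tried.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=rsa-test \
        -keyout "$1/rsa.key" -out "$1/rsa.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key"
    openssl req -x509 -new -key "$1/ec.key" -days 1 -subj /CN=ecdsa-test \
        -out "$1/ec.crt" 2>/dev/null
    cat "$1/rsa.crt" "$1/ec.crt" > "$1/bundle.crt"
}

# start_server PORT CERT-OPTIONS...: background s_server on PORT and wait
# (up to 20 s) until it completes a TLS handshake.
start_server() {
    port=$1; shift
    openssl s_server -accept "$port" -www "$@" </dev/null >/dev/null 2>&1 &
    SERVER_PID=$!
    i=0
    while [ "$i" -lt 20 ]; do
        if openssl s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    echo "server did not come up on port $port" >&2
    return 1
}

stop_server() {
    if [ -n "${SERVER_PID:-}" ]; then
        kill "$SERVER_PID" 2>/dev/null || true
        wait "$SERVER_PID" 2>/dev/null || true
        SERVER_PID=
    fi
}

# served_key_algo PORT SUITE: offer exactly one TLS 1.2 suite and print the
# public key algorithm of the certificate the server presented (rsaEncryption
# or id-ecPublicKey), or "none" if the handshake failed. TLS 1.2 is pinned
# because under TLS 1.3 -cipher no longer selects the signature algorithm.
served_key_algo() {
    algo=$(openssl s_client -connect "127.0.0.1:$1" -tls1_2 -cipher "$2" \
               </dev/null 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null \
           | sed -n 's/.*Public Key Algorithm: *//p')
    if [ -n "$algo" ]; then echo "$algo"; else echo none; fi
}

# dual_cert_demo: run both scenarios, print one line per probe, return 0 only
# if scenario 1 served both key types and scenario 2 served only RSA.
dual_cert_demo() {
    dir=$(mktemp -d)
    make_certs "$dir"

    echo "== scenario 1: -cert/-key plus -dcert/-dkey =="
    start_server "$PORT" -cert "$dir/rsa.crt" -key "$dir/rsa.key" \
                         -dcert "$dir/ec.crt" -dkey "$dir/ec.key"
    sep_rsa=$(served_key_algo "$PORT" "$RSA_SUITE")
    sep_ec=$(served_key_algo "$PORT" "$ECDSA_SUITE")
    stop_server
    echo "$RSA_SUITE   -> $sep_rsa"
    echo "$ECDSA_SUITE -> $sep_ec"

    echo "== scenario 2: one bundle.crt holding both certificates =="
    start_server "$BUNDLE_PORT" -cert "$dir/bundle.crt" -key "$dir/rsa.key"
    bun_rsa=$(served_key_algo "$BUNDLE_PORT" "$RSA_SUITE")
    bun_ec=$(served_key_algo "$BUNDLE_PORT" "$ECDSA_SUITE")
    stop_server
    echo "$RSA_SUITE   -> $bun_rsa"
    echo "$ECDSA_SUITE -> $bun_ec"

    rm -rf "$dir"
    [ "$sep_rsa" = rsaEncryption ] && [ "$sep_ec" = id-ecPublicKey ] &&
    [ "$bun_rsa" = rsaEncryption ] && [ "$bun_ec" = none ]
}

# Usage: sh dual_cert_demo.sh run
case "${1:-}" in run) dual_cert_demo ;; esac
```

In scenario 1 the RSA probe is answered with the RSA certificate and the ECDSA probe with the EC certificate. In scenario 2 only the first certificate in the file becomes the server certificate (s_server reads one certificate from -cert; a chain-file loader would treat the rest as chain certificates instead), so no ECDSA certificate is registered and the ECDHE-ECDSA handshake fails with "none". To run the same probe against a TLS 1.3 server, drop -tls1_2 and restrict the offered signature algorithms with s_client's -sigalgs option instead of -cipher.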


Dual certificate

2016-03-02 Thread Jean-Baptiste Vignaud
Hello all;


Does anyone know if it's possible to have a dual certificate setup on
Dovecot like in Postfix or Apache?

I tried to add several certs in the local_name section:

local_name imap.server.tdl {
ssl_cert =