Package: uw-imapd
Version: 7:2002edebian1-11sarge1
Severity: minor
Tags: patch

Hi,

I recently configured UW IMAPD to use a "real" SSL certificate signed by
my own CA.  However, I found the process a little confusing, mostly
because I wasn't sure how to create the new PEM file in
/etc/ssl/imapd.pem. 

Would you mind including a few paragraphs on this subject in
README.Debian?  I have taken a first pass at describing what to do, and
the results are in the attached patch.  You can feel free to modify it
as you wish.

Thanks,

KEN


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en, LC_CTYPE=en_US (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)

Versions of packages uw-imapd depends on:
ii  debconf          1.4.30.13               Debian configuration management sy
ii  libc-client2002e 7:2002edebian1-11sarge1 UW c-client library for mail proto
ii  libc6            2.3.2.ds1-22            GNU C Library: Shared libraries an
ii  libcomerr2       1.37-2sarge1            common error description library
ii  libkrb53         1.3.6-2sarge2           MIT Kerberos runtime libraries
ii  libpam-runtime   0.76-22                 Runtime support for the PAM librar
ii  libpam0g         0.76-22                 Pluggable Authentication Modules l
ii  libssl0.9.7      0.9.7e-3                SSL shared libraries
ii  netbase          4.21                    Basic TCP/IP networking system
ii  openssl          0.9.7e-3                Secure Socket Layer (SSL) binary a

-- debconf information:
* uw-imapd/force_debconf_choice: true
* uw-imapd/protocol: imaps

-- 
Kenneth J. Pronovici <[EMAIL PROTECTED]>
--- README.Debian       2005-10-23 23:48:35.505974608 -0500
+++ README.Debian.new   2005-10-24 00:05:11.143614680 -0500
@@ -16,6 +16,32 @@
 in the openssl package to generate your own.
 
 
+Using a real SSL certificate
+============================
+
+If you already have your own SSL certificate, either one from Verisign or one
+signed by your own CA (certificate authority), using your certificate with UW
+IMAPD is easy.  A PEM file is simply the combination of a key and a
+certificate, and you already have both.
+
+First, you must make sure to use your "insecure" server key, and not the
+original key that has a passphrase associated with it.  If you use the original
+key, client connections will hang, and you will end up with a lot of "stuck"
+imapd processes all waiting for passphrase input that will never arrive.  If
+you don't have an "insecure" server key available, generate one using a command
+something like this (and protect it with sensible permissions):
+
+   openssl rsa -in server.key -out insecure.key
+
+To generate the PEM file, take your "insecure" server key and and cat that
+together with your server certificate, something like this:
+
+   cat server.crt insecure.key > imapd.pem
+
+Of course, you will have to repeat this step each time your server certificate
+changes (for instance, when it expires and is re-issued).
+
+
 Authentication
 ==============
 
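Review bot: The `cat server.crt insecure.key > imapd.pem` step leaves the resulting file's permissions unaddressed: the only reminder about permissions is the parenthetical attached to the `openssl rsa` command, which covers insecure.key but not imapd.pem, even though imapd.pem also holds the passphrase-less private key. As written, imapd.pem is created under whatever umask is in effect and may end up readable by other local users. Suggest telling the reader to set a restrictive umask before running both commands, or to chmod the result so that only the account imapd runs as can read it, and to remove or equally protect the leftover insecure.key once the PEM file is built. Two smaller points: "and and" in the paragraph introducing the cat command is a typo, and "sensible permissions" would be clearer if it named the intended mode and owner.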
