Mailinglist Archive: opensuse (982 mails)

Re: [opensuse] When connecting to my own dovecot server, Alpine complains that it is using self-signed certificates.
On 09/01/2014 01:05 PM, Carlos E. R. wrote:
> On 2014-09-01 19:38, Per Jessen wrote:
>> Carlos E. R. wrote:
>>
>>> What I need now is to create a "Certificate Signing Request" from the
>>> already existing dovecot server certificate, or create a new dovecot
>>> certificate together with the corresponding CSR.
>>
>> I go through that every time I install a new HP server. The certificate is
>> issued by a card on the server (ILO card). I then sign it:
>>
>> openssl ca -policy policy_anything -days 3650 -in server-ilo.csr -out server-ilo.crt
>
> Not that.
>
> Apparently I have to do something like this:
>
> openssl req -new -keyout server.key -out server.csr
>
> But that creates the key anew. I would have to find a concoction that
> given the existing server.key generates the server.csr. I need to
> produce the server.csr. I don't have it. What I have is
> /etc/ssl/dovecot.pem and /etc/ssl/private/dovecot.pem.
>
> Alternatively I run again the /usr/share/doc/packages/dovecot/mkcert.sh
> script changing it appropriately so that it also generates a dovecot.csr
> file. The current code is this:
>
> $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG \
> -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
> chmod 0600 $KEYFILE
> echo
> $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2




Carlos,

I automated this process such that all keys, signing reqs, and cert files are generated (it also used to set the a2en flag for opensuse http/ssl). It has been adapted several times, and don't forget to change the config information in the middle of the script (or your certs will be issued by me :). Give it a look and a run. It's all you need to configure yourself with self-signed certs:

http://www.3111skyline.com/dl/dev/scr/arch/apache-ssl-Arch

Read through it first. Confirm the paths you want, etc. At one point during csr creation you provide a temp password. It can be anything like tmp, it doesn't matter, that is removed later in the script (so you are not prompted on each httpd start). Once you add the config info of your own, then it is as simple as ./apachessl www.yourcn.com

and all will be done :)



--
David C. Rankin, J.D.,P.E.
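
Added example (not from the thread, from mkcert.sh, or from the script linked above): the step asked about in the quoted message, a CSR for a private key that already exists, is done with `openssl req -new -key` instead of `-keyout`. The file names, subjects, temp directory and throwaway CA are constructed for the demonstration; the checks confirm the key was reused and that the signed certificate chains to the CA.

```shell
#!/bin/sh
# Added example; file names, subjects and the temp directory are constructed.

# Build a CSR from a key that already exists (-key), instead of -keyout,
# which would generate a fresh key. $1=key  $2=subject  $3=CSR to write
csr_from_existing_key() {
    openssl req -new -key "$1" -subj "$2" -out "$3"
}

# Print a SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_hash() {   # $1 = key|csr|cert   $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256
}

demo() {
    d=$(mktemp -d) || return 1
    # Stand-in for the existing key and self-signed cert, made the way the
    # quoted mkcert.sh does (req -new -x509 -nodes).
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=imap.example.test" \
        -keyout "$d/dovecot.key" -out "$d/selfsigned.pem" 2>/dev/null || return 2
    chmod 0600 "$d/dovecot.key"
    # Throwaway local CA standing in for the CA that will sign the CSR.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=Example Local CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 2
    csr_from_existing_key "$d/dovecot.key" "/CN=imap.example.test" \
        "$d/dovecot.csr" || return 3
    # CA side: sign the request (x509 -req used here in place of `openssl ca`,
    # which needs a CA database set up in openssl.cnf).
    openssl x509 -req -in "$d/dovecot.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/dovecot.pem" 2>/dev/null || return 4
    # The key was reused: old cert and new cert carry the same public key.
    h=$(pubkey_hash key "$d/dovecot.key")
    [ "$h" = "$(pubkey_hash cert "$d/selfsigned.pem")" ] || return 5
    [ "$h" = "$(pubkey_hash cert "$d/dovecot.pem")" ] || return 5
    # The new certificate chains to the CA a mail client would be told to trust.
    openssl verify -CAfile "$d/ca.pem" "$d/dovecot.pem" >/dev/null 2>&1 || return 6
    rm -rf "$d"
}

demo && echo "CSR built from the existing key, signed, and verified"
```

With the real files, the same `req -new -key` call would take /etc/ssl/private/dovecot.pem as the key, and the client then needs the CA certificate, not the server certificate, in its trust store.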