Koozali.org: home of the SME Server

E-Mail CA Signed SSL Cert

Offline bubbers214

E-Mail CA Signed SSL Cert
« on: July 31, 2006, 11:58:01 PM »
I have purchased a CA Cert from Godaddy and they have an intermediate cert that you must install.  I have followed the instructions from this site

http://no.longer.valid/phpwiki/index.php/Creating%20a%20CA%20signed%20SSL%20Certificate

I had to add the ChainFile command to the httpd.conf file for the certificate to be trusted.  That works just fine for apache, but my mail is still saying the cert is untrusted.  How do I install the intermediate certificate into the mail program?  Thanks.

Offline william_syd

Re: E-Mail CA Signed SSL Cert
« Reply #1 on: August 02, 2006, 01:51:06 AM »
Quote from: "bubbers214"
I have purchased a CA Cert from Godaddy and they have an intermediate cert that you must install.  I have followed the instructions from this site

http://no.longer.valid/phpwiki/index.php/Creating%20a%20CA%20signed%20SSL%20Certificate

I had to add the ChainFile command to the httpd.conf file for the certificate to be trusted.  That works just fine for apache, but my mail is still saying the cert is untrusted.  How do I install the intermediate certificate into the mail program?  Thanks.


I can't answer your question but I have one for you.

Did the httpd.conf file that you altered have a warning at the top.... something like...
Code:
#------------------------------------------------------------
#       !!DO NOT MODIFY THIS FILE!!

?

On a side note..
Code:
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt


Did you do the first or second method ?
Regards,
William

IF I give advice.. It's only if it was me....

Offline bubbers214

Re: E-Mail CA Signed SSL Cert
« Reply #2 on: August 03, 2006, 12:25:06 AM »
Quote from: "william_syd"

On a side note..
Code:
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt

Did you do the first or second method ?

That is exactly what I used.  However, I didn't actually modify the httpd.conf file as it would be overwritten every time the server was restarted.  Instead I created a template to add that line to the httpd.conf file.

Offline william_syd

Re: E-Mail CA Signed SSL Cert
« Reply #3 on: August 03, 2006, 02:08:46 AM »
Quote from: "bubbers214"

That is exactly what I used.  However, I didn't actually modify the httpd.conf file as it would be overwritten every time the server was restarted.  Instead I created a template to add that line to the httpd.conf file.

Yes, I was concerned that you would lose it next time the httpd.conf was regenerated.

There are two methods in that paragraph...

Code:
Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate.

and

Code:
Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
Regards,
William


Offline bubbers214

Re: E-Mail CA Signed SSL Cert
« Reply #4 on: August 03, 2006, 04:48:24 AM »
Quote from: "william_syd"

Code:
Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate.

Whoops, apparently I wasn't paying attention.  This top method is the method that I used.

Offline william_syd

Re: E-Mail CA Signed SSL Cert
« Reply #5 on: August 03, 2006, 04:54:42 AM »
Quote from: "bubbers214"

Whoops, apparently I wasn't paying attention.  This top method is the method that I used.

I've got no experience with intermediate certificates but I wonder if the bottom method might assist with your email problems, as in append your intermediate cert to your server cert and place this combined cert where your server cert is now.
Regards,
William


Offline bubbers214

E-Mail CA Signed SSL Cert
« Reply #6 on: August 03, 2006, 07:20:08 AM »
I combined the two using

Code:
cat public.crt intermediate.crt > combined.crt

It works for http (which it did before); it still, however, does not solve my email problem, unfortunately.

Offline william_syd

E-Mail CA Signed SSL Cert
« Reply #7 on: August 03, 2006, 08:34:35 AM »
Quote from: "bubbers214"
I combined the two using

Code:
cat public.crt intermediate.crt > combined.crt

It works for http (which it did before); it still, however, does not solve my email problem, unfortunately.

Unfortunate.

Oh well.. time to take it to the Bug Tracker. I'm sure a SME guru will comment on it then.
Regards,
William


Offline william_syd

E-Mail CA Signed SSL Cert
« Reply #8 on: August 07, 2006, 09:54:37 AM »
Something interesting I found elsewhere....

Quote
Now for a small caveat - this all assumes your certificate was signed by a root certificate authority. In some cases, the CA which signed your certificate is not a root CA, but is a CA signed by a CA (or signed by a CA who was signed by a CA who is a root CA, etc.) This is often known as a chained certificate, or a ca-bundle.

What makes things tricky is that the remote client will look at your certificate, and try to verify it against the root CAs it knows about. If there is an intermediate CA between you and the CA the client knows about, it will need this certificate to successfully verify your certificate. As such, the server needs to not only provide clients with its own certificate, but also those of the intermediate CAs.

In the UW-IMAP server, this is achieved by appending all intermediate certificates to the file containing your own certificate, with the highest-level certificate last. (The root certificate is not required, as the client already has it.) With this information added, your imapd.pem now looks like this:

-----BEGIN RSA PRIVATE KEY-----
ABCDEF......
  rest of key encoded here
....XYZ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
ABCDE......
  rest of certificate encoded here
....XYZ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ABCDE......
  rest of intermediate certificate used to sign previous one encoded here
  (i.e. the certificate of your CA, which is itself signed by a root CA)
....XYZ=
-----END CERTIFICATE-----


Now, SMEserver 7 uses sslio to do the secure imap stuff.

Have a look here...

Code:
/var/service/imaps/run
and
Code:
/var/service/imap/ssl/imapd.pem


The question is how does imapd.pem get created?
Regards,
William


Offline william_syd

E-Mail CA Signed SSL Cert
« Reply #9 on: August 10, 2006, 02:59:28 AM »
Been thinking about this again...

1. Make your server key as per the how-to.
2. Make your server crt as per the how-to.
3. Add your intermediate cert to the end of the server cert.
4. Use the db commands per the how-to to set the location of the crt/key files.
5. Use your custom-template to point the SSLCertificateChainFile directive to the server certificate.
6. Delete /var/service/imap/ssl/imapd.pem
7. Do the post-upgrade and reboot event commands.
Regards,
William

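The imapd.pem layout quoted in Reply #8 (key, then server certificate, then intermediate, root left out) and the "add your intermediate cert to the end of the server cert" step above, as an added example that is not from the thread or from SME Server: a POSIX shell script that assembles the bundle in that order, checks that every certificate block is followed by its issuer, and validates the result with openssl. It assumes openssl(1) is installed; the file names are hypothetical and the throwaway root/intermediate/server chain is constructed here for the example.

```shell
#!/bin/sh
# Added example (not from the thread or SME Server); needs openssl(1) on PATH.
# File names are hypothetical; make_test_chain constructs a throwaway chain.
set -e

# build_mail_pem KEY SERVER_CRT INTERMEDIATE_CRT OUT
# Order per the quoted UW-IMAP layout: key, server cert, intermediate last. The root CA is left out: the client has it.
build_mail_pem() {
    cat "$1" "$2" "$3" > "$4"
    chmod 600 "$4"                 # the bundle carries the private key
}

# chain_order_ok PEM: succeeds when PEM holds at least two certificate blocks
# and each block's issuer is the subject of the block after it (leaf first).
chain_order_ok() {
    d=$(mktemp -d); rc=0
    # split certificate blocks into 1.crt, 2.crt, ...; the key block is skipped
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".crt")}' "$1"
    n=$(ls "$d" | wc -l | tr -d ' '); i=1
    [ "$n" -ge 2 ] || rc=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$d/$i.crt" | sed 's/^issuer= *//')
        subject=$(openssl x509 -noout -subject -in "$d/$((i+1)).crt" | sed 's/^subject= *//')
        [ "$issuer" = "$subject" ] || rc=1     # wrong order or a missing link
        i=$((i+1))
    done
    rm -rf "$d"; return $rc
}

# make_test_chain DIR: constructed root -> intermediate -> server chain that
# stands in for the CA-issued certificates discussed in the thread.
make_test_chain() (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=TestRoot -keyout root.key -out root.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=TestIntermediate -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -days 2 -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -out intermediate.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=mail.example.test -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -days 2 -in server.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out server.crt 2>/dev/null
)

# demo: build the bundle, check its order, then prove the chain validates
demo() {
    w=$(mktemp -d); make_test_chain "$w"
    build_mail_pem "$w/server.key" "$w/server.crt" "$w/intermediate.crt" "$w/imapd.pem"
    if chain_order_ok "$w/imapd.pem"; then echo "imapd.pem: certificate order OK"; else echo "imapd.pem: certificate order WRONG"; fi
    openssl verify -CAfile "$w/root.crt" -untrusted "$w/intermediate.crt" "$w/server.crt"
    rm -rf "$w"
}
demo
```

A client that only trusts the root still needs the intermediate from the server, so the openssl verify line mirrors what a mail client does when it is handed the bundle.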