On Thu, 2009-07-30 at 20:37 +0300, Evaggelos Balaskas wrote:
> openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days
> 1825

I guess this is ok, but to prevent confusion let's say these were
client.crt and client.key instead.

> # Country Name (2 letter code) [AU]:GR
> # State or Province Name (full name) [Some-State]:Athens
> # Locality Name (eg, city) []:Aigaleo
> # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
> # Organizational Unit Name (eg, section) []:Mail Apps
> # Common Name (eg, YOUR name) []:myhome
> # Email Address []:ebalas...@ebalaskas.gr
>
> openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \
> -name "dovecot Certificate Client" -out dovecot.p12

Again client.crt, client.key here.

> openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out
> dovecot.crl -selfsign

What do you do with the dovecot.crl here? It's a client CRL and unless
you add it to Dovecot's CRL list it's not necessary. Also the -selfsign
is ignored..

> I've imported the dovecot.p12 to thunderbird certificates and
> dovecot.crt to thunderbird authorities
> (I've tried claws mail too - same errors)

OK.

> ssl_ca_file: /opt/certificates/dovecot/dovecot.crl

This is probably where the problem is. This file must contain the CA
certificate and the CRL, not just the CRL. And initially the CRL should
be empty.

> ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
> ssl_key_file: /opt/certificates/dovecot/dovecot.key

And I hope these dovecot.* files aren't the same you just generated for
the client?
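The layout the reply asks for, as an added shell example that is not part of this thread or of Dovecot: a CA with its own key pair (separate from the server's), a client certificate signed by that CA instead of self-signed, an initially empty CRL issued by the CA, and an ssl_ca_file made of the CA certificate followed by the CRL. The CA name, file names, and the minimal OpenSSL config sections are assumptions; the last function shows that a file holding only the CRL, as in the thread's ssl_ca_file, cannot validate the client certificate.

```shell
# Builds a separate CA, a CA-signed client cert, an empty CRL and the combined ssl_ca_file.
set -e
WORK="${1:-$(mktemp -d)}"
cd "$WORK"
build_ca_bundle() {
  # Minimal config: [req] sections for certificate creation, [ca] section for -gencrl.
  mkdir -p ca && : > ca/index.txt && echo 01 > ca/crlnumber
  cat > ca/ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = ./ca
database = $dir/index.txt
crlnumber = $dir/crlnumber
private_key = $dir/ca.key
certificate = $dir/ca.crt
default_md = sha256
default_crl_days = 30
EOF
  # 1. The CA's own key pair and self-signed certificate (not the server's dovecot.key/crt).
  openssl req -config ca/ca.cnf -new -x509 -nodes -newkey rsa:2048 \
    -keyout ca/ca.key -out ca/ca.crt -days 1825 -subj "/CN=Example Mail CA"
  # 2. The client's key and CSR, signed by the CA rather than self-signed.
  openssl req -config ca/ca.cnf -new -nodes -newkey rsa:2048 \
    -keyout client.key -out client.csr -subj "/CN=myhome"
  openssl x509 -req -in client.csr -CA ca/ca.crt -CAkey ca/ca.key \
    -CAcreateserial -out client.crt -days 365
  # 3. An initially empty CRL issued by the CA (index.txt has no revoked entries yet).
  openssl ca -config ca/ca.cnf -gencrl -out ca/ca.crl
  # 4. What ssl_ca_file should contain: the CA certificate, then the CRL.
  cat ca/ca.crt ca/ca.crl > ssl_ca_file.pem
}
# Returns 0 when the client cert chains to the CA and passes the CRL check.
verify_client() {
  openssl verify -crl_check -CAfile ssl_ca_file.pem client.crt >/dev/null 2>&1
}
# Returns 0 when a file holding only the CRL (the thread's mistake) is rejected.
crl_only_rejected() {
  ! openssl verify -crl_check -CAfile ca/ca.crl client.crt >/dev/null 2>&1
}
```

Point ssl_ca_file at the produced ssl_ca_file.pem and keep ssl_cert_file/ssl_key_file on the server's own pair; the client gets client.key/client.crt (or a PKCS#12 built from them).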