I have that config working on rh7.2, but I didn't need the openssl s_client bit. As long as the cert+priv. key file's in the right place, it all worked (although I think I removed some of the read access on the directories as they seemed too lax). I can't remember where they should be at the moment, but they do need to have the right name too (imapd.pem, or similar).

I do have problems at the other end on Windows XP, but they're more pain in the bum than fatal.

tc

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Victor Danilchenko
> Sent: 15 August 2002 14:26
> To: [EMAIL PROTECTED]
> Subject: Re: Help with using SSL certificate with IMAP?..
>
> A followup:
>
> First of all, I forgot to mention the IMAP server type. It's UW IMAP 2001.
>
> Secondly, some time after I posted the message, I realized that I made a stupid error: of course both the private and the public keys are needed! But I originally was confused about the key generation process.
>
> Anyway, so I re-did the steps, generating the server private key, then the certificate request, then signing the request with my CA key and certificate. Then I concatenated the server private key and the certificate, emplacing the result as "imapd.pem" -- and nothing happens. Or rather, the IMAPD server does start up (instead of just refusing to run), but it does so rather uselessly: it doesn't actually *do* anything, not even establish the SSL connection:
>
> [root ssl.crt]# openssl s_client -connect somesystem:993
> CONNECTED(00000003)
>
> and that's where it freezes, sitting in place uselessly. The /var/log/messages contained nothing relating to the bad connections, and I could find no way to enable some sort of verbose or debug logging in UW imapd.
>
> Out of curiosity, I used the same .cnf file to generate a self-signed certificate; and that one worked like a charm, even including various extensions (cert type, x509 basic constraints, revocation URLs, etc.), so the problem doesn't seem to lie in a bad .cnf file. I am missing something obvious here, I suspect, and I don't know what it is.
>
> For reference, here is the full sequence of steps I took to generate the CA and the server certificate -- the one that doesn't work:
>
> 1) Generate CA private key (I tried both RSA and DSA, with the same lack of result):
> openssl genrsa -des3 -out ca.key 1024
>
> 2) Generate self-signed CA certificate:
> openssl req -new -x509 -days 400 -key ca.key -config ca.cnf -out ca.pem
>
> 3) Generate server private key:
> openssl genrsa -des3 -out cscf.key 1024
>
> 4) Generate certificate request:
> openssl req -new -key cscf.key -config cscf.cnf -out cscf.csr
>
> 5) Sign certificate request with our self-signed CA:
> openssl ca -cert ca.pem -keyfile ca.key -config cscf.cnf -in cscf.csr -out cscf.pem
>
> And when I cat together the resulting cscf.key and cscf.pem into imapd.pem, nothing happens -- the IMAPD server with this imapd.pem cert accepts connections, but doesn't do any SSL negotiations.
>
> Can anyone help?.. Please?
>
> On Wed, 14 Aug 2002, Victor Danilchenko wrote:
>
> > A newbie here... Some help is much needed.
> >
> > We are trying to set up our own CA; so I muddled through private key generation (DSA), CA generation, certificate request, and finally the leaf certificate signing. Now I am trying to test the setup: got Mozilla to accept the CA certificate, and I tried to configure IMAPS with the generated client cert -- and it doesn't work.
> >
> > IMAPS runs with the old self-signed certificate, but I obviously don't want to include the private key in the .pem file; and when I include only the certificate itself, IMAP simply refuses to run (I did trim the verbose info out of the .pem file, leaving only the certificate section -- it didn't help). The certificate in question is configured as a non-CA cert with 'Server,email' type.
> >
> > Does anyone have any idea about what is going on? Could the matter be helped by including various data from the configuration files or the certificates?
> > (I generated them all verbose, with '-text' option)? I include below the relevant info from the final .pem file; let me know if something else would help.
> >
> > Many thanks in advance.
> >
> > P.S. Is there a problem with not including the CN field in the self-signed CA certificate? I figured that CN makes no sense for a CA certificate, but I don't know much about SSL anyway...
> >
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number: 9 (0x9)
> >         Signature Algorithm: dsaWithSHA1
> >         Issuer: C=US, ST=Massachusetts, L=Amherst, O=University of Massachusetts/Amherst, OU=Department of Computer Science
> >         Validity
> >             Not Before: Aug 14 16:58:25 2002 GMT
> >             Not After : Aug 14 16:58:25 2003 GMT
> >         Subject: C=US, ST=Massachusetts, O=University of Massachusetts/Amherst, OU=Department of Computer Science, CN=(loki.|mail.|www.|)cs.umass.edu, CN=loki.cs.umass.edu, CN=mail.cs.umass.edu, CN=www.cs.umass.edu, CN=cs.umass.edu
> >         Subject Public Key Info:
> >             Public Key Algorithm: dsaEncryption
> >         X509v3 extensions:
> >             X509v3 Subject Key Identifier:
> >                 DB:F9:ED:42:4E:B9:D8:32:92:32:A4:85:B9:23:55:57:A9:D9:94:DA
> >             X509v3 Authority Key Identifier:
> >                 keyid:DB:F9:ED:42:4E:B9:D8:32:92:32:A4:85:B9:23:55:57:A9:D9:94:DA
> >                 DirName:/C=US/ST=Massachusetts/L=Amherst/O=University of Massachusetts/Amherst/OU=Department of Computer Science
> >                 serial:00
> >             Netscape Cert Type:
> >                 SSL Server, S/MIME
> >             X509v3 Basic Constraints:
> >                 CA:FALSE
> >             Netscape CA Revocation Url:
> >                 https://loki.cs.umass.edu/cert-info/ca.crl
> >             Netscape Revocation Url:
> >                 https://loki.cs.umass.edu/cert-info/cert.crl
> >     Signature Algorithm: dsaWithSHA1
> >
> --
> | Victor Danilchenko       +---------------------+
> | [EMAIL PROTECTED]        | He who laughs last, |
> | CSCF | 5-4231            | thinks slowest.     |
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                          [EMAIL PROTECTED]
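The whole procedure Victor describes (CA key and self-signed CA cert, server key and CSR, signing, then concatenating key and certificate into imapd.pem), as an added example that is not code from the thread. File names and subjects are constructed; it signs the CSR with `openssl x509 -req`, which needs no CA database, instead of his `openssl ca`, writes the keys without `-des3` since a daemon started at boot has nobody to type a passphrase, and checks the result with `openssl verify` plus a content check rather than a live `s_client` connection.

```shell
#!/bin/sh
# Added example, not from the thread: build a combined key+cert PEM the way the
# poster describes, then check it before handing it to a daemon.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch directory; all file names below are constructed

# CA key + self-signed CA cert, server key + CSR, then sign the CSR.
# Differences from the poster's steps: keys are written unencrypted (a daemon
# started at boot has nobody to type a -des3 passphrase), and the CSR is signed
# with `openssl x509 -req`, which needs no CA database, instead of `openssl ca`.
make_imapd_pem() {
    dir=$1
    (
        cd "$dir"
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 400 -key ca.key \
            -subj "/C=US/O=Example/CN=Example Test CA" -out ca.pem 2>/dev/null
        openssl genrsa -out cscf.key 2048 2>/dev/null
        openssl req -new -key cscf.key \
            -subj "/C=US/O=Example/CN=imap.example.test" -out cscf.csr 2>/dev/null
        openssl x509 -req -days 365 -in cscf.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -out cscf.pem 2>/dev/null
        # Server file is key followed by certificate; readable by its owner only.
        umask 077
        cat cscf.key cscf.pem > imapd.pem
    )
}

# Check a combined PEM the way a daemon will see it: exactly one private key,
# not passphrase-protected, and at least one certificate. Returns 0 when OK.
check_imapd_pem() {
    f=$1
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    enc=$(grep -c ENCRYPTED "$f" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] && [ "$enc" -eq 0 ]
}

# Confirm the leaf really chains to the CA that is supposed to have signed it.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/cscf.pem" >/dev/null 2>&1
}

make_imapd_pem "$WORK"
check_imapd_pem "$WORK/imapd.pem" && verify_chain "$WORK" && echo "imapd.pem OK"
```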