On Sun, Dec 31, 2006, M. Fioretti wrote:
> On Sun, Dec 31, 2006 00:59:54 AM +0100, Dr. Stephen Henson
> ([EMAIL PROTECTED]) wrote:
> >
> > Well the error you are getting is because the certificate
> > verification failed. One reason could be because the certs dir
> > isn't set up properly
>
> Sorry, what do you mean by "set up properly"? Some specific userid or
> something else?
>
> > or the self signed server certificate is not readable to the
> > fetchmail process.
>
> that dir and its files are world readable, I just checked.
>
> > A third possibility is that the server certificate has inappropriate
> > extensions.
>
> which extensions, exactly?
>
Well try the command:

openssl verify -purpose sslclient -CApath /path/to/certs_dir server.pem

with the appropriate filenames.

> > I looked at the document at:
> >
> > http://wanderingbarque.com/howtos/mailserver/mailserver.html
> >
> > it mentions how to generate a certificate but using the older CA.sh
> > shell script. The CA.pl perl script is the more up to date version.
>
> Weird. There is no such script in the official RPM for Centos 4.4:
>
> # rpm -q openssl
> openssl-0.9.7a-43.14
>
> Should I file a bug report somewhere??
>

That's a vendor-specific version of OpenSSL rather than an official release. There should be a script CA.pl.in which gets installed as CA.pl in the same location as CA.sh. You can get it from the official 0.9.7 distribution.

> > I can't see any mention of creating a self signed certificate there
> > other than as an indirect consequence of the -newca option. The
> > procedure there is to generate a root CA to sign other certificates
> > with.
> >
> > If you want to just generate a self signed certificate and key you
> > can use the single command:
> >
> > openssl req -x509 -out sscert.pem -new -nodes -keyout sskey.pem -days 3650
> >
>
> Hmmm, I see. So, if I cancel all the certs I've used so far and rerun
> that command on my server I should get _one_ couple {certificate /
> private key} which I can use for all these purposes:
>
> serve secure web pages from that server
> download email from that server via secure imap
> send email securely from my home mail client to the postfix running on
> that server
>
> right?
>

Well you don't need to "cancel" them as such, just stop using them. It is also a good idea to use different keys and certificates for different applications if possible, because if one is compromised then the others aren't.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
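The three things the reply above tells the poster to check, worked through as an added example that is not part of the thread and not OpenSSL project code: a certs directory laid out the way -CApath expects (hash-named files, not a bare copy of server.pem), the "openssl verify -purpose" command, and a certificate whose extensions make it unsuitable for the purpose it is checked against. It also does what the end of the reply recommends and generates a separate key pair per service. It assumes a modern OpenSSL (1.1.1 or later, for -addext; on the 0.9.7a build in the thread the extensions would have to go in a config file) and uses -purpose sslserver for a certificate a server presents; the hostnames, file names and the scratch directory are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ (for -addext).
# Hostnames, file names and the scratch directory are made up.
set -u

WORK="$(mktemp -d)"
CERTS_DIR="$WORK/certs"   # the directory a -CApath (or fetchmail's sslcertpath) points at
mkdir -p "$CERTS_DIR"
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed certificate plus private key for one service.
# Every service gets its own key, as the reply advises: if the IMAP key is
# compromised, the SMTP and HTTPS identities are unaffected.
#   $1 = base name for the files   $2 = DNS name   $3 = extendedKeyUsage value
gen_selfsigned() {
    name="$1" host="$2" eku="$3"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -addext "extendedKeyUsage=$eku" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Install a certificate into the -CApath directory. OpenSSL looks certificates
# up there by the hash of the subject name, so the file must be called
# <hash>.0 (<hash>.1, .2 ... when hashes collide). A server.pem merely copied
# into the directory is never found: that is one way a certs dir is not
# "set up properly", and verification fails although every file is readable.
install_ca() {
    hash="$(openssl x509 -in "$1" -noout -hash)"
    n=0
    while [ -e "$CERTS_DIR/$hash.$n" ]; do n=$((n + 1)); done
    cp "$1" "$CERTS_DIR/$hash.$n"
}

# The check from the reply. -purpose must match the role the certificate
# plays: sslserver for the certificate a mail or web server presents,
# sslclient for a client certificate. Prints "<file>: OK" or the verify
# error; the exit status is openssl's, so callers can branch on it.
check_purpose() {
    openssl verify -purpose "$1" -CApath "$CERTS_DIR" "$2" 2>&1
}

# Stand-alone walk-through.
gen_selfsigned imap imap.example.net serverAuth
gen_selfsigned smtp smtp.example.net serverAuth
gen_selfsigned bad  bad.example.net  clientAuth   # wrong EKU for a server certificate

echo "== before the certs dir is populated: the self-signed cert is not a known trust anchor"
check_purpose sslserver "$WORK/imap.pem" || true

install_ca "$WORK/imap.pem"
install_ca "$WORK/smtp.pem"
install_ca "$WORK/bad.pem"
ls "$CERTS_DIR"

echo "== after install: server certificates verify for sslserver"
check_purpose sslserver "$WORK/imap.pem" || true
check_purpose sslserver "$WORK/smtp.pem" || true

echo "== inappropriate extensions: a clientAuth-only certificate checked as an SSL server"
check_purpose sslserver "$WORK/bad.pem" || true
```

The first verify fails even though the certificate is perfectly readable, because nothing in the directory is named by subject hash; after install_ca the same command reports OK. The last one fails with a purpose error regardless of directory layout, which is the "inappropriate extensions" case: a certificate whose extendedKeyUsage does not include serverAuth will never verify for sslserver, and a serverAuth-only certificate likewise fails for sslclient, so pick the purpose that matches what the certificate is used for.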