On Fri, 20 Dec 2002, Andy Mell wrote:
> Might seem obvious to you, but the documentation I was reading implied
> that certificates were picked up from /usr/local/ssl/certs by default and
> the full path was not required.
Noted for emphasis in the Exim manual.
> This TLS/SSL really isnt documented very well is it.
Nope.
> The next problem I had was when STARTTLS was sent, the server asked for
> the PEM Passphrase, which broke the SMTP dialogue somewhat. Nowhere does
> it say in any docs that the private key has to be unencrypted... Most
> recommend that it is encrypted. Once that was fixed it worked.
In the Exim manual, I say this:
------------------------------------------------------------------------------
You can create a self-signed certificate using the "req" command provided with
OpenSSL, like this:
openssl req -x509 -newkey rsa:1024 -keyout file1 -out file2 \
-days 9999 -nodes
file1 and file2 can be the same file; the key and the certificate are
delimited and so can be identified independently. The -days option specifies a
period for which the certificate is valid. The -nodes option is important: if
you do not set it, the key is encrypted with a passphrase that you are
prompted for, and any use that is made of the key causes more prompting for
the passphrase. This is not helpful if you are going to use this certificate
and key in an MTA, where prompting is not possible.
------------------------------------------------------------------------------
Maybe I should emphasize that bit about the passphrase some more as well...
> The next problem I had was certificate chains to establish trust to the
> root CA did not work. I established that each certificate must have one
> line in between each begin and end statement, and they need to be in the
> right order, server certificate first, root CA last. The line between
> each certificate in the chain wasnt documented anywhere.
Didn't know about the blank line, but again, the Exim manual says:
------------------------------------------------------------------------------
Multiple certificates must be in the correct order in the file. First the |
host's certificate itself, then the first intermediate certificate to validate |
the issuer of the host certificate, then the next intermediate certificate to |
validate the issuer of the first intermediate certificate, and so on, until |
finally (optionally) the root certificate.
------------------------------------------------------------------------------
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
