On 19/01/11 19:07 +0100, Marcus Schopen wrote:
>Hi,
>
>I've to build a new SSL certificate for my cyrus 2.2.13. I'm using a
>Thawte SSL123 certificate. Since the CAs changed to intermediate
>certificates, I'd like to be sure to do the right steps for an update
>and not running into problems with imaps and pop3s clients:
>
>1. modify /etc/imapd.conf. Using tls_ca_file for the intermediate
>certificate file:
>
> tls_cert_file: /etc/mail/tls/mx.myserver.de.thawte.crt
> tls_key_file: /etc/mail/tls/mx.myserver.de.thawte.key
> tls_ca_file: /etc/ssl/certs/SSL123_CA_Bundle.pem
> tls_ca_path: /etc/ssl/certs

We use Digicert here, which uses an intermediate certificate. Our
configuration is the same:

  tls_cert_file: /etc/ssl/certs/file.crt
  tls_key_file: /etc/ssl/private/file.key
  tls_ca_file: /etc/ssl/certs/DigiCertCA.crt
  tls_ca_path: /etc/ssl/certs

> I've found a howto on the thawte.nl website
>
> http://www.thawte.nl/fr/support/manuals/cyrus/cyrus+imap+server/install+certificate/
>
> which puts private key, certification and the intermediate certificate
>file in one .pem file and uses this combined file for tls_cert_file,
>tls_key_file and tls_ca_file. Good way?

We have not had to do that.

>4. do I have to remove /var/lib/cyrus/tls_sessions.db ?

I don't think so. We've renewed/reinstalled our certificate a couple of
times over the years and have not had to do anything but a restart.

A restart may not even be necessary if both the old and new certificates
are valid, and your imapd sessions cycle out over time (via timeout, or
the -U option).

-- 
Dan White
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
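
An added example, not part of the original thread: a pre-restart check of the files that tls_cert_file, tls_key_file and tls_ca_file point at, run here against a throwaway root/intermediate/leaf chain constructed in a temp directory. It assumes clients trust only the root CA and depend on the server supplying the intermediate; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Build a constructed three-level chain (root -> int -> leaf) in directory $1.
make_chain() (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf &&
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Root CA" -days 2 -keyout root.key -out root.pem &&
    for n in int leaf; do
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=constructed-$n" -keyout $n.key -out $n.csr || exit 1
    done &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.cnf -extensions v3_ca -days 2 -out int.pem &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out leaf.pem
) >/dev/null 2>&1

# chain_ok CERT ROOT [INTERMEDIATES]
# Succeeds if CERT verifies up to ROOT, using INTERMEDIATES (the bundle that
# would go in tls_ca_file) as untrusted helper certificates when given.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# key_matches CERT KEY
# Succeeds if the private key in KEY belongs to the certificate in CERT
# (the tls_cert_file / tls_key_file pair), by comparing their public keys.
key_matches() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Demonstration on the constructed chain.
demo=$(mktemp -d) && make_chain "$demo" && {
    chain_ok "$demo/leaf.pem" "$demo/root.pem" "$demo/int.pem" &&
        echo "leaf + intermediate bundle: chain verifies"
    chain_ok "$demo/leaf.pem" "$demo/root.pem" ||
        echo "leaf alone: chain does NOT verify (intermediate missing)"
    key_matches "$demo/leaf.pem" "$demo/leaf.key" && echo "key matches certificate"
    rm -rf "$demo"
}
```

Against real files, pass the server certificate, the CA's root certificate and the intermediate bundle to chain_ok, and the certificate and key to key_matches, before restarting cyrus.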