On Wednesday, 19.01.2011, 12:53 -0600, Dan White wrote:
> On 19/01/11 19:07 +0100, Marcus Schopen wrote:
> >Hi,
> >
> >I have to build a new SSL certificate for my cyrus 2.2.13. I'm using a
> >Thawte SSL123 certificate. Since the CAs changed to intermediate
> >certificates, I'd like to be sure to do the right steps for an update
> >and not run into problems with imaps and pop3s clients:
> >
> >1. modify /etc/imapd.conf. Using tls_ca_file for the intermediate
> >certificate file:
> >
> >  tls_cert_file: /etc/mail/tls/mx.myserver.de.thawte.crt
> >  tls_key_file: /etc/mail/tls/mx.myserver.de.thawte.key
> >  tls_ca_file: /etc/ssl/certs/SSL123_CA_Bundle.pem
> >  tls_ca_path: /etc/ssl/certs
>
> We use Digicert here, which uses an intermediate certificate. Our
> configuration is the same:
>
> tls_cert_file: /etc/ssl/certs/file.crt
> tls_key_file: /etc/ssl/private/file.key
> tls_ca_file: /etc/ssl/certs/DigiCertCA.crt
> tls_ca_path: /etc/ssl/certs
>
> > I've found a howto on the thawte.nl website
> >
> > http://www.thawte.nl/fr/support/manuals/cyrus/cyrus+imap+server/install
> >+certificate/
> >
> > which puts private key, certificate and the intermediate certificate
> >file in one .pem file and uses this combined file for tls_cert_file,
> >tls_key_file and tls_ca_file. Good way?
>
> We have not had to do that.
>
> >4. do I have to remove /var/lib/cyrus/tls_sessions.db ?
>
> I don't think so. We've renewed/reinstalled our certificate a couple of
> times over the years and have not had to do anything but a restart. A
> restart may not even be necessary if both the old and new certificates are
> valid, and your imapd sessions cycle out over time (via timeout, or the -U
> option).

That is an interesting point. I try to avoid a restart as often as I can.
Did you or someone else test a change without a restart?

Ciao,
Marcus

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
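A local sanity check for the tls_cert_file / tls_key_file / tls_ca_file trio discussed in the thread, added here as an example; it is not part of the thread, of the Thawte howto, or of Cyrus itself. Before restarting imapd (or waiting for sessions to cycle out), the two things that actually break imaps/pop3s clients can be tested offline with openssl: that the private key belongs to the new certificate, and that the certificate chains through the intermediate bundle to a root the clients trust. The script builds a throwaway root -> intermediate -> leaf chain as constructed demo data (EC keys for speed, not a real Thawte or DigiCert chain); the file names, the `mx.example.test` host name and the helper names `check_cyrus_tls` and `make_demo_pki` are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Cyrus.
# Checks a Cyrus tls_cert_file / tls_key_file / tls_ca_file set the way a
# client would see it, using only openssl, before any imapd restart.
set -e

# check_cyrus_tls CERT KEY INTERMEDIATE_BUNDLE TRUSTED_ROOT
# Returns 0 when
#   (a) KEY is the private key for CERT (same public key), and
#   (b) CERT chains via the certificates in INTERMEDIATE_BUNDLE (what you
#       would put in tls_ca_file) up to TRUSTED_ROOT (what the client trusts,
#       e.g. something under tls_ca_path / the system store).
# Returns 1 with a reason on stderr otherwise.
check_cyrus_tls() {
    cert=$1; key=$2; bundle=$3; root=$4

    # (a) hash the public key embedded in the cert and the one derived from
    #     the private key; they must be byte-for-byte identical
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "tls_key_file does not match tls_cert_file" >&2
        return 1
    fi

    # (b) build the chain exactly as a client does: the bundle is untrusted
    #     glue, only the root is trusted. A bundle that is missing the
    #     intermediate fails here even though the leaf itself is fine.
    if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$cert" >/dev/null 2>&1; then
        echo "tls_cert_file does not chain to a trusted root via tls_ca_file" >&2
        return 1
    fi
    return 0
}

# make_demo_pki DIR
# Constructed demo data for this example: a self-signed root, an
# intermediate CA signed by it, a server leaf signed by the intermediate,
# and an unrelated key that does NOT belong to the leaf.
make_demo_pki() {
    d=$1
    mkdir -p "$d"
    # minimal req config so the demo does not depend on the system openssl.cnf
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mx.example.test\n' > "$d/leaf.ext"

    # root: CSR + self-signature with CA extensions
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$d/req.cnf" -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

    # intermediate, signed by the root
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$d/req.cnf" -subj "/CN=Demo Intermediate" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null

    # server leaf, signed by the intermediate (this is the "tls_cert_file")
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$d/req.cnf" -subj "/CN=mx.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null

    # a key that was never used for leaf.crt, to exercise the mismatch branch
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$d/wrong.key" 2>/dev/null
}

# Demo run: the same three checks you would run against the real files,
# e.g. check_cyrus_tls /etc/mail/tls/mx.myserver.de.thawte.crt \
#          /etc/mail/tls/mx.myserver.de.thawte.key \
#          /etc/ssl/certs/SSL123_CA_Bundle.pem /etc/ssl/certs/<root>.pem
demo=$(mktemp -d)
make_demo_pki "$demo"
check_cyrus_tls "$demo/leaf.crt" "$demo/leaf.key" "$demo/inter.crt" "$demo/root.crt" \
    && echo "good chain: key matches, leaf -> intermediate -> root verifies"
check_cyrus_tls "$demo/leaf.crt" "$demo/wrong.key" "$demo/inter.crt" "$demo/root.crt" \
    || echo "rejected as expected: wrong private key"
check_cyrus_tls "$demo/leaf.crt" "$demo/leaf.key" "$demo/root.crt" "$demo/root.crt" \
    || echo "rejected as expected: bundle without the intermediate"
rm -rf "$demo"
```

The third case is the one the thread is really about: when a CA moves to intermediates, the leaf and key are fine on their own, yet a client that does not already carry the intermediate fails the handshake unless tls_ca_file supplies it. Running `openssl verify` with the bundle as `-untrusted` rather than as `-CAfile` reproduces that client view; passing the intermediate via `-CAfile` would make it trusted and hide the gap.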