#1 2011-03-18 16:00:10

Carlwill
Member
From: Orlando, FL
Registered: 2008-10-06
Posts: 560

SSL Certificates For Mail?

I need to use TLS authentication for SMTP and IMAP4 (Postfix 2.8 & Dovecot 2.x); however, I don't really know what the best level would be. I did some searching and am very confused: some people generate a CSR, CRT, & KEY, while others generate a .PEM for the CRT (public) and a .PEM for the KEY (private). I don't know or understand the difference between the two kinds. Can someone please tell me what I should be using? I do know that I have OpenSSL to generate a 256-bit encryption key, however.


./


#2 2011-03-22 00:04:38

rhavenn
Member
Registered: 2011-03-13
Posts: 5

Re: SSL Certificates For Mail?

PEM files are the CRT and KEY file combined and are normally used more often on a MS server. I find it easier to keep the two separate. So, assuming you want to get a real cert, i.e. pay for one, you would do the following:

1) generate a key
2) generate a CSR (certificate signing request)
3) pay your favorite SSL provider (Digicert is a good choice)
4) get a CRT (actual certificate linked to the key file above; you need both pieces)

Using openssl you would do:

cmdline> openssl genrsa -out hostname.domain.com.key 4096
cmdline> openssl req -new -key hostname.domain.com.key -out hostname.domain.com.csr

Upload the generated CSR and off you go. You will want to match the CSR info to the WHOIS info on your domain.

It is possible to self-sign certs as well. A good link is this one: http://www.akadia.com/services/ssh_test … icate.html

note: you can skip Step 3 if you remove the -des3 from Step 1. This will allow you to start-up a service without entering a password.
note2: most cert providers want at least 2048-bit keys these days. I just do 4096 and call it good.

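The key and CSR steps from the reply above, followed by the checks worth running before pointing Postfix or Dovecot at the files, as an added example that is not part of either post. It self-signs in place of the CA step for testing, reports the PEM label on each file, and confirms that key, CSR and certificate carry the same public key. The hostname mail.example.test, the function names and the 30-day validity are assumptions.

```sh
#!/bin/sh
# Added example. mail.example.test is a constructed placeholder hostname.

# make_key_and_csr DIR HOST [BITS]: passphrase-less RSA key plus a CSR.
make_key_and_csr() {
    # Subshell umask: the unencrypted key is created owner-readable only.
    ( umask 077; openssl genrsa -out "$1/$2.key" "${3:-4096}" 2>/dev/null ) || return 1
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
}

# self_sign DIR HOST: stands in for the CA steps; for testing only.
self_sign() {
    openssl x509 -req -days 30 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -out "$1/$2.crt" 2>/dev/null
}

# pem_label FILE: print the type named on the file's BEGIN line.
pem_label() {
    sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# pubkey_digest KIND FILE: SHA-256 over the public key held in FILE.
pubkey_digest() {
    case $1 in
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pub" ] || return 1      # unreadable file or wrong file type
    printf '%s\n' "$pub" | openssl dgst -sha256
}

# files_match KEY CSR CRT: true only if all three hold the same public key.
files_match() {
    k=$(pubkey_digest key "$1") && r=$(pubkey_digest csr "$2") &&
        c=$(pubkey_digest crt "$3") && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

demo() {
    d=$(mktemp -d) && h=mail.example.test
    make_key_and_csr "$d" "$h" 2048 && self_sign "$d" "$h" &&
        files_match "$d/$h.key" "$d/$h.csr" "$d/$h.crt" && echo "key, CSR and CRT match"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to exercise all steps in a temporary directory; with a CA-issued certificate, `files_match` is the check to run on the returned CRT before installing it.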
