Cyrus IMAPでの証明書

Cyrusで使う証明書の作り方は毎回悩むので、ここに備忘録として記す。

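# umask 077: -nodes writes the private key unencrypted, so make sure
# server-key.pem (and the combined server.pem) are created owner-readable only.
% umask 077
# -sha256: sign with SHA-256 explicitly; otherwise the digest is whatever this
# OpenSSL build defaults to (MD5 or SHA-1 on old releases).
# Certificate extensions (subjectAltName etc.) come from x509_extensions in the
# config file's [req] section; without it the certificate gets none.
% openssl req -new -x509 -sha256 -days 1095 -nodes -out server-cert.pem -keyout server-key.pem -config <設定ファイル>
# Optional convenience: one file holding both certificate and key.
% cat server-cert.pem server-key.pem > server.pem
# Inspect the result: check Signature Algorithm, Validity, and that
# "X509v3 Subject Alternative Name" lists the IMAP hostname.
% openssl x509 -in server-cert.pem -noout -text | lv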

server.pem に鍵と証明書をまとめる必要は必ずしもない。ただし -nodes で作った秘密鍵は暗号化されていないので、server-key.pem と server.pem は Cyrus を動かすユーザだけが読める権限 (0600) にしておくこと。ユーザ(クライアント)に渡すのは server.pem ではなく、秘密鍵を含まない server-cert.pem だけでよい。

次に、上の -config に渡す設定ファイルの中身。

[ ca ]
# Entry point for `openssl ca`: default_ca names the section holding the
# actual CA settings.
default_ca        = CA_default
# NOTE(review): openssl ca reads x509_extensions from the section named by
# default_ca ([CA_default] below, which sets its own); this entry here
# appears to be unused.
x509_extensions   = usr_cert

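[ CA_default ]
# Working directory of the private CA used by `openssl ca`. Only `openssl ca`
# reads this section; the self-signed certificate made with
# `openssl req -x509` above does not touch any of these paths.
# Keep $dir/private mode 0700.
dir               = /home/shirou/imap_cert
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
# CA certificate and its private key (not the server-cert.pem /
# server-key.pem pair produced above).
certificate       = $dir/cert.pem
serial            = $dir/serial
crl               = $dir/crl.pem
private_key       = $dir/private/key.pem
database          = $dir/index.txt

# Validity (days) of certificates signed with `openssl ca`.
default_days      = 1095
# Validity (days) of a CRL from `openssl ca -gencrl`. Three years means a
# revocation can go unnoticed by clients that cache the CRL until it expires;
# shorten it (e.g. 30) if a CRL is ever published.
default_crl_days  = 1095
# Signature digest. MD5 is collision-broken and rejected by current TLS
# stacks; SHA-256 is the minimum today.
default_md        = sha256
# Subject-field policy for signing requests, see [policy_match].
policy            = policy_match
# Extension profile for issued certificates; it must be an end-entity
# profile (CA:FALSE), see [x509v3_extensions].
x509_extensions   = x509v3_extensions
# Leave copy_extensions off: with `copy`, any extension requested in a CSR
# that this profile does not set itself is carried into the certificate
# as-is, so enable it only when every CSR is reviewed first.
#copy_extensions = copy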

[ policy_match ]
# Subject-field policy applied by `openssl ca` when signing a CSR:
# "supplied" fields must be present in the request, "optional" ones may be
# absent. No field is required to equal the CA's own subject (that would be
# "match"); the section name is inherited from the stock openssl.cnf.
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
# The only mandatory field: the server hostname.
commonName              = supplied
emailAddress            = optional

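[ req ]
# Settings for `openssl req` (the `req -new -x509 ... -config` command above).
# RSA key size generated by -new when no key is given.
default_bits            = 2048
# Signature digest for the CSR / self-signed certificate. Without this the
# built-in default of the installed OpenSSL version is used, which on old
# releases is MD5 or SHA-1.
default_md              = sha256
distinguished_name      = req_distinguished_name
# NOTE(review): the [req_attributes] section named here is not in this file;
# if openssl req complains that it cannot find the section, add an empty
# [ req_attributes ] section or drop this line.
attributes              = req_attributes
# Extension profile added to the certificate when -x509 is used. If this is
# left unset, the self-signed certificate gets no extensions from this config
# at all — in particular no subjectAltName — and clients that match the
# hostname against SAN rather than CN will refuse it. usr_cert is the
# end-entity profile (basicConstraints CA:FALSE).
x509_extensions         = usr_cert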

[ req_distinguished_name ]
# Subject fields `openssl req` asks for: the key is the DN attribute, the
# value is the prompt text shown to the user.
countryName                  = Country Name (2 letter code)
stateOrProvinceName          = State or Province Name (full name)
localityName                 = Locality Name (eg, city)
0.organizationName           = Organization Name (eg, company)
1.organizationName           = Second Organization Name (eg, company)
organizationalUnitName       = Organizational Unit Name (eg, section)
commonName                   = Common Name (eg, YOUR name)
emailAddress                 = Email Address

# Preset answers (<field>_value). NOTE(review): openssl req appears to take a
# *_value entry as the field's value without prompting; an empty one
# (1.organizationName) presumably leaves that field out — confirm with
# `openssl x509 -in server-cert.pem -noout -subject`.
countryName_value            = JP
stateOrProvinceName_value    = Kanagawa
localityName_value           = Somewhere
0.organizationName_value     = SomeOrg
1.organizationName_value     =
organizationalUnitName_value = example
# Must be the hostname clients connect to. Modern clients check the
# subjectAltName extension rather than CN, so the same name has to appear
# there as well (see the extension sections below).
commonName_value             = imap.example.com
# An email address in a server certificate's subject is not needed for TLS
# and is visible to anyone who connects; consider leaving it blank.
emailAddress_value           = shirou@example.com

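[ usr_cert ]
# Extension profile for the IMAP server's own (end-entity) certificate,
# used via x509_extensions in [req] or `-extensions usr_cert`. A leaf profile
# must never assert CA:TRUE or the sslCA/emailCA nsCertType bits; marking
# basicConstraints critical makes strict validators honour it.
basicConstraints = critical, CA:FALSE
# TLS server use only: signing (ECDHE handshakes) and RSA key transport.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Hostname clients connect with. Current IMAP clients and TLS libraries match
# the server name against subjectAltName, not CN; add one DNS: entry per name
# the server is reached by, e.g. DNS:imap.example.com,DNS:mail.example.com.
subjectAltName = DNS:imap.example.com
# Legacy Netscape attribute; only very old clients look at it.
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always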

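[ x509v3_extensions ]
# Profile applied by `openssl ca` to the certificates it signs
# (x509_extensions in [CA_default] points here). Server certificates issued
# by the CA are end-entity certificates: CA:true in this profile would turn
# every issued certificate into a CA able to sign further certificates, and
# the sslCA/emailCA nsCertType bits claim the same.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Name clients verify against. Because it is fixed to the IMAP hostname, this
# profile only fits certificates for that host; when signing a CSR for any
# other name, supply the SAN for that request instead of reusing this section.
subjectAltName = DNS:imap.example.com
# Legacy Netscape attribute; only very old clients look at it.
nsCertType = server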