Certificates for Cyrus IMAP
I get confused every time about the certificate used with Cyrus, so I'm writing it down here as a memo.
% openssl req -new -x509 -days 1095 -nodes -out server-cert.pem -keyout server-key.pem -config <config file>
% cat server-cert.pem server-key.pem > server.pem
% openssl x509 -in server.pem -text | lv    <-- check the result
There is no need to bundle the key into the same file, though. When handing it to users, server-cert.pem alone is enough; do not give them server.pem.
And here are the contents of the configuration file.
[ ca ]
default_ca = CA_default
x509_extensions = usr_cert

[ CA_default ]
dir = /home/shirou/imap_cert
certs = $dir/certs
crl_dir = $dir/crl
# CA_DB =
new_certs_dir = $dir/newcerts
certificate = $dir/cert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/key.pem
database = $dir/index.txt
# RANDFILE =
default_days = 1095
# default_startdate =
# default_enddate =
default_crl_days = 1095
# default_crl_hours =
default_md = md5
# preserve = no
policy = policy_match
x509_extensions = x509v3_extensions
#copy_extensions = copy
# crl_extensions =
# msie_hack =

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
# default_keyfile =
distinguished_name = req_distinguished_name
attributes = req_attributes
# x509_extensions =

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
1.organizationName = Second Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
emailAddress = Email Address
countryName_value = JP
stateOrProvinceName_value = Kanagawa
localityName_value = Somewhere
0.organizationName_value = SomeOrg
1.organizationName_value =
organizationalUnitName_value = example
commonName_value = imap.example.com
emailAddress_value = shirou@example.com

# The [ req ] section above points at this section with "attributes =";
# openssl req refuses to run if it is missing, so it is declared here (empty).
[ req_attributes ]

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = sslCA, emailCA, server, client, email, objsign
# nsCertType = objsign
# nsCertType = client, email
# nsCertType = client, email, objsign
# nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ x509v3_extensions ]
subjectKeyIdentifier=hash
subjectAltName = DNS:imap.example.com
issuerAltName = DNS:imap.example.com
#issuerAltName = issuer:copy
basicConstraints = CA:true
nsCertType = sslCA, emailCA, server, client, email, objsign
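The three commands above wrapped in a function, plus the checks worth running before the files leave the box (the file given to users carries no key, the certificate names the IMAP host, server.pem is not world-readable). This is an added example, not code from the original memo; it assumes an openssl CLI in PATH, and the config path and output directory are parameters, so the config shown above can be passed in.

```shell
# Added example (not from the memo): the memo's three steps as a function,
# plus the checks worth running before deployment. Assumes openssl in PATH.
set -eu

# gen_cyrus_cert <openssl.cnf> <outdir>: writes server-cert.pem,
# server-key.pem and server.pem (cert+key, the file Cyrus reads).
gen_cyrus_cert() {
  cfg=$1; dir=$2
  mkdir -p "$dir"
  (
    umask 077   # key files are created 0600; no chmod race afterwards
    openssl req -new -x509 -days 1095 -nodes -config "$cfg" \
      -out "$dir/server-cert.pem" -keyout "$dir/server-key.pem" 2>/dev/null
    cat "$dir/server-cert.pem" "$dir/server-key.pem" > "$dir/server.pem"
  )
}

# pem_has_no_key <file>: true when the file carries no PRIVATE KEY block,
# i.e. it is what you hand to users (server-cert.pem), never server.pem.
pem_has_no_key() {
  ! grep -q 'PRIVATE KEY' "$1"
}

# cert_names_host <certfile> <hostname>: true when the certificate names
# the host clients connect to, as CN or as a DNS subjectAltName.
cert_names_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qE "DNS:$2|CN ?= ?$2"
}

# demo <workdir>: runs everything on a constructed minimal config (not the
# memo's) so the block is self-contained; returns 0 when all checks pass.
demo() {
  cat > "$1/demo.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3
[ dn ]
CN = imap.example.com
[ v3 ]
subjectAltName = DNS:imap.example.com
EOF
  gen_cyrus_cert "$1/demo.cnf" "$1/out"
  pem_has_no_key "$1/out/server-cert.pem" &&
    ! pem_has_no_key "$1/out/server.pem" &&
    cert_names_host "$1/out/server-cert.pem" imap.example.com &&
    [ -z "$(find "$1/out/server.pem" -perm -044)" ]   # no group/other read bit
}
```

Run it as `demo "$(mktemp -d)"`; a non-zero exit means one of the files is not safe to deploy or distribute.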