README.SSL

This documentation is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.

=========================================================================

Quick guide to SSL certificates with Binc IMAP.

Table of contents:

0. Introduction
1. To generate a private key and certificate request
2. To generate a private key and self-signed certificate
3. To generate a private key and CA signed certificate, acting as
   one's own CA.

For more information, check out the project home page's FAQ and
the Life With Binc IMAP community documentation site:

http://www.lifewithbincimap.org/

=========================================================================

0. Introduction
---------------

There are two ways to enable SSL on Binc IMAP. One is to use an SSL
tunnel (http://www.stunnel.org/), the other is to use Binc IMAP's
native SSL support. If you compiled Binc with SSL support, the latter
is much easier to set up.

To use SSL with Binc IMAP, you need a private key and a certificate.

A private key is a random string of bits that is secret to your host.
If this key is compromised, your SSL server will no longer provide
significant security for your users.

The certificate is among the first things the server sends to a
client. The client uses this certificate to make certain that it is
communicating with the correct host. To do this, it needs to check the
certificate against a trusted third party certificate, known as a CA
certificate.
There are in general two types of certificates:

- CA signed certificates
- Self signed certificates

CAs, or Certificate Authorities, are used by clients to verify the
authenticity of a certificate. If you want an official CA to verify
your certificate, you need to send a "certificate request". Usually
for a certain price, a signed certificate is returned to you. If you
do not wish to use an official CA, you can act as your own CA and
create your own CA signed certificates.

A certificate is not valid unless it is signed. If it is self signed,
clients cannot verify its identity. In that sense, a self signed
certificate is only useful in a test environment: the client cannot
identify the server if the server uses a self-signed certificate.

The general idea is:

* If you are testing an SSL enabled server, generate a self-signed
  test certificate.

* If you want to provide an SSL enabled service on a closed network,
  create a CA certificate and a signed host certificate, then install
  the CA certificate on all clients on the network.

* If you want to provide an SSL enabled service on an open network
  such as the Internet, use an official CA to sign your certificate.

1. To generate a private key and certificate request
----------------------------------------------------

Quick hit: "make cert".

To generate a private key and a certificate request, the following
openssl command can be used:

openssl req -newkey rsa:1024 -keyout bincimap.key -nodes -days 365 -out bincimap.crq

Inside bincimap.crq is a certificate request in PEM encoding, which
basically means the request is base64 encoded and enclosed in a
start string that says "BEGIN CERTIFICATE REQUEST" and an end string
that says "END CERTIFICATE REQUEST".

Submit this request file to a CA such as Thawte
(http://www.thawte.com/) or Verisign (http://www.verisign.com/).
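Two mistakes the steps in this guide make easy are bundling the request (bincimap.crq) into bincimap.pem instead of the signed certificate, and leaving the bundle readable by other users. As an added example that is not part of Binc IMAP or this README, the Python script below parses the BEGIN/END PEM markers described above and checks a bincimap.pem bundle for both problems; the file names come from this guide, and the PEM bodies it writes are constructed placeholders, not real keys or certificates.

```python
import base64
import os
import re
import tempfile

# A PEM block is base64 text between the BEGIN/END marker lines; the label
# (e.g. CERTIFICATE REQUEST or RSA PRIVATE KEY) is captured for inspection.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_labels(text):
    """Return the labels of all PEM blocks in text, checking each body is valid base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        base64.b64decode("".join(body.split()), validate=True)  # raises on garbage
        labels.append(label)
    return labels


def check_pem_bundle(path):
    """Return a list of problems with a bincimap.pem bundle; an empty list means OK."""
    problems = []
    with open(path) as f:
        labels = pem_labels(f.read())
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block (bincimap.key missing?)")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block (bincimap.crt missing?)")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("contains the request (bincimap.crq) rather than the signed certificate")
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:  # the bundle holds the private key: only its owner may read it
        problems.append("mode %o lets group/others read the private key" % mode)
    return problems


def write_constructed_bundle(path, labels, mode):
    """Write a bundle of fake (constructed, not real) PEM blocks with the given labels."""
    body = base64.b64encode(b"constructed sample, not a real key or certificate").decode()
    with open(path, "w") as f:
        for label in labels:
            f.write("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label))
    os.chmod(path, mode)


def demo():
    """Check a correctly built bundle and one with both classic mistakes."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "bincimap.pem"), os.path.join(d, "wrong.pem")
        write_constructed_bundle(good, ["RSA PRIVATE KEY", "CERTIFICATE"], 0o400)
        write_constructed_bundle(bad, ["RSA PRIVATE KEY", "CERTIFICATE REQUEST"], 0o644)
        return check_pem_bundle(good), check_pem_bundle(bad)
```

Running `demo()` returns an empty problem list for the correct bundle and three findings for the wrong one; point `check_pem_bundle` at your real bincimap.pem before setting the "pem file" option.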
When you receive the signed certificate from them, store it in a file
called bincimap.crt.

The file contains the PEM encoded certificate, and it is enclosed in
a start string that says "BEGIN CERTIFICATE" and an end string that
says "END CERTIFICATE".

Copy the contents of both files (bincimap.key and bincimap.crt) into a
file called "bincimap.pem" and place this file at a location that is
read-only for the bincimap-up process (typically root).

Then edit bincimap.conf, go to the SSL section and set the path of
this file in the "pem file" option.

You're now ready to use Binc IMAP with SSL.

2. To generate a private key and self-signed certificate
--------------------------------------------------------

Quick hit: "make testcert".

To generate a private key and a self-signed certificate, the following
openssl command can be used:

openssl req -newkey rsa:1024 -keyout bincimap.key -x509 -nodes -days 365 -out bincimap.crt

Copy the contents of the generated bincimap.key and bincimap.crt files
into a file called "bincimap.pem" and place this file at a location
that is read-only for the bincimap-up process (typically root).

Then edit bincimap.conf, go to the SSL section and set the path of
this file in the "pem file" option.

You're now ready to test Binc IMAP with SSL.

3. To generate a private key and CA signed certificate, acting as
   one's own CA.
------------------------------------------------------------------

Look up the guides on LifeWithBincIMAP.org:

http://lifewithbincimap.org/index.php/Main/DoItYourselfCertificateAuthority
http://lifewithbincimap.org/index.php/Main/SettingUpYourOwnSSLCertificationAuthority

You're now ready to use Binc IMAP with SSL.

Happy IMAPing!
Andy :-)

=========================================================================
Tell us what you think about this server! Post any problems, remarks
or comments to:

The Binc IMAP mailing list <lists-bincimap@infeline.org>

Author: Andreas Aardal Hanssen <andreas-binc at bincimap.org>