This documentation is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA. ========================================================================= Quick guide to SSL certificates with Binc IMAP. Table of contents: 0. Introduction 1. To generate a private key and certificate request 2. To generate a private key and self-signed certificate 3. To generate a private key and CA signed certificate, acting as one's own CA. For more information, check out the project home page's FAQ and the Life With Binc IMAP community documentation site: http://www.lifewithbincimap.org/ ========================================================================= 0. Introduction --------------- The are two ways to enable SSL on Binc IMAP. One is to use an SSL tunnel (http://www.stunnel.org/), the other is to use Binc IMAP's native SSL support. If you compiled Binc with SSL support, the latter is much easier to set up. To use SSL with Binc IMAP, you need a private key and a certificate. A private key is a random string of bits that is secret to your host. If this key is compromised, your SSL server will no longer provide significant security for your users. The certificate is among the first things the server sends to a client. The client uses this certificate to make certain that it is communicating with the correct host. To do this, it needs to check the certificate with a trusted third party certificate, known as a CA certificate. There are in general two types of certificates: - CA signed certificates - Self signed certificates CAs, or Certificate Authorities, are used by clients to verify the authenticity of a certificate. If you want an official CA to verify your certificate, you need to send a "certificate request". Usually for a certain price, a signed certificate is returned to you. If you do not wish to use an official CA, you can act as your own CA and create your own CA signed certificates. A certificate is not valid unless it is signed. If it is self signed, the clients can not verify its identity. In that sense, a self signed certificate is only useful in a test environment. The client can not identify the server if the server uses a self-signed certificate. The general idea is: * If you are testing an SSL enabled server, generate a self-signed test certificate. * If you want to provide an SSL enabled service on a closed network, create a CA certificate and a signed host certificate, then install the CA certificate on all clients on the network. * If you want to provide an SSL enabled service on an open network such as the Internet, use an official CA to sign your certificate. 1. To generate a private key and certificate request ---------------------------------------------------- Quick hit: "make cert". To generate a private key and a certificate request, the following openssl command can be used: openssl req -newkey rsa:1024 -keyout bincimap.key -nodes -days 365 -out bincimap.crq Inside bincimap.crq is a certificate request in PEM encoding, which basically means the certificate is base64 encoded and enclosed in a start string that says "BEGIN CERTIFICATE REQUEST" and an end string that says "END CERTIFICATE REQUEST". Submit this request file to a CA such as Thawte (http://www.thawte.com/) or Verisign (http://www.verisign.com/). When you receive the signed certificate from them, store this in a file called bincimap.cert. The file contains the PEM encoded certificate, and it is enclosed in a start string that says "BEGIN CERTIFICATE" and an end string that says "END CERTIFICATE". Then edit bincimap-config and set the full filename and path to your certificate file and your private key file. You're now ready to use Binc IMAP with SSL. 2. To generate a private key and self-signed certificate -------------------------------------------------------- Quick hit: "make testcert". To generate a private key and a self-signed certificate, the following openssl command can be used: openssl req -newkey rsa:1024 -keyout bincimap.key -x509 -nodes -days 365 -out bincimap.cert Then edit bincimap-config and set the full filename and path to your certificate file and your private key file. You're now ready to test Binc IMAP with SSL. 3. To generate a private key and CA signed certificate, acting as one's own CA. ------------------------------------------------------------------ Look up the guides on LifeWithBincIMAP.org: http://lifewithbincimap.org/index.php/Main/DoItYourselfCertificateAuthority http://lifewithbincimap.org/index.php/Main/SettingUpYourOwnSSLCertificationAuthority You're now ready to use Binc IMAP with SSL. Happy IMAPing! Andy :-) ========================================================================= Tell us what you think about this server! Post any problems, remarks or comments to: The Binc IMAP mailing list Author: Andreas Aardal Hanssen