= How are x509 certificates and key files handled on MOSH servers? =

[wiki:MOSH MOSH servers] are configured to provide apache, postfix and courier services on a single server.

All three programs rely on the same x509 certificates and the same keys; however, they reference these keys in three different ways.

All MOSH servers should have the following files:

 * /etc/ssl/HOST.mayfirst.org.crt: contains both the TLS certificate and any required intermediary certificates (server cert first, intermediary second)
 * /etc/ssl/private/HOST.mayfirst.org.pem: contains the key file, the TLS certificate and any required intermediary certificates (in that order)

If, for some reason, the MOSH server is using a common name other than HOST.mayfirst.org (e.g. secure.critpath.org is used instead of didier.mayfirst.org), then the files should be named after the common name (secure.critpath.org) and HOST.mayfirst.org should be a symlink to the actual file. This naming convention helps us easily identify which common name the certificates should be presenting.

= Service configuration =

 * courier: /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl should have the TLS_CERTFILE variable set to /etc/ssl/private/HOST.mayfirst.org.pem
 * apache: /etc/apache2/sites-available/HOST.mayfirst.org.ssl should have SSLCertificateFile and SSLCertificateChainFile both set to /etc/ssl/didier.mayfirst.org.crt and SSLCertificateKeyFile set to /etc/ssl/private/HOST.mayfirst.org.pem
 * postfix: /etc/postfix/main.cf should have smtpd_tls_cert_file set to /etc/ssl/didier.mayfirst.org.crt and smtpd_tls_key_file set to /etc/ssl/private/HOST.mayfirst.org.pem
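The following script is an added example, not part of this wiki page or of the MOSH configuration itself. It checks that a host's files follow the layout described above: the .crt holds only certificates with the server certificate first, the .pem holds the private key followed by exactly the contents of the .crt, the key-bearing .pem is not world-readable, and when the common name differs from HOST.mayfirst.org the HOST-named files are symlinks to the common-name files. It assumes only POSIX sh, sed, grep, cmp, find and readlink; the optional directory argument to audit_mosh_host is an assumption added so the checks can be run against a scratch directory instead of /etc/ssl.

```shell
#!/bin/sh
# Structural checks for the MOSH certificate/key file layout.
# Added example; assumes POSIX sh plus sed, grep, cmp, find and readlink.

# Print the PEM block labels ("CERTIFICATE", "RSA PRIVATE KEY", ...) of a file, in order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# /etc/ssl/CN.crt: server certificate first, then only intermediary certificates.
# Any key material in this world-readable file is a failure.
check_crt_layout() {
    c_file="$1"
    [ -f "$c_file" ] || return 1
    [ "$(pem_labels "$c_file" | head -n 1)" = "CERTIFICATE" ] || return 1
    pem_labels "$c_file" | grep -v '^CERTIFICATE$' >/dev/null && return 1
    return 0
}

# /etc/ssl/private/CN.pem: private key first, then exactly the bytes of the .crt.
check_pem_layout() {
    p_file="$1"; p_crt="$2"
    [ -f "$p_file" ] && [ -f "$p_crt" ] || return 1
    case "$(pem_labels "$p_file" | head -n 1)" in
        *"PRIVATE KEY") ;;          # RSA PRIVATE KEY, EC PRIVATE KEY or PRIVATE KEY
        *) return 1 ;;
    esac
    # drop the leading key block and compare the remainder with the .crt byte for byte
    sed '1,/^-----END .*PRIVATE KEY-----$/d' "$p_file" | cmp -s - "$p_crt"
}

# The .pem carries the private key, so the "other" read bit (004) must be clear.
check_pem_perms() {
    [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# When the common name differs from the host name, the HOST-named file must be a
# symlink pointing at the common-name file. Same name means nothing to check.
check_symlink() {
    link="$1"; target="$2"
    [ "$link" = "$target" ] && return 0
    [ -L "$link" ] || return 1
    [ "$(readlink "$link")" = "$target" ]
}

# audit_mosh_host HOSTNAME [COMMON_NAME] [SSLDIR]
# e.g. audit_mosh_host didier.mayfirst.org secure.critpath.org
audit_mosh_host() {
    host="$1"; cn="${2:-$1}"; ssldir="${3:-/etc/ssl}"
    a_crt="$ssldir/$cn.crt"; a_pem="$ssldir/private/$cn.pem"
    check_crt_layout "$a_crt"          || { echo "bad .crt layout: $a_crt"; return 1; }
    check_pem_layout "$a_pem" "$a_crt" || { echo "bad .pem layout: $a_pem"; return 1; }
    check_pem_perms "$a_pem"           || { echo "world-readable key file: $a_pem"; return 1; }
    check_symlink "$ssldir/$host.crt" "$a_crt" \
        || { echo "missing symlink: $ssldir/$host.crt -> $a_crt"; return 1; }
    check_symlink "$ssldir/private/$host.pem" "$a_pem" \
        || { echo "missing symlink: $ssldir/private/$host.pem -> $a_pem"; return 1; }
    echo "ok: $host (common name $cn)"
}
```

These checks cover file layout only; they do not prove that the key in the .pem belongs to the certificate in the .crt. For that, compare the public keys with openssl, for example `openssl x509 -noout -pubkey -in /etc/ssl/HOST.mayfirst.org.crt` against `openssl pkey -pubout -in /etc/ssl/private/HOST.mayfirst.org.pem`; the two outputs must be identical.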