ssl

DSA 1571-1 - New openssl packages fix predictable random number generator

For more info on the debian security announcement see:

http://lists.debian.org/debian-security-announce/2008/msg00152.html

Server keys for this host have been updated - any ssh users may well need to remove the old ones from their known_hosts file (or equivalent). Just to let them know that the keys have changed, and intentionally so.

Apache2, NameVirtualHosts, SSL and SERVER_PORT

I was experiencing odd things integrating with Google Maps - although I have an API key for both http and https, only https was working.

It turns out that the Apache environment variable SERVER_PORT was always set to 443, irrespective of whether I was using http/80 or https/443 from the client.

Adding self-signed https certificates to java keystore

There are several reasons you may need to add a self-signed https SSL certificate to your local Java keystore.

For me - it's so that Maven can access DAV shares for repository deployment.

Generating new SSL certificate for exim4

Cargo culted direct from the exim site.

openssl req -x509 -newkey rsa:1024 -keyout /etc/exim4/exim.key -out /etc/exim4/exim.crt -days 9999 -nodes

The really important bit is that the common name (CN) field must be the server name (at least so it seems to be for me).

Don't forget - if your pop3 and imap certificates also expire at the same time, renew them too.

Using self generated SSL (exim4 TLS/courier IMAPS) with Mail.app

Mail.app wouldn't stop asking about the certificates.

So:

  1. Remove any instances of them from Keychain Access
  2. Try to get mail - when told about the certificate choose View certificate and drag the icon to the desktop
  3. Don't add the cert to your login keychain - drag it to the X509Anchors chain instead.
  4. Mark it as always trusted (after all - you trust yourself don't you?)
  5. Repeat 2. - 4. for sending mail.

Bingo! Well - works4me at least.

courier imap/pop3 with ssl

I was using courier-imap and courier-pop until today. I've just installed the -ssl versions of both.

At install they both create a certificate for "localhost", based in New York. This doesn't work unless the server really is localhost.

In /etc/courier there are imapd.pem, imapd.cnf, pop3d.pem and pop3d.cnf

  1. Delete the .pem files
  2. Edit the .cnf files - make sure that you set CN to be the hostname of the mail server
  3. Run mkimapdcert
  4. Run mkpop3dcert
  5. Restart the services

I left the non-ssl IMAP running, but only on 127.0.0.1, for squirrel.

SSL certificates (apache2)

There are two kinds of certificates available: self-signed (free, but people will have to either accept the certificate or manually install it) or paid for (you buy it from a Certificate Authority, and as long as that CA is a common one it will just work in most browsers).

First you will need a private key:

cd /etc/ssl
openssl genrsa -des3 -out private/your.domain.tld.key 2048

Drop the -des3 if you don't want a password on the key (this allows Apache to start up unattended, but is much less secure, since anyone who can read the key file can use it). Note - if you are going to purchase a certificate, check how many bits the provider wants you to use.

Re-generate openssl certificate for apache

Just a note to self - to generate a new self-signed certificate from an existing key:

openssl req -new -key /etc/ssl/private/keyfile -x509 -days nnn -out /etc/apache2/ssl/certfile
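The recurring point in the notes above (exim4, courier, apache) is that the certificate's CN must be the host name clients connect to. The script below is an added example, not from the original posts: it wraps the same `openssl req -x509` one-liner so the CN and a subjectAltName are both set to a given host name, and then uses `openssl x509 -checkhost` to confirm the certificate actually covers that name before it goes into service. The host name `mail.example.test` and the output directory are assumed placeholders; `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: generate a self-signed cert for a host and verify the name matches.
set -eu

make_selfsigned_cert() {
    # $1 = host name to put in CN and SAN, $2 = output directory
    # -nodes: no passphrase on the key, so the daemon can start unattended
    # -addext: modern clients check subjectAltName rather than CN
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$2/host.key" -out "$2/host.crt" \
        -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
    chmod 600 "$2/host.key"   # the private key must not be world-readable
}

cert_cn() {
    # Print the CN from the certificate's subject ($1 = certificate file)
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

cert_matches_host() {
    # Exit 0 if the cert's SAN/CN cover host $2, 1 otherwise ($1 = certificate file)
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Usage (only when a host name is given on the command line):
#   sh gen-cert.sh mail.example.test
if [ "${1:-}" != "" ]; then
    out="$(mktemp -d)"
    make_selfsigned_cert "$1" "$out"
    echo "CN: $(cert_cn "$out/host.crt")"
    cert_matches_host "$out/host.crt" "$1" && echo "certificate covers $1"
    echo "key and cert written to $out"
fi
```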
