[Kolab-devel] Configuration in PREFIX/etc/kolab/kolab-ssl.cnf ?

Thomas Ribbrock itsef_admin at itsef.com
Wed Jan 18 14:46:32 CET 2006


Hi!

Usually, I limit myself to kolab-user, but this time I ran into
something which is most likely a design/development question, hence, I
hope this is the right place to ask... :-}

Background:
I'm currently investigating how to get our kolab server to require
client certificates when connecting via https. We want to make the admin
interface and squirrelmail (which also runs on that machine) accessible
on the outside - but only to our own employees who have been issued a
suitable certificate. This has been working nicely with our old SLOX
setup and it would be great if we could continue to do so.

Problem/Question:
I found many "HOWTOs" and tips as to how to create the client
certificates. In the beginning, I thought that it has to be easy, as
kolab already creates the corresponding CA and server certificates.
However, if I try to use the 'standard' way of creating the client certs
(see e.g. http://www.openssl.org/docs/HOWTO/certificates.txt), the
creation of the "certificate request" fails with: "error, no objects
specified in config file". When I tried to solve this, I discovered that
/kolab/etc/kolab/kolab-ssl.cnf is quite different from the standard
openssl.cnf that usually comes with openssl. One thing I noticed is the
lack of a lot of definitions in [ req_distinguished_name ] and if I
start re-adding and messing with those, it will work at some point.

However, I assume that there was a reason to change kolab-ssl.cnf
compared to openssl.cnf. Hence, lacking deeper knowledge about SSL, I'm
hesitant to just reverse some of those changes and generally mess with
the settings. Therefore, my question: Can someone shed some light on
this - why is kolab-ssl.cnf the way it is? Or is that cnf file suitable
for CA generation *only*?

I've already searched kolab.org, the Wiki and even went to the CVS
browser (I hoped to find some comment in the history of kolab_ca.sh...),
but no hints. Neither did I find any docs about kolab_ca.sh or about
using certs under kolab in general - hence this mail...

Thanks in advance,

Thomas
-- 
==============================================================================
              Thomas Ribbrock         |   TNO ITSEF BV             
              itsef_admin at itsef.com   |   Delftechpark 1
              +31-15-2692529          |   NL-2628XJ Delft  	
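
An added example, not part of the original post and not Kolab's own tooling: one way to create a client certificate request without editing kolab-ssl.cnf is to pass `openssl req` a separate request config that carries its own `[ req_distinguished_name ]` values. The function names, file names and subject values are constructed assumptions; signing the request with the CA is a separate step not shown here.

```shell
#!/bin/sh
# Added example: build a client-certificate request from a dedicated config,
# leaving the CA's own config file untouched. Subject values are constructed.

# make_client_csr <common-name> <output-dir>  -> prints the CSR path
make_client_csr() {
    cn=$1 dir=$2
    # The name is written into a config file and used as a file name,
    # so accept only a conservative character set.
    case $cn in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    mkdir -p "$dir" || return 1
    cfg="$dir/client-req.cnf"

    # prompt = no makes req take the subject from the section verbatim
    # instead of asking for each field interactively.
    cat > "$cfg" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = client_ext

[ req_distinguished_name ]
C  = NL
O  = Example Org
CN = $cn

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

    # umask 077: the unencrypted private key is readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
          -keyout "$dir/$cn.key" -out "$dir/$cn.csr" ) || return 1
    printf '%s\n' "$dir/$cn.csr"
}

# csr_subject <csr>  -> subject in RFC 2253 form, for review before signing
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# csr_requests_client_auth <csr>  -> succeeds if the request asks for clientAuth
csr_requests_client_auth() {
    openssl req -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}
```

Reviewing the subject and requested extensions with the two helper functions before the CA signs anything catches a request that asks for more than client authentication.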



