[Kolab-devel] Configuration in PREFIX/etc/kolab/kolab-ssl.cnf ?

Bernhard Reiter bernhard at intevation.de
Mon Jan 23 10:38:13 CET 2006


Hi Thomas,

On Wednesday, 18 January 2006 14:46, Thomas Ribbrock wrote:
> I'm currently investigating how to get our kolab server to require
> client certificates when connecting via https. 

> Problem/Question:
> I found many "HOWTO's" and tips as to how to create the client
> certificates. In the beginning, I thought that it has to be easy, 

all the time when I messed with OpenSSL I found it to be a
bit of a black art in that it is quite hard to create anything
that will reasonably work in real life.
This is because X509 was broken by a lot of partly redesign attempts,
I recommend Peter Gutmann's Guide to X509 if you are interested
in following this general aspect.

> as 
> kolab already creates the corresponding CA and server certificates.
> However, if I try to use the 'standard' way of creating the client certs
> (see e.g. http://www.openssl.org/docs/HOWTO/certificates.txt), the
> creation of the "certificate request" fails with: "error, no objects
> specified in config file". When I tried to solve this, I discovered that
> /kolab/etc/kolab/kolab-ssl.cnf is quite different from the standard
> openssl.cnf that usually comes with openssl. One thing I noticed is the
> lack of a lot of definitions in [ req_distinguished_name ] and if I
> start re-adding and messing with those, it will work at some point.
>
> However, I assume that there was a reason to change kolab-ssl.cnf
> compared to openssl.cnf. Hence, lacking deeper knowledge about SSL, I'm
> hesitant to just reverse some of those changes and generally mess with
> the settings. Therefore, my question: Can someone shed some light on
> this - why is kolab-ssl.cnf the way it is? Or is that cnf file suitable
> for CA generation *only*?

From looking at it, I guess that Steffen has just removed unneeded stuff
making this file basically suitable for a few uses, like generating a CA
and signing server certificates. However Steffen will know best.

Feel free to mess with that file, if that works for you
and please let us and the wiki know what you have found out regarding the
client certificates.

We did not include a lot of documentation because it goes without saying
that you need a properly done CA structure if you want to use Kolab
in real production. The Kolab Server only creates a simple CA that is not
very refined and most clients will not have it listed as trusted root CA.
So in larger more serious settings
you would build up your own CA separately from Kolab Server
and only give the server a signed certificate for tls and ssl use.
You can also buy these services from a trust center.

If your experiments help us to make the Kolab Server CA more serious,
it is very welcome.

Bernhard
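The two points in the thread, why `openssl req` fails when `[ req_distinguished_name ]` is empty and how a CA kept separate from the server signs server and client certificates, as an added shell example that is not part of this thread or the Kolab project. The config sections, file names and subjects are constructed for it; the `-purpose sslclient` check at the end is the same acceptance test a TLS server applies to a presented client certificate, so a certificate issued for a server does not pass as a client certificate.

```shell
#!/bin/sh
# Added example (not from the Kolab project or this thread): a minimal
# openssl.cnf that is enough for `openssl req`, plus a small private CA
# that signs one server and one client certificate and checks their
# purposes. File names, subjects and section names are constructed.
set -eu

# Write two request configs into $1: "broken.cnf" has an empty DN
# section, "fixed.cnf" has one field in it plus extension sections
# for CA, server and client certificates.
write_configs() {
    cat > "$1/broken.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
EOF
    cat > "$1/fixed.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
CN = Example Private CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Key and CSR from the config alone (no -subj): the exit status tells
# whether [ req_distinguished_name ] contained at least one field.
csr_from_config() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
}

# Self-signed CA from fixed.cnf; its subject comes from the config.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1/fixed.cnf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Issue a leaf certificate: $1 dir, $2 name, $3 extension section, $4 subject.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/fixed.cnf" \
        -subj "$4" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/fixed.cnf" -extensions "$3" \
        -out "$1/$2.crt" >/dev/null 2>&1
}

# Chain and purpose check ($3 is sslclient or sslserver): key usage and
# extended key usage must match the role the certificate is used in.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Build the whole toy PKI in directory $1.
build_pki() {
    write_configs "$1"
    make_ca "$1"
    issue_cert "$1" server v3_server "/CN=kolab.example.test"
    issue_cert "$1" client v3_client "/CN=alice"
}

demo() {
    d="$(mktemp -d)"
    build_pki "$d"
    if csr_from_config "$d/broken.cnf" "$d/broken"; then
        echo "broken.cnf unexpectedly produced a CSR"
    else
        echo "broken.cnf: openssl req fails (empty [ req_distinguished_name ])"
    fi
    verify_cert "$d" client sslclient && echo "client.crt accepted as TLS client"
    verify_cert "$d" server sslclient || echo "server.crt rejected as TLS client"
}
demo
```

The extension sections are what separate the roles: a server-side `SSLVerifyClient require` only needs `-CAfile ca.crt`, and the `extendedKeyUsage` values keep a server certificate from being reused as a client credential.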