Matt's Musings

June 13, 2011

Using StartCom Free SSL certificates with Cyrus imapd

Filed under: Linux — @ 9:12 am NZST

A stumbled across Start Com a few months ago, an Israeli company that run a Certificate Authority (CA) called StartSSL with a root certificate in all the modern browsers and operating systems. Best of all they don’t participate in the cartel run by the rest of the SSL certificate industry and offer domain validated certificates at the price it costs them to issue them – nothing.

I had the first opportunity to use their services today when I needed an SSL cert to secure the IMAP server I run for my parents and I was very pleased with the experience. The web interface is a bit weird and you have to jump through some strange hoops, but to save paying more money to the SSL certificate cartel it seemed more than worthwhile.

Like most CAs these days the certificate which signs your server certificate is not the actual root certificate included in your operating system or browser, but an intermediate CA certificate which is in turn signed by the root certificate. This means that you have to ensure that your server includes the intermediate CA certificate alongside the server certificate so the client can validate the entire path back to the root.

Unlike Apache which explicitly allows you to specify a certificate chain file, the openssl methods used by Cyrus 2.2 only seem to recognise a single CA certificate in the file pointed to by tls_ca_file. All as not lost however, as the openssl libraries are actually quite smart and will automagically determine which intermediate certs they need to bundle into the handshake if you install them appropriately under /etc/ssl/certs (at least on Debian).

The trick is that you have to install the intermediate CA cert into a file named after the hash of the certificate, like so:

# wget http://www.startssl.com/certs/sub.class1.server.ca.pem -O /etc/ssl/certs/startcom-class1-intermediate.pem
# hash=$(openssl x509 -hash -noout -in /etc/ssl/certs/startcom-class1-intermediate.pem)
# ln -s ./startcom-class1-intermediate.pem /etc/ssl/certs/${hash}.0
# ls -l /etc/ssl/certs/${hash}.0
lrwxrwxrwx 1 root root 34 2011-06-13 07:43 /etc/ssl/certs/ea59305e.0 -> ./startcom-class1-intermediate.pem

Then in imapd.conf:

tls_cert_file: /etc/ssl/certs/your-server-cert.pem
tls_key_file: /etc/ssl/private/your-server-key.key
tls_ca_file: /etc/ssl/certs/startcom-ca.pem

Voila. Works everywhere I’ve tried so far.

Start Com – Highly Recommended. I’ll be using them for any future SSL certificate purchases (e.g. EV certs) that I need to make.

7 Comments

  1. Please note that revocation actually costs real money.

    Comment by Philipp Kern — June 13, 2011 @ 9:32 am

  2. Also note that the certificates aren’t “Free”™; StartCom retains all rights, etc..

    Be sure to read their Certification Policy! (“Subscribers Obligations” link on the StartSSL homepage or, this document: http: //www.startssl.com/policy.pdf )

    Comment by Ben — June 13, 2011 @ 4:15 pm

  3. The other way to make the intermediate CA work is just to concatenate it to your certificate (first your certificate, then the intermediate CA). You can also concatenate the intermediate CA to the CA (first the CA, then the intermediate CA).

    Comment by Vincent Bernat — June 13, 2011 @ 6:34 pm

  4. Vincent, I’ve used that technique with other servers, but Cyrus seems to only ever read the first certificate in the file from what I can make out.

    Comment by matt — June 13, 2011 @ 9:14 pm

  5. […] Brown writes about StartCom, the Israeli issuer providing basic SSL certificates for […]

    Pingback by StartSSL: finally, a trustworthy certifier* - jwiltshire.org.uk — June 14, 2011 @ 10:32 am

  6. Hmmm….. certificate issuing is suspended due to security breach…..

    Comment by Dmitrijs Ledkovs — June 21, 2011 @ 6:39 pm

  7. Hmm, that’s very unfortunate…

    Comment by matt — June 21, 2011 @ 7:05 pm

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress