By default, certificates created by the UCS CA are used in UCS for the Apache, Postfix, Dovecot (or Cyrus) etc. daemons. As described in the following points, the Apache, Dovecot, Cyrus and Postfix services can be configured for the use of externally created certificates:
To use your own certificates for the web server Apache , the UCR variables ‘apache2/ssl/certificate’ and ‘apache2/ssl/key’ need to be set to the full path of the certificate files, e.g.:
ucr set apache2/ssl/certificate="/etc/myssl/cert.pem"
ucr set apache2/ssl/key="/etc/myssl/private.key"
The service must then be restarted for the changes to take effect:
service apache2 restart
Cyrus was used as IMAP server up to UCS 4.0-1. Since UCS 4.0-2, the default IMAP server is Dovecot (see below).
When configuring the SSL certificates for the IMAP server Cyrus, special attention must be paid to the fact that the files need to belong to the cyrus user and the mail group. It is thus recommended to create an additional copy of the certificates. Following the example above, the configuration could be performed as follows:
cp /etc/myssl/cert.pem /var/lib/cyrus/cert.pem
cp /etc/myssl/private.key /var/lib/cyrus/private.key
chown cyrus:mail /var/lib/cyrus/cert.pem /var/lib/cyrus/private.key
chmod 600 /var/lib/cyrus/cert.pem /var/lib/cyrus/private.key
The UCR variables
mail/cyrus/ssl/key must then be set for Cyrus:
ucr set mail/cyrus/ssl/certificate="/var/lib/cyrus/cert.pem"
ucr set mail/cyrus/ssl/key="/var/lib/cyrus/private.key"
The Cyrus server finally needs to be restarted:
service cyrus2.4 restart
Dovecot is the default IMAP server since UCS 4.0-2 and supersedes Cyrus.
The UCR variables
mail/dovecot/ssl/key must be set for Dovecot:
ucr set mail/dovecot/ssl/certificate="/etc/myssl/cert.pem"
ucr set mail/dovecot/ssl/key="/etc/myssl/private.key"
Then restart the daemon:
service dovecot restart
The UCR variables ‘mail/postfix/ssl/certificate’ and ‘mail/postfix/ssl/key’ need to be configured:
ucr set mail/postfix/ssl/certificate="/etc/myssl/cert.pem"
ucr set mail/postfix/ssl/key="/etc/myssl/private.key"
Then the mail server has to be restarted:
service postfix restart