On 12/19/2012 06:31 PM, /dev/rob0 wrote:
> On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote:
> > I am looking at a number of tutorials for setup.
>
> This is a formula for failure. :) Stick to the documentation.
> http://www.postfix.org/documentation.html

I looked there again, and did not see an example for creating a
self-signed cert. Oh, 'unsigned' is what the docs say. What do you mean
'unsigned'? No such thing in PKIX; the term is self-signed. No wonder I
missed it the first time through the docs:

openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365

> > I have found two different commands and looking for guidance:
> >
> > genkey --days 3650 mail.example.com
>
> I don't know what this is, but it probably generates a 10-year
> certificate? There is no "genkey" command on my system with OpenSSL
> 0.9.8x, and "genkey" is not a valid subcommand of openssl(1).

Yep, a 10 year cert; that is clear, but what else is in the cert? Well,
you also can't find this command! Perhaps I have not looked closely
enough at the tutorial to see what other cruft they installed. But I
probably will not push with this approach.

> > or
> >
> > openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048
> >   -nodes -keyout smtpd.key -keyform PEM -days 365 -x509
>
> Each of the options you have listed in your command are documented in
> the OpenSSL req(1) manual.

Will look again at the man on this.

> > Now I actually know a LOT about X.509, having worked on PKIX
> > in IETF. But I am theory, not practice. I want control over
> > CN content and the tutorial with the latter shows what I want.
>
> We don't know what you want. What is this certificate to be used for?
> Do you want a self-signed certificate, or to run your own CA, or to
> submit your CSR to an external CA?

Valid point that I did not communicate. I have run CAs and can't see why
for this usage. Can't see why to pay for a cert either; but you would
not know that. Both examples are supposed to create self-signed certs,
but I did not say that is what I wanted. My error; doing too many things
at one time.

All I want for this server is a self-signed cert. I will settle for
SHA-1, as I can't count on SHA-256 support and the risk is low for now.
RSA 2048 will do; if I need larger, I will gen up a new cert next year.
ECDSA would be fun, but support is thin. I do want a full CN that the
second example prompts for. It is just that I missed the 'nice' 'here is
how to create a self-signed cert' over at the postfix.org site. Now I
see it. Yet another example to compare.
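As an added example (not code from the thread or from postfix.org): the second quoted command made non-interactive, so the CN is set with -subj instead of prompts, followed by the checks worth running before pointing smtpd_tls_cert_file at the result. It goes slightly beyond the thread by adding a subjectAltName and a key/cert pairing check; mail.example.com and the O= value are constructed, and -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: self-signed cert for a Postfix smtpd with explicit CN.
# HOST and the O= value are constructed; -addext requires OpenSSL >= 1.1.1.
set -eu

HOST="mail.example.com"
OUT="${TMPDIR:-/tmp}/smtpd-cert.$$"
mkdir -p "$OUT"

# Key and certificate in one step: -x509 emits a certificate instead of a
# CSR, -nodes leaves the key unencrypted so smtpd can load it unattended.
gen_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Mail/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" \
        -keyout "$OUT/smtpd.key" -out "$OUT/smtpd.cert" 2>/dev/null
    chmod 600 "$OUT/smtpd.key"   # private key: owner-readable only
}

# CN as written into the cert; handles both old ("/CN=") and new ("CN = ")
# subject print formats.
cert_cn() {
    openssl x509 -in "$OUT/smtpd.cert" -noout -subject \
        | grep -o 'CN *= *[^,/]*' | sed 's/^CN *= *//'
}

# "Self-signed" in PKIX terms: the issuer name equals the subject name.
is_self_signed() {
    subj=$(openssl x509 -in "$OUT/smtpd.cert" -noout -subject | sed 's/^subject *= *//')
    iss=$(openssl x509 -in "$OUT/smtpd.cert" -noout -issuer | sed 's/^issuer *= *//')
    [ "$subj" = "$iss" ]
}

# Modulus size actually encoded in the certificate.
key_bits() {
    openssl x509 -in "$OUT/smtpd.cert" -noout -text \
        | grep -o '([0-9]* bit)' | tr -dc '0-9'
}

# The private key must carry the same public key the certificate presents.
key_matches_cert() {
    [ "$(openssl pkey -in "$OUT/smtpd.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$OUT/smtpd.cert" -noout -pubkey)" ]
}

gen_cert
printf 'CN=%s bits=%s\n' "$(cert_cn)" "$(key_bits)"
is_self_signed && key_matches_cert && echo "smtpd.cert OK: self-signed, key matches"
```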