On 01/03/2013 10:10 PM, Viktor Dukhovni wrote:
On Thu, Jan 03, 2013 at 11:05:42AM -0500, Robert Moskowitz wrote:

An update on creating self-signed certs.

On 12/20/2012 09:32 AM, Viktor Dukhovni wrote:
On Thu, Dec 20, 2012 at 02:15:35PM +0000, Viktor Dukhovni wrote:

People who want a more compact recipe for a self-signed cert on
a single SMTP server can use my "one-liner" (for machines whose
hostname is an FQDN):

     $ tmp=$(mktemp smtpd.pem.XXXXXX) &&
        openssl req -new \
            -newkey rsa:1280 -keyout /dev/stdout \
            -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
        mv "$tmp" smtpd.pem

With the "-nodes" option in most cases:

     $ tmp=$(mktemp smtpd.pem.XXXXXX) &&
        openssl req -new \
            -newkey rsa:1280 -nodes -keyout /dev/stdout \
            -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
        mv "$tmp" smtpd.pem

I was noticing an error in /var/log/httpd/ssl_error_log about the
cert having basicConstraints: CA=TRUE
If some HTTP server does not like self-signed SSL certs with CA=TRUE,
that's its own problem. Postfix will not force you to jump through
such pointless hoops.
It was a warning. More likely it would be the clients that would object. Postfix may be happy with such a cert, but some other MTA or client might not accept such a cert from Postfix.

One of the IETF mantras is "be conservative in what you send and liberal in what you accept". So a client SHOULD accept this, but not MUST accept it. A server MAY send it, but SHOULD avoid it.

So I was just sharing my experience in working with the cert and what warnings I have been getting that are, based on the standards, correct warnings.

But I think this is a pernicious problem as the localhost.crt created during firstboot on my CentOS 6.3 system has CA=TRUE. I need to look into this more before I submit a bug report upstream to Red Hat.
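An added example, not code from the thread or from Postfix: a variant of the one-liner above that supplies its own req config so the self-signed cert carries basicConstraints CA:FALSE instead of the v3_ca default, plus a check that reports whether a PEM cert asserts CA:TRUE. It assumes the openssl CLI is on PATH; the section name "leaf", the file names and the 2048-bit key size are choices made here.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl CLI on PATH.
# The stock openssl.cnf points "openssl req -x509" at its v3_ca section
# (basicConstraints = CA:true), which is where the CA=TRUE warning in the
# thread comes from. Passing our own config with -extensions replaces it.

write_req_config() {   # $1 = path of the config file to create
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder.example
[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# make_leaf_cert OUT.pem HOSTNAME: writes key + cert (CA:FALSE) into OUT.pem.
# mktemp gives a 0700 work dir and a 0600 temp file, so the private key is
# never world-readable; the final mv keeps the replacement atomic, as in
# the one-liner from the thread.
make_leaf_cert() {
    out=$1; cn=$2
    work=$(mktemp -d) || return 1
    tmp=$(mktemp "$out.XXXXXX") || { rm -rf "$work"; return 1; }
    write_req_config "$work/req.cnf"
    openssl req -new -config "$work/req.cnf" -extensions leaf \
        -newkey rsa:2048 -nodes -keyout "$work/key.pem" \
        -x509 -days $((365 * 10)) -subj "/CN=$cn" -out "$work/cert.pem" \
        2>/dev/null &&
        cat "$work/key.pem" "$work/cert.pem" > "$tmp" &&
        mv "$tmp" "$out"
    rc=$?
    rm -rf "$work"; rm -f "$tmp"
    return $rc
}

# cert_is_ca FILE.pem: exit 0 when the certificate asserts CA:TRUE, 1 otherwise.
# "CA:TRUE" only appears in the Basic Constraints part of -text output.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
```

Running cert_is_ca against the firstboot localhost.crt mentioned above shows in one line whether that file has the same CA=TRUE problem.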
