On Fri, Jan 04, 2013 at 12:57:00AM -0500, Robert Moskowitz wrote:

> >>I was noticing an error in /var/log/httpd/ssl_error_log about the
> >>cert having basicConstraints: CA=TRUE
> >
> >If some HTTP server does not like self-signed SSL certs with CA=TRUE,
> >that's its own problem. Postfix will not force you to jump through
> >such pointless hoops.
>
> It was a warning. More likely it would be the clients that would
> object. Postfix may be happy with such a cert, but some other MTA
> or client might not accept such a cert from Postfix.
>
> One of the IETF mantras is "be conservative in what you send and
> liberal in what you accept". So a client SHOULD accept this, but
> not MUST accept it. A server MAY send it, but SHOULD avoid it.
There is nothing wrong with "CA:true" in a self-signed SSL certificate.
If, however, your default "openssl.cnf" adds "CA:true", and you'd rather
not have it present, the "one liner" can be updated slightly to:

    # tmp=$(mktemp smtpd.pem.XXXXXX) && openssl req -new \
        -newkey rsa:1280 -keyout "$tmp" -nodes \
        -x509 -subj "/CN=$(uname -n)" -days $((365 * 10)) -extensions usr_cert \
        -out /dev/stdout >> "$tmp" && mv "$tmp" smtpd.pem

provided that same "openssl.cnf" has the usual "usr_cert" section as
well as the inconvenient "v3_ca" section with:

    basicConstraints = CA:true

or

    basicConstraints = critical,CA:true

-- 
	Viktor.
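As an added example (not part of this thread), a stdlib-only Python check that reports whether a certificate's basicConstraints extension carries CA:true and whether it is flagged critical, so you can confirm what the one-liner actually produced; the DER walker and the two sample extension blocks are constructed here and are not real certificates.

```python
import base64
import re

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _find_extension(buf, oid):
    """Depth-first search for the Extension SEQUENCE whose extnID equals oid."""
    for tag, value in _children(buf):
        if tag & 0x20:  # constructed element: test it, then descend into it
            items = list(_children(value))
            if tag == 0x30 and items and items[0] == (0x06, oid):
                return items
            found = _find_extension(value, oid)
            if found:
                return found
    return None

def basic_constraints(der):
    """Return (critical, ca) for basicConstraints, or None if the extension is absent."""
    ext = _find_extension(der, BASIC_CONSTRAINTS_OID)
    if ext is None:
        return None
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    critical = len(ext) == 3 and ext[1][1] == b"\xff"
    # extnValue wraps BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen OPTIONAL }
    ca = any(tag == 0x01 and val == b"\xff" for tag, val in _children(_tlv(ext[-1][1], 0)[1]))
    return critical, ca

def pem_basic_constraints(pem_text):
    """Same check on PEM text, e.g. the contents of the smtpd.pem generated above."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_text, re.S).group(1)
    return basic_constraints(base64.b64decode("".join(body.split())))

# Constructed stand-ins for a certificate's [3] extensions block, not real certificates:
SAMPLE_V3_CA = bytes.fromhex("3015a3133011300f0603551d130101ff040530030101ff")  # critical,CA:true
SAMPLE_USR_CERT = bytes.fromhex("300fa30d300b30090603551d1304023000")  # CA:FALSE, as usr_cert emits
```

For a real file, pass the text of smtpd.pem to pem_basic_constraints(); (False, False) or None means no CA:true assertion is present.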