On 12/20/2012 09:32 AM, Viktor Dukhovni wrote:
On Thu, Dec 20, 2012 at 02:15:35PM +0000, Viktor Dukhovni wrote:

People who want a more compact recipe for a self-signed cert on
a single SMTP server can use my "one-liner" (for machines whose
hostname is an FQDN):

     $ tmp=$(mktemp smtpd.pem.XXXXXX) &&
        openssl req -new \
            -newkey rsa:1280 -keyout /dev/stdout \
            -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
        mv "$tmp" smtpd.pem
With the "-nodes" option in most cases:

     $ tmp=$(mktemp smtpd.pem.XXXXXX) &&
        openssl req -new \
            -newkey rsa:1280 -nodes -keyout /dev/stdout \
            -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
        mv "$tmp" smtpd.pem

Where is the cert going in this example? Are you putting both the cert and the private key in the same file?

I would tend to at least include emailAddress. The rest SHOULD be known to the mail users. Though if the cert is used between MTAs, then countryName becomes important. But then it is no longer a 'simple' cert, and go read the openssl docs as I have been doing recently :)

By having rsa:1280, a reasonable reader would get how to control their keysize.
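The following is an added example, not code from the thread or from Postfix. It answers the "where is the cert going" question by building the same combined key-plus-certificate file the one-liner produces (using two temporary files rather than -keyout /dev/stdout, so it does not depend on how /dev/stdout is reopened), with an optional emailAddress in the subject, and then checks what smtpd will need at startup: that the file holds a private key and a certificate, and that the certificate's public key belongs to that private key. The 2048-bit default, the parameter order and the function names are this example's own choices; it assumes openssl(1), mktemp(1) and uname(1) are available.

```shell
#!/bin/sh
# Added example (not from the thread, not Postfix code).
# Assumes openssl(1), mktemp(1) and uname(1) in PATH.

# gen_smtpd_pem OUTFILE [CN] [BITS] [DAYS] [EMAIL]
# Writes an unencrypted private key followed by a self-signed cert into
# OUTFILE (mode 0600, replaced atomically). Defaults of 2048 bits and
# ten years are this example's choices.
gen_smtpd_pem() {
    _out=$1
    _cn=${2:-$(uname -n)}
    _bits=${3:-2048}
    _days=${4:-$((365 * 10))}
    _subj="/CN=$_cn"
    if [ -n "${5-}" ]; then
        _subj="$_subj/emailAddress=$5"   # optional, as suggested in the reply
    fi
    # mktemp creates all three files with mode 0600, so the key is never
    # world-readable, and the final file inherits that mode via cat.
    _key=$(mktemp "$_out.key.XXXXXX") || return 1
    _crt=$(mktemp "$_out.crt.XXXXXX") || return 1
    _tmp=$(mktemp "$_out.XXXXXX") || return 1
    # -nodes: leave the key unencrypted so smtpd can load it without a
    # passphrase; key first, cert second, exactly as the one-liner lays it out.
    openssl req -new -newkey "rsa:$_bits" -nodes -keyout "$_key" \
        -x509 -days "$_days" -subj "$_subj" -out "$_crt" 2>/dev/null &&
    cat "$_key" "$_crt" > "$_tmp" &&
    mv "$_tmp" "$_out"
    _rc=$?
    rm -f "$_key" "$_crt" "$_tmp"
    return $_rc
}

# check_smtpd_pem FILE
# Succeeds only if FILE contains both a private key and a certificate and
# the certificate's SubjectPublicKeyInfo matches the private key's.
# (openssl reads the first matching PEM block, skipping the other kind,
# which is also how smtpd finds both halves in one file.)
check_smtpd_pem() {
    _pem=$1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$_pem" || return 1
    grep -q -- 'PRIVATE KEY-----' "$_pem" || return 1
    _kpub=$(openssl pkey -in "$_pem" -pubout 2>/dev/null) || return 1
    _cpub=$(openssl x509 -in "$_pem" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$_kpub" ] && [ "$_kpub" = "$_cpub" ]
}

# smtpd_pem_subject FILE: print the certificate subject, to confirm the CN.
smtpd_pem_subject() {
    openssl x509 -in "$1" -noout -subject
}

# usage:
#   gen_smtpd_pem smtpd.pem "$(uname -n)" 2048 3650 postmaster@example.org &&
#   check_smtpd_pem smtpd.pem && smtpd_pem_subject smtpd.pem
```

The mismatch check is the part worth keeping around: a key and certificate that were generated in two separate runs look fine to grep but will make smtpd refuse to start, and comparing the two public keys catches that before the daemon does.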

