On 12/20/2012 08:29 PM, Wietse Venema wrote:
Robert Moskowitz:
With the "-nodes" option in most cases:

      $ tmp=$(mktemp smtpd.pem.XXXXXX) &&
          openssl req -new \
              -newkey rsa:1280 -nodes -keyout /dev/stdout \
              -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
          mv "$tmp" smtpd.pem
Where is the cert going in this example?  Are you putting both the cert
and the private key in the same file?
Yes. Postfix by default uses the same file for the private key and
the public key certificate.

I would tend to at least include emailAddress.  The rest SHOULD be known
No. This is a server certificate. Servers have no email address.
Second, this is a self-signed certificate, meaning no assurance
that the information is trustworthy, so no point loading it up.

Past my bedtime, but...

I was thinking about this, and what assurance does your CA provide for the names in the certs it signs? Where are the policies? I have helped set up large commercial CAs with all of the policy cruft with the lawyers checking over everything. Naming assurances are all about what you want to trust.

Well, as I said, past my bedtime and I REALLY should not be thinking about this stuff. It gives me nightmares ;)

Made some headway this evening on the important stuff. Like the real postfix conf and some time with postfixadmin.
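
A check for the combined key-plus-certificate file discussed in this thread, as an added example that is not part of the original messages. The function name `check_combined_pem` is hypothetical; it assumes an `openssl` binary on the PATH and a file laid out like the `smtpd.pem` produced above.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a PEM file that
# holds both the unencrypted private key and the certificate.
# Prints one line per problem found; returns 0 only when the file is clean.
check_combined_pem() {
    pem=$1 rc=0
    [ -r "$pem" ] || { echo "unreadable: $pem"; return 2; }

    # Exactly one private key block and one certificate block are expected.
    nkey=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    ncrt=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$nkey" -eq 1 ] || { echo "private key blocks: $nkey"; rc=1; }
    [ "$ncrt" -eq 1 ] || { echo "certificate blocks: $ncrt"; rc=1; }
    [ "$rc" -eq 0 ] || return "$rc"

    # The certificate must carry the public half of the key stored beside it.
    kpub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
    cpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || { echo "key/cert mismatch"; rc=1; }

    # The key is stored without a passphrase (-nodes), so the file should
    # grant nothing to group or other. GNU stat first, BSD stat as fallback.
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    case $mode in
        ?00) ;;
        *) echo "mode $mode exposes the key"; rc=1 ;;
    esac

    # A long-lived self-signed certificate still expires eventually.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate expired"; rc=1; }

    return "$rc"
}

# Usage: check_combined_pem smtpd.pem && echo "smtpd.pem looks consistent"
```

Because `mktemp` creates its file with owner-only permissions and `mv` keeps them, a file built with the command above should pass the mode check unless the permissions were changed afterwards.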
