On Thu, Jan 03, 2013 at 11:05:42AM -0500, Robert Moskowitz wrote:

> An update on creating self-signed certs.
> 
> On 12/20/2012 09:32 AM, Viktor Dukhovni wrote:
> >On Thu, Dec 20, 2012 at 02:15:35PM +0000, Viktor Dukhovni wrote:
> >
> >>People who want a more compact recipe for a self-signed cert on
> >>a single SMTP server can use my "one-liner" (for machines whose
> >>hostname is an FQDN):
> >>
> >>     $ tmp=$(mktemp smtpd.pem.XXXXXX) &&
> >>         openssl req -new \
> >>             -newkey rsa:1280 -keyout /dev/stdout \
> >>             -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
> >>         mv "$tmp" smtpd.pem
> >With the "-nodes" option in most cases:
> >
> >     $ tmp=$(mktemp smtpd.pem.XXXXXX) &&
> >         openssl req -new \
> >             -newkey rsa:1280 -nodes -keyout /dev/stdout \
> >             -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
> >         mv "$tmp" smtpd.pem
> >
> 
> I was noticing an error in /var/log/httpd/ssl_error_log about the
> cert having basicConstraints:  CA=TRUE

If some HTTP server does not like self-signed SSL certs with CA=TRUE,
that's its own problem. Postfix will not force you to jump through
such pointless hoops.

-- 
        Viktor.
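
An added example, not part of the original thread and not Postfix or OpenSSL project code: for software that does log the CA=TRUE complaint quoted above, this sketch sets basicConstraints explicitly in a private request config (the flag otherwise typically comes from the x509_extensions section of the system openssl.cnf) and checks the resulting certificate. The function names, the rsa:2048 key size and the subjectAltName entry are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names, file names and the host name are assumptions.

# make_cert OUT CN FALSE|TRUE: write key + self-signed cert to OUT (PEM),
# with basicConstraints set explicitly instead of inherited from openssl.cnf.
make_cert() {
    out=$1; cn=$2; ca=$3
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $cn
[ext]
basicConstraints = critical,CA:$ca
subjectAltName = DNS:$cn
EOF
    if ( umask 077   # the output file holds an unencrypted private key
         openssl req -new -x509 -config "$dir/req.cnf" \
             -newkey rsa:2048 -nodes -days $((365 * 10)) \
             -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
         cat "$dir/key.pem" "$dir/cert.pem" > "$dir/both.pem" &&
         mv "$dir/both.pem" "$out" )
    then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# cert_is_ca FILE: exit status 0 if the certificate in FILE asserts CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Usage:
#   make_cert smtpd.pem "$(uname -n)" FALSE
#   cert_is_ca smtpd.pem && echo "basicConstraints: CA:TRUE"
```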
