On Thu, Jan 03, 2013 at 11:05:42AM -0500, Robert Moskowitz wrote:

> An update on creating self-signed certs.
>
> On 12/20/2012 09:32 AM, Viktor Dukhovni wrote:
> >On Thu, Dec 20, 2012 at 02:15:35PM +0000, Viktor Dukhovni wrote:
> >
> >>People who want a more compact recipe for a self-signed cert on
> >>a single SMTP server can use my "one-liner" (for machines whose
> >>hostname is an FQDN):
> >>
> >>    $ tmp=$(mktemp smtpd.pem.XXXXXX) &&
> >>        openssl req -new \
> >>            -newkey rsa:1280 -keyout /dev/stdout \
> >>            -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
> >>        mv "$tmp" smtpd.pem
> >
> >With the "-nodes" option in most cases:
> >
> >    $ tmp=$(mktemp smtpd.pem.XXXXXX) &&
> >        openssl req -new \
> >            -newkey rsa:1280 -nodes -keyout /dev/stdout \
> >            -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
> >        mv "$tmp" smtpd.pem
> >
>
> I was noticing an error in /var/log/httpd/ssl_error_log about the
> cert having basicConstraints: CA=TRUE

If some HTTP server does not like self-signed SSL certs with CA=TRUE,
that's its own problem. Postfix will not force you to jump through
such pointless hoops.

-- 
	Viktor.
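The one-liner above passes no -config, so OpenSSL's stock openssl.cnf supplies the certificate extensions, and on most installs its [req] x509_extensions section is the one that sets basicConstraints = CA:TRUE; that is where the entry in Robert's ssl_error_log comes from. Whether that matters is up to the verifying application, as Viktor says. For readers who want the same recipe without the question ever coming up, here is an added example, not code from this thread, from Postfix or from OpenSSL: a POSIX shell script that generates the certificate the thread's way and a second way with an inline OpenSSL config that marks the certificate as an end-entity (CA:FALSE), restricts key usage to TLS server use and puts the hostname in a subjectAltName, then reports the Basic Constraints each file actually carries. It assumes openssl(1) is in PATH, uses a 2048-bit key instead of the thread's 1280, and all function and file names are this example's own.

```shell
#!/bin/sh
# Added example: self-signed cert for one SMTP host, generated two ways, so the
# basicConstraints difference is visible. Assumes openssl(1) is in PATH.
# Function and file names are this example's own, not from the thread.
set -eu
umask 077   # key and cert share one file, as in the thread; keep it 0600

# Report the X509v3 Basic Constraints value of the first certificate in a PEM
# file: prints CA:TRUE, CA:FALSE, or "absent" (no extension / unreadable file).
basic_constraints() {
    bc=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
         awk '/X509v3 Basic Constraints/ { getline; print; exit }')
    case "$bc" in
        *CA:TRUE*)  echo CA:TRUE ;;
        *CA:FALSE*) echo CA:FALSE ;;
        *)          echo absent ;;
    esac
}

# The thread's recipe: no -config, so the stock openssl.cnf supplies the
# extensions, and on most installs its [req] x509_extensions section sets
# basicConstraints = CA:TRUE.  $1 = output file, $2 = hostname.
gen_default() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    openssl req -new \
        -newkey rsa:2048 -nodes -keyout /dev/stdout \
        -x509 -days $((365 * 10)) -subj "/CN=$2" >> "$tmp" 2>/dev/null ||
        { rm -f "$tmp"; return 1; }
    mv "$tmp" "$1"
}

# Same recipe with an inline config that marks the cert as an end-entity
# (CA:FALSE), restricts key usage to TLS server use, and adds the hostname
# as a SAN (modern verifiers ignore the CN).  $1 = output file, $2 = hostname.
gen_leaf() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_leaf
prompt             = no

[ dn ]
CN = $2

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$2
EOF
    tmp=$(mktemp "$1.XXXXXX") || { rm -f "$cfg"; return 1; }
    openssl req -new -config "$cfg" \
        -newkey rsa:2048 -nodes -keyout /dev/stdout \
        -x509 -days $((365 * 10)) >> "$tmp" 2>/dev/null ||
        { rm -f "$cfg" "$tmp"; return 1; }
    mv "$tmp" "$1"
    rm -f "$cfg"
}

# Usage: sh selfsigned.sh <hostname>   e.g.  sh selfsigned.sh "$(uname -n)"
main() {
    gen_default smtpd-default.pem "$1"
    gen_leaf    smtpd.pem         "$1"
    printf 'smtpd-default.pem: %s\n' "$(basic_constraints smtpd-default.pem)"
    printf 'smtpd.pem:         %s\n' "$(basic_constraints smtpd.pem)"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh selfsigned.sh "$(uname -n)"` and compare the two reported values; smtpd.pem is the file to point smtpd_tls_cert_file at (Postfix reads the key from the same file when smtpd_tls_key_file is left at its default). Because the private key sits next to the certificate, the script sets umask 077 so the file never exists with a wider mode than 0600.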