On Fri, Jun 15, 2007 06:32:42 AM -0700, Paul Heinlein wrote:

> You don't need a CA to create a single self-signed certificate.
I see. Actually, this is just one of those things that is not clear at all from the online docs I found.
>> - cd /usr/share/ssl
>> - modify openssl.cnf to have your Common Name and other parameters
>> - run: ./CA -newca
>>        ./CA -newreq-nodes
>> - move the private key from the .pem file to a separate file
>> - put the cert and key file in a location where Postfix,
>>   Dovecot and Apache can all use them
>> - configure each of those servers to use the certificate
>>
>> What have I missed?
> - Run
>
>   openssl req \
>     -x509 -nodes -days 365 \
>     -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
>     -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
This would be the one-command version of running CA -newreq -nodes, after placing the right values of C, ST, L, CN, etc. in openssl.cnf, right? Just to be sure that I have understood where all the pieces come from (as I said, I won't be able to play on the server before Sunday...).
Still to be 100% sure of what we are saying: the command above self-signs keys and certificate and puts both of them in the mycert.pem file, correct?
> Also, if you're doing this on a private server, you can keep the cert and the key in the same file.
I assume by "private" here you mean "a server which is only used by the members of a closed organization (business, charity, whatever...) but is not used as an ISP to the public", right?
> I'd just give it 0600 perms no matter where you put it.
0600 and ownership root, of course?
Sorry for the repeated questions, but I must say that ssl is one of the fields where the available docs are less clear to non-professionals. It seems to take a lot of effort to just figure out which are the right questions to ask...
Thanks again in advance for any feedback,
Marco
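The procedure discussed in this thread, as an added worked example that is not from Paul's or Marco's mails: one `openssl req -x509` run that writes key and certificate into a single mycert.pem, then the "move the private key to a separate file" step, the 0600 permissions, and a check that the split key still matches the certificate. The directory, file names, the CN and the use of rsa:2048 (instead of the thread's rsa:1024) are assumptions for the example; wiring the files into Postfix, Dovecot and Apache is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: the output
# directory, file names and subject passed by the caller; rsa:2048 in place
# of the thread's rsa:1024.
set -eu

# make_selfsigned DIR CN DAYS
#   Writes DIR/mycert.pem (private key followed by the certificate, as the
#   one-command recipe does), then splits it into DIR/key.pem (0600) and
#   DIR/cert.pem (0644, the certificate is public).
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    (
        umask 077   # files created in this subshell start out as 0600
        # -keyout and -out name the same file: openssl appends the
        # certificate after the key instead of overwriting it.
        openssl req -x509 -nodes -days "$days" \
            -subj "/C=US/ST=Oregon/L=Portland/CN=$cn" \
            -newkey rsa:2048 -keyout "$dir/mycert.pem" -out "$dir/mycert.pem" \
            2>/dev/null
        # "Move the private key to a separate file": each tool reads only
        # the PEM block it understands and skips the other one.
        openssl pkey -in "$dir/mycert.pem" -out "$dir/key.pem"
        openssl x509 -in "$dir/mycert.pem" -out "$dir/cert.pem"
    )
    chmod 0600 "$dir/mycert.pem" "$dir/key.pem"
    chmod 0644 "$dir/cert.pem"
}

# check_pair DIR
#   Prints "match" when the public key inside cert.pem equals the public
#   key derived from key.pem, "mismatch" otherwise (catches a wrong split).
check_pair() {
    dir=$1
    k=$(openssl pkey -in "$dir/key.pem" -pubout | openssl sha256)
    c=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Usage (run as root if the files go under /etc, then chown to the
# service accounts that need the key):
#   make_selfsigned ./tls mail.example.org 365
#   check_pair ./tls          # prints: match
```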