On Fri, 15 Jun 2007, Marco Fioretti wrote: > Hello, > > I am going to build an email server on Centos for a small, private > group of users and I just want to encrypt all communications between > that server and the (remote) email clients of those users (or they > browsers, when they use webmail). Client certificates are not > necessary, at least now. > > I understand that to do that I need to create my own SSL CA, create > with it a self signed certificate and key pair and make sure that > the private key is not encrypted, so the server restarts unattended > in case of a reboot. You don't need a CA to create a single self-signed certificate. > Is this sequence of actions and commands correct and complete > for my case, or not: > > 1) cd /usr/share/ssl > 2) modify openssl.cnf to have your Common Name and other parameters > 3) run: > ./CA -newca > ./CA -newreq-nodes > 4) move the private key from the .pem file to a separate file > 5) put the cert and key file in a location where Postfix, > 6) Dovecot and Apache can all use them > 7) configure each of those servers to use the certificate > > What have I missed? 1) Run openssl req \ -x509 -nodes -days 365 \ -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \ -newkey rsa:1024 -keyout mycert.pem -out mycert.pem You'll for sure want to modify the -subj option in my example, and you might consider lengthening the -days as well so you don't have to rebuild the cert in one year. Also, if you're doing this on a private server, you can keep the cert and the key in the same file. I'd just give it 0600 perms no matter where you put it. Then confinue with your step #5. -- Paul Heinlein <> heinlein at madboa.com <> www.madboa.com