On Fri, Jun 15, 2007 06:32:42 AM -0700, Paul Heinlein wrote:

> You don't need a CA to create a single self-signed certificate.

I see. Actually, this is just one of those things that is not clear at
all from the online docs I found.

> > 1) cd /usr/share/ssl
> > 2) modify openssl.cnf to have your Common Name and other parameters
> > 3) run:
> >      ./CA -newca
> >      ./CA -newreq-nodes
> > 4) move the private key from the .pem file to a separate file
> > 5) put the cert and key file in a location where Postfix,
> > 6) Dovecot and Apache can all use them
> > 7) configure each of those servers to use the certificate
> >
> > What have I missed?
>
> 1) Run
>
>    openssl req \
>      -x509 -nodes -days 365 \
>      -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
>      -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

This would be the one-command version of running CA -newreq -nodes,
after placing the right values of C, ST, L, CN, etc. in openssl.cnf,
right? Just to be sure that I have understood where all the pieces come
from (as I said, I won't be able to play on the server before Sunday...)

Still, to be 100% sure of what we are saying: the command above
self-signs key and certificate and puts both of them in the mycert.pem
file, correct?

> Also, if you're doing this on a private server, you can keep the
> cert and the key in the same file.

I assume by "private" here you mean "a server which is only used by the
members of a closed organization (business, charity, whatever...) but is
not used as an ISP to the public", right?

> I'd just give it 0600 perms no matter where you put it.

0600 and ownership root, of course?

Sorry for the repeated questions, but I must say that SSL is one of the
fields where the available docs are less clear to non-professionals. It
seems to take a lot of effort to just figure out which are the right
questions to ask...

Thanks again in advance for any feedback,

Marco
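The whole procedure discussed above, written out as an added example (this is editor-supplied script, not code posted by Paul or Marco, and not the madboa.com recipe itself): the one-shot `openssl req -x509` call that writes key and certificate into a single mycert.pem, followed by the "move the private key to a separate file" step, the 0600 permissions, and a consistency check that the key really belongs to the certificate and that the certificate is self-signed with the intended CN. Two deliberate departures from the quoted command: the key is 2048-bit RSA rather than 1024-bit, which is no longer acceptable to current clients, and a subjectAltName is added, because modern browsers and mail clients ignore the CN and match the hostname against the SAN. The `-addext` option assumes OpenSSL 1.1.1 or newer; the output directory and the hostname `mail.example.test` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed key+cert in one file,
# then split into key.pem / cert.pem with 0600 perms, then sanity-check.
set -eu

make_selfsigned() {
    # $1 = output directory (assumed writable), $2 = hostname for CN and SAN
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # Restrictive umask so the files are never world-readable, even briefly.
    umask 077
    # -x509  : emit a self-signed certificate instead of a CSR
    # -nodes : leave the key unencrypted (no passphrase prompt at daemon start)
    # -subj  : supply the DN on the command line, so openssl.cnf needs no edit
    # Same path for -keyout and -out: openssl appends the cert after the key.
    openssl req -x509 -nodes -days 365 \
        -subj "/C=US/ST=Oregon/L=Portland/CN=$cn" \
        -addext "subjectAltName=DNS:$cn" \
        -newkey rsa:2048 -keyout "$dir/mycert.pem" -out "$dir/mycert.pem" \
        2>/dev/null
    # Step 4 of the thread: pull key and cert out of the combined file.
    # Each command reads only the PEM block of its own type.
    openssl pkey -in "$dir/mycert.pem" -out "$dir/key.pem"
    openssl x509 -in "$dir/mycert.pem" -out "$dir/cert.pem"
    chmod 0600 "$dir/key.pem" "$dir/cert.pem" "$dir/mycert.pem"
}

check_pair() {
    # Returns 0 if key.pem and cert.pem in $1 belong together, the cert is
    # self-signed, it carries CN=$2, and the key file is mode 0600.
    dir="$1"; cn="$2"
    # Public key derived from the cert must equal the one derived from the key.
    cpub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
    kpub=$(openssl pkey -in "$dir/key.pem" -pubout)
    [ "$cpub" = "$kpub" ] || return 1
    # Self-signed: the certificate must verify using itself as trust anchor.
    openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # Subject must carry the CN we asked for ("CN = x" or "CN=x" depending on version).
    openssl x509 -in "$dir/cert.pem" -noout -subject | grep -q "CN *= *$cn" || return 1
    # Private key must be 0600 (GNU stat first, BSD/macOS stat as fallback).
    mode=$(stat -c %a "$dir/key.pem" 2>/dev/null || stat -f %Lp "$dir/key.pem")
    [ "$mode" = "600" ] || return 1
    return 0
}

# Usage: sh selfsigned.sh /etc/ssl/private/mail mail.example.test
if [ $# -eq 2 ]; then
    make_selfsigned "$1" "$2"
    check_pair "$1" "$2" && echo "OK: $1/key.pem and $1/cert.pem are consistent"
fi
```

Run it as root so the files end up root-owned as well as 0600. Point Postfix at the split files with `smtpd_tls_cert_file` and `smtpd_tls_key_file`, Dovecot with `ssl_cert = </path/cert.pem` and `ssl_key = </path/key.pem`, and Apache with `SSLCertificateFile` and `SSLCertificateKeyFile`; each of those daemons reads the key while still running as root at startup, so the key never needs to be readable by the unprivileged service user.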