Hello, I need help with CA.pl and this [1] guide in general.
(I've already tried to ask here [2].) My goal is to configure Postfix to support TLS encryption.

First, I'd like to configure it to use my system login/password pair for auth, because that's the easiest way. But I don't think that's the best solution. That user has the following entry in /etc/sudoers:

    user ALL=(ALL) ALL

Should I create another user? Should I use another method (e.g. client certs)?

Second, I have some trouble understanding this [2] process. The following is from CA.pl:

    $ openssl req $SSLEAY_CONFIG -new -keyout ./demoCA/private/./cakey.pem \
    >     -out ./demoCA/./careq.pem

What are we doing here? My "SSLEAY_CONFIG" variable is empty. Should I adjust it?

    $ openssl ca $SSLEAY_CONFIG -create_serial -out ./demoCA/./cacert.pem \
    >     -batch -keyfile ./demoCA/private/./cakey.pem -selfsign \
    >     -extensions v3_ca -infiles ./demoCA/./careq.pem

What is "create_serial"? I can't find it in the man page. Here is my attempt:

    openssl req -new -newkey rsa:2048 \
        -keyout cakey.pem \
        -out careq.pem
    ...
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:

Should I use a challenge password?

    openssl ca -create_serial -out cacert.pem \
        -batch -keyfile cakey.pem -selfsign \
        -extensions v3_ca -infiles careq.pem

How do I adjust /usr/lib/ssl/openssl.cnf to let the above commands work in every directory? (The above command returned several errors.)

Third, the main problem is that I don't understand the idea behind this [2]. Why not use a single private key and a single cert? Please elaborate.

Finally, will the above commands plus these [2] instructions fulfill my initial goal (i.e. TLS encryption for login auth)? Let's leave SASL-related questions aside.
Thank you

[1] http://www.postfix.org/TLS_README.html#quick-start
[2] http://article.gmane.org/gmane.mail.postfix.user/232935

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
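The two questions above, "how do I make openssl ca work in every directory" and "why not a single key and cert", can be answered together with a small self-contained CA. The script below is an added example, not code from the original post or from CA.pl: it assumes openssl is on PATH, and the directory layout, section names (demo_ca, v3_server) and the hostname mail.example.test are constructed for the example. It gives the CA its own openssl.cnf so nothing under /usr/lib/ssl is touched, repeats the same req / ca -selfsign steps CA.pl runs, then issues a separate server key and certificate signed by that CA and verifies the chain, which is the reason for two keys: the CA key only signs, the server key only serves TLS.

```shell
# Added example, not code from the original post: a throwaway CA in its own
# directory with its own openssl.cnf, so "openssl ca" does not depend on
# /usr/lib/ssl/openssl.cnf or on being run from any particular directory.
set -eu
make_ca() { dir=$1               # $1 = absolute path for the CA directory
    mkdir -p "$dir/private" "$dir/newcerts" && chmod 700 "$dir/private"
    : > "$dir/index.txt"         # the "database" openssl ca insists on
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca    = demo_ca
[ demo_ca ]
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName    = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:mail.example.test
EOF
    # The same two steps CA.pl runs: a CSR for the CA itself, then self-sign
    # it. -nodes is only so this runs unattended; a real CA key gets a passphrase.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=Demo Root CA" -keyout "$dir/private/cakey.pem" \
        -out "$dir/careq.pem" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -create_serial -batch -selfsign \
        -keyfile "$dir/private/cakey.pem" -extensions v3_ca \
        -in "$dir/careq.pem" -out "$dir/cacert.pem" 2>/dev/null
}
issue_server_cert() { dir=$1     # separate key for the mail server, signed by the CA
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=mail.example.test" -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -batch -extensions v3_server \
        -in "$dir/server.csr" -out "$dir/server.pem" 2>/dev/null
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server.pem"   # chain check
}
```

Run `make_ca /abs/path` once and `issue_server_cert /abs/path` per server; -create_serial creates the serial file named in the config on first use, which is why CA.pl only passes it when bootstrapping the CA.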