On Tue, Aug 21, 2012 at 09:30:47PM +0800, Feel Zhou wrote:
> [root@mtayd CA]# yum install openssl-perl
> ......
> [root@mtayd CA]# yum install pki-ca
> ......
> [root@mtayd CA]# pwd
> /etc/pki/CA
>
> After yum install, I reboot the system.

No way! Really? All you did there was install a few scripts that have
absolutely no connection to the running of the system. There was no
need to reboot for that.

I point this out because it is likely that you would benefit most at
this time from learning the basics of your OS and how to manage it.
This whole thread does look like you need a better grasp of such
things.

> [root@mtayd CA]# openssl ca -out postfix_cert.pem -infiles
> postfix_public.pem

Another basic hint is that you don't need to use the root account to
manage your openssl CA. Get into the habit of only using root for
actual administration of the system.

An openssl basic hint is that the CA should not be kept and managed on
the server itself. You can add another layer of security to it by
keeping the CA files offline and physically secure. I keep mine on a
different system behind a NAT gateway, not directly accessible from
the Internet. (Of course in mail terms, high security for the TLS CA
is not usually very important, but if you're using this CA for
anything else, it can be. And it never hurts to do things right from
the beginning.)

And yet another hint is that you are not following Wietse's
directions. He told you to use the freshly installed CA.pl script that
ships with OpenSSL.

> Using configuration from /etc/pki/tls/openssl.cnf
> Enter pass phrase for /etc/pki/CA/private/cakey.pem:
> unable to load certificate
> 139860379301704:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
>
> Cannot create the postfix_cert.pem. Thanks for your time.

"Unable to load certificate" looks like there was something wrong with
the certificate file.

If you want to do this the Postfix "quick and dirty" way, we can
possibly help you here, but only if you do follow the directions. If
you want to use openssl(1) ca(1) directly, you might have better luck
in a forum specific to OpenSSL.

http://www.postfix.org/TLS_README.html#quick-start

Oh, and please do not top-post your replies here. I am leaving
Wietse's reply quoted, below, in the hopes that you will read it again
and maybe understand it this time.

Thank you and good luck.

> 2012/8/21 Wietse Venema <wie...@porcupine.org>
>
> > Feel Zhou:
> > > Thanks, Wietse and all my friend
> > > I just do the command:
> > > yum install openssl-perl
> > > When I test again
> > > still have the same wrong message
> >
> > Please show the command and output for each step in TLS_README.
> > You can capture the session with the script command.
> >
> >     script name-of-file
> >     $ /some/where/CA.pl ...
> >     ...and so on...
> >     $ exit

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
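The "no start line" error quoted in the thread is what openssl(1) reports when a file it opens in PEM format has no "-----BEGIN ...-----" header of the kind it was expecting; openssl ca reads the CA certificate from the path in openssl.cnf and treats each -infiles argument as a certificate request, so a public-key file, an empty file or a missing file in either place produces exactly that message. The following POSIX shell pre-flight is an added example, not code from the thread, Postfix or OpenSSL: it lists the PEM labels found in the CA certificate and in each request file and reports any mismatch before openssl ca is run. The file names and paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check the PEM files that "openssl ca"
# opens, so a wrong or empty file is reported before the CA is asked to sign.

# Print the label of every "-----BEGIN <label>-----" line in file $1.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed if file $1 contains a PEM block whose label is exactly $2.
pem_has_label() {
    pem_labels "$1" | grep -qx -- "$2"
}

# check_ca_inputs CACERT REQ...
# The CA certificate must carry a CERTIFICATE or TRUSTED CERTIFICATE block;
# each request file must carry a CERTIFICATE REQUEST (or the older
# NEW CERTIFICATE REQUEST) block. Each mismatch is reported on stderr and
# the return value is the number of problems found (0 means all files look
# like what openssl ca expects).
check_ca_inputs() {
    ca_cert=$1
    shift
    problems=0
    if [ ! -s "$ca_cert" ]; then
        echo "$ca_cert: missing or empty" >&2
        problems=$((problems + 1))
    elif ! pem_has_label "$ca_cert" CERTIFICATE \
        && ! pem_has_label "$ca_cert" "TRUSTED CERTIFICATE"; then
        echo "$ca_cert: no CERTIFICATE block; found: $(pem_labels "$ca_cert" | tr '\n' ' ')" >&2
        problems=$((problems + 1))
    fi
    for req in "$@"; do
        if [ ! -s "$req" ]; then
            echo "$req: missing or empty" >&2
            problems=$((problems + 1))
        elif ! pem_has_label "$req" "CERTIFICATE REQUEST" \
            && ! pem_has_label "$req" "NEW CERTIFICATE REQUEST"; then
            echo "$req: not a certificate request; found: $(pem_labels "$req" | tr '\n' ' ')" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage (paths are assumptions):
#   sh pemcheck.sh /etc/pki/CA/cacert.pem postfix_req.pem \
#       && openssl ca -out postfix_cert.pem -infiles postfix_req.pem
if [ "$#" -ge 2 ]; then
    check_ca_inputs "$@"
fi
```

The check is deliberately independent of openssl itself, so it can run as an unprivileged user on the offline CA machine the reply recommends; it only tells you that each file carries the right kind of PEM block, which is the one thing the "no start line" error is complaining about.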