On Wed, Oct 24, 2012 at 03:59:01AM -0400, thorso...@lavabit.com wrote:
> > There is no point in CA key that you don't use. If you create a
> > CA, then at least use it to sign the server certificate. Otherwise,
> > both the server key-pair and the CA key-pair are in fact self-signed
> > CAs and one of them is redundant.
>
> Oh, I got confused. Are you trying to say that this example [1]
> creates a redundant certificate? Why do they suggest this in the
> guide? What would you use instead?
>
> [1] https://help.ubuntu.com/community/Postfix
Yes, the example creates a pointless trusted CA that it never uses.
The CA is neither used to sign the server certificate, nor to sign
any client certificates (nor does the server ask for client
certificates, and most MUAs don't know how to use them anyway).
For a more clueful guide to the perplexed:
http://www.postfix.org/TLS_README.html#quick-start
however note that I would also set my umask to 077 around any
commands that output keys. Specifically:
$ CA.pl -newca
$ openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365
This assumes you want a signing CA and a leaf cert for a few servers.
If you'll only ever have one server, and never want to issue any
client certs for TLS authentication of (suitably capable) MUAs on 587
then you don't need a CA, just don't bother with that step from [1].
As for why [1] suggests what it does, the plain truth is that many
people (including the guide's authors) don't understand X.509 keys
and certs, they just parrot what appears to work (cargo cult, but
in some cases the planes keep on landing).
--
Viktor.
P.S. If you have SASL questions start a new thread, and ask one
question at a time.
