> For a more clueful guide to the perplexed:
> http://www.postfix.org/TLS_README.html#quick-start
I know neither Bash nor Perl. That's why I decided to ask about the commands from "CA.pl" and about this [1] guide in general. So, could you elaborate on the following? What are we actually doing here?

  $ openssl req $SSLEAY_CONFIG -new -keyout ./demoCA/private/./cakey.pem \
  > -out ./demoCA/./careq.pem

AFAICT, "cakey.pem" is a private key. Is "careq.pem" a new certificate? My "SSLEAY_CONFIG" variable is empty. Should I adjust it?

  $ openssl ca $SSLEAY_CONFIG -create_serial -out ./demoCA/./cacert.pem \
  > -batch -keyfile ./demoCA/private/./cakey.pem -selfsign \
  > -extensions v3_ca -infiles ./demoCA/./careq.pem

What are "create_serial" and "infiles"?

  % openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365

Why do we need a new private key and a new cert?

  % openssl ca -out foo-cert.pem -infiles foo-req.pem

What private key is used by this command?

"It is generally best to not configure client certificates, unless there are servers which authenticate your mail submission via client certificates." [1]

Could you explain this? What parameters are used to configure client certs?

I tried the following commands in a test dir:

  $ openssl req -new -newkey rsa:2048 \
      -keyout cakey.pem \
      -out careq.pem
  $ openssl ca -create_serial -out cacert.pem \
      -batch -keyfile cakey.pem -selfsign \
      -extensions v3_ca -infiles careq.pem

and got the following error:

  Using configuration from /usr/lib/ssl/openssl.cnf
  Enter pass phrase for cakey.pem:
  I am unable to access the ./demoCA/newcerts directory
  ./demoCA/newcerts: No such file or directory

Why is it trying to use that config file? Should I alter it?

[1] http://www.postfix.org/TLS_README.html#quick-start
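The CA.pl steps asked about in the post above, as an added worked example (editor's script, not code from the post, from CA.pl or from the Postfix TLS_README). It ships its own config file, so it does not depend on the compiled-in default (/usr/lib/ssl/openssl.cnf on Debian) that openssl falls back to when SSLEAY_CONFIG is empty. The config section names (test_ca, policy_cn_only, server_cert), the directory layout, the hostname and the unencrypted -nodes CA key are assumptions suitable only for a throwaway test CA. The script creates the newcerts directory and index.txt that the quoted error was missing, generates the CA key together with careq.pem (a certificate request, not a certificate), self-signs that request into cacert.pem, then issues a server certificate for a separate server key, with the CA key taken from the private_key line of the config. It configures no client certificate, in line with the README advice quoted above.

```shell
#!/bin/sh
# Added example, not code from the post, CA.pl or the Postfix README: the
# CA.pl -newca / -newreq / -sign steps as one self-contained script with its
# own config, so nothing depends on /usr/lib/ssl/openssl.cnf or SSLEAY_CONFIG.
# Section names (test_ca, policy_cn_only, server_cert), the directory layout
# and the hostname are my own choices. -nodes (unencrypted CA key) is only
# acceptable because this is a throwaway test CA.
set -eu

# Minimal config. "certificate" and "private_key" are what "openssl ca" signs
# with when no -cert/-keyfile is given; "new_certs_dir" must already exist.
write_ca_config() {
    cadir=$1; host=$2
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca     = test_ca
[ test_ca ]
dir            = $cadir
new_certs_dir  = $cadir/newcerts
database       = $cadir/index.txt
serial         = $cadir/serial
certificate    = $cadir/cacert.pem
private_key    = $cadir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_cn_only
email_in_dn    = no
unique_subject = no
# Subject fields not listed in the policy are dropped from issued certs.
[ policy_cn_only ]
commonName     = supplied
[ req ]
distinguished_name = req_dn
prompt         = no
[ req_dn ]
CN             = placeholder
# Root CA extensions (selected with -extensions v3_ca).
[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
# End-entity TLS server extensions. The SAN is fixed here instead of copied
# from the CSR, so a requester cannot ask for CA:true or extra names.
[ server_cert ]
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host
EOF
}

# Build a root CA under $1, issue a server cert for hostname $2 and print
# the "openssl verify" result for the issued cert.
build_test_ca() {
    cadir=$(mkdir -p "$1" && cd "$1" && pwd)
    host=$2
    cfg=$cadir/openssl.cnf
    # Same layout CA.pl -newca creates; a missing newcerts/ is what caused
    # "I am unable to access the ./demoCA/newcerts directory".
    mkdir -p "$cadir/private" "$cadir/newcerts"
    chmod 700 "$cadir/private"
    : > "$cadir/index.txt"
    write_ca_config "$cadir" "$host"

    # 1. CA key plus a certificate *request* (careq.pem is a CSR, not a cert).
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
        -keyout "$cadir/private/cakey.pem" -out "$cadir/careq.pem" \
        -subj "/CN=Test Root CA"
    # 2. Self-sign that request. -create_serial writes a random serial file;
    #    -infiles takes the remaining arguments as request files.
    openssl ca -config "$cfg" -batch -notext -create_serial -selfsign \
        -keyfile "$cadir/private/cakey.pem" -extensions v3_ca -days 3650 \
        -out "$cadir/cacert.pem" -infiles "$cadir/careq.pem"
    # 3. A separate key and request for the mail server: the CA key never
    #    leaves the CA, the server gets its own key.
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
        -keyout "$cadir/$host-key.pem" -out "$cadir/$host-req.pem" \
        -subj "/CN=$host"
    # 4. Issue the server cert. No -keyfile: the CA key comes from private_key
    #    in the config. A copy named <serial>.pem lands in newcerts/.
    openssl ca -config "$cfg" -batch -notext -extensions server_cert \
        -days 365 -out "$cadir/$host-cert.pem" -infiles "$cadir/$host-req.pem"
    # Check the result the way a TLS client would.
    openssl verify -CAfile "$cadir/cacert.pem" "$cadir/$host-cert.pem"
}

# True if the certificate in $1 carries the CA:TRUE basic constraint.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

Source the file and call `build_test_ca ./testca mail.example.test`; the last line printed is the verify result for the issued server certificate. The server-side extensions deliberately live in the CA's config rather than being copied from the CSR, which is the safer default for a CA that signs requests from other people's machines.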