On Sun, Oct 28, 2012 at 12:41:16PM -0400, thorso...@lavabit.com wrote:
> Victor:
> > For a more clueful guide to the perplexed:
> >
> > http://www.postfix.org/TLS_README.html#quick-start
>
> I neither know Bash nor Perl. That's why I decided to ask about
> the commands from "CA.pl" and about this [1] guide in general.
>
> So, could you elaborate on the following? What are we actually
> doing here?
>
> $ openssl req $SSLEAY_CONFIG -new -keyout ./demoCA/private/./cakey.pem \
>     -out ./demoCA/./careq.pem
>
> AFAICT, "cakey.pem" is a private key. Is "careq.pem" a new
> certificate?
req(1) is to generate certificate requests, so "careq.pem" is a
certificate signing request a/k/a CSR.

> My "SSLEAY_CONFIG" variable is empty. Should I adjust it?

SSLEAY_CONFIG is not mentioned in the CA.pl(1) manual. Perhaps it's
deprecated, retained for backward compatibility.

> $ openssl ca $SSLEAY_CONFIG -create_serial -out ./demoCA/./cacert.pem \
>     -batch -keyfile ./demoCA/private/./cakey.pem -selfsign \
>     -extensions v3_ca -infiles ./demoCA/./careq.pem
>
> What are "create_serial" and "infiles"?

There's no mention of -create_serial in the ca(1) manual. There is
mention of -infiles, and it means what it sounds like.

    -infiles
        if present this should be the last option, all subsequent
        arguments are assumed to be the names of files containing
        certificate requests.

Ask the OpenSSL folks about -create_serial and their documentation.

> % openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365
>
> Why do we need a new private key and a new cert?

This appears to be the server's key and CSR. The previous appears to be
for the CA itself.

> % openssl ca -out foo-cert.pem -infiles foo-req.pem
>
> What private key is used by this command?

That would be defined in the "[ca]" section of your openssl config(5)
file.

> "It is generally best to not configure client certificates, unless
> there are servers which authenticate your mail submission via
> client certificates." [1]
>
> Could you explain this? What parameters are used to configure
> client certs?

http://www.postfix.org/TLS_README.html#client_tls answers the latter
question.

The former is simpler than you are making it. The fact is: most mail
servers are not concerned with TLS certificate verification. If you
don't have client certificates configured, you will not present said
certificate to a server which does not care anyway.

> I tried the following commands in a test dir:

In this directory the files mentioned were created, but ...
> $ openssl req -new -newkey rsa:2048 \
>     -keyout cakey.pem \
>     -out careq.pem
>
> $ openssl ca -create_serial -out cacert.pem \
>     -batch -keyfile cakey.pem -selfsign \
>     -extensions v3_ca -infiles careq.pem
>
> and got the following error:
>
> Using configuration from /usr/lib/ssl/openssl.cnf
> Enter pass phrase for cakey.pem:
> I am unable to access the ./demoCA/newcerts directory
> ./demoCA/newcerts: No such file or directory

... apparently there is no ./demoCA/newcerts therein.

> Why is it trying to use that config file? Should I alter it?

It's your system default openssl(1) config(5) file. Maybe you should
edit it. You certainly should look at it.

> [1] http://www.postfix.org/TLS_README.html#quick-start
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
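The whole CA-then-server flow discussed in the thread, as an added example that is not part of the original message, of CA.pl, or of the Postfix TLS_README. It assumes openssl(1) on PATH and works in a temporary directory with a private config file, so the system /usr/lib/ssl/openssl.cnf and its ./demoCA default are never consulted; the CA name, file names and the hostname mail.example.com are constructed for illustration. It creates the newcerts directory, index.txt and serial file that openssl ca(1) requires (the missing ./demoCA/newcerts is exactly what produced the error above), so it needs neither -create_serial nor a prepared demoCA directory.

```shell
#!/bin/sh
# Added example, not code from the thread, from CA.pl or from Postfix's
# TLS_README. It runs the CA -> server-certificate flow against a private
# openssl config, so the system default file is never consulted. Every path,
# name and the hostname mail.example.com is constructed for illustration.
set -eu

# Minimal config. [CA_default] is where openssl ca(1) finds the CA key it
# signs with; [v3_ca] and [server_cert] are the extension sets chosen with
# -extensions. Shell expands $ca_dir/$server_host; "\$dir" is left for openssl.
write_ca_config() {
    ca_dir=$1 ; server_host=$2
    cat > "$ca_dir/ca.cnf" <<EOF
[ ca ]
default_ca             = CA_default
[ CA_default ]
dir                    = $ca_dir
new_certs_dir          = \$dir/newcerts
database               = \$dir/index.txt
serial                 = \$dir/serial
private_key            = \$dir/private/cakey.pem
certificate            = \$dir/cacert.pem
default_md             = sha256
default_days           = 365
policy                 = policy_cn
[ policy_cn ]
commonName             = supplied
[ req ]
distinguished_name     = req_dn
[ req_dn ]
commonName             = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$server_host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# The bookkeeping openssl ca(1) insists on. "unable to access the
# ./demoCA/newcerts directory" is what happens when this layout is missing;
# CA.pl's -create_serial only covers the serial file, not the rest.
setup_ca_dir() {
    ca_dir=$1 ; server_host=$2
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"            # certificate database, starts empty
    printf '01\n' > "$ca_dir/serial"   # next serial number to issue
    write_ca_config "$ca_dir" "$server_host"
}

# The cakey.pem/careq.pem pair: CA key plus CSR, then the CSR self-signed
# with the v3_ca extensions so the result is a real CA certificate.
make_ca() {
    ca_dir=$1
    openssl req -config "$ca_dir/ca.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/careq.pem" \
        -subj "/CN=Example Test CA"
    openssl ca -config "$ca_dir/ca.cnf" -batch -selfsign -extensions v3_ca \
        -keyfile "$ca_dir/private/cakey.pem" \
        -out "$ca_dir/cacert.pem" -infiles "$ca_dir/careq.pem"
}

# The foo-key.pem/foo-req.pem pair: a separate key and CSR for the mail
# server, signed with the private_key named in [CA_default].
make_server_cert() {
    ca_dir=$1 ; out_dir=$2 ; server_host=$3
    openssl req -config "$ca_dir/ca.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$out_dir/$server_host-key.pem" \
        -out "$out_dir/$server_host-req.pem" -subj "/CN=$server_host"
    openssl ca -config "$ca_dir/ca.cnf" -batch -extensions server_cert \
        -out "$out_dir/$server_host-cert.pem" \
        -infiles "$out_dir/$server_host-req.pem"
}

# Before pointing smtpd_tls_cert_file at the result: does the server cert
# chain to the CA, and does it carry the name clients will connect to?
verify_server_cert() {   # args: ca_cert server_cert hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    setup_ca_dir "$work/demoCA" mail.example.com
    make_ca "$work/demoCA"
    make_server_cert "$work/demoCA" "$work" mail.example.com
    if verify_server_cert "$work/demoCA/cacert.pem" \
            "$work/mail.example.com-cert.pem" mail.example.com; then
        echo "server certificate chains to the CA and names mail.example.com"
    else
        echo "verification failed" >&2 ; exit 1
    fi
    openssl x509 -in "$work/mail.example.com-cert.pem" -noout -subject -issuer
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

The serial file advances by one per signature, so after the CA certificate and one server certificate it reads 03; the same config file serves both openssl req and openssl ca, which is why the [req] section is present even though every subject here is supplied with -subj.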