On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote:

> I am looking at a number of tutorials for setup. I have found two
> different commands and looking for guidance:
>
> genkey --days 3650 mail.example.com
>
> or
>
> openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048
> -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

    http://archives.neohapsis.com/archives/postfix/2012-11/0476.html

    $ tmp=$(mktemp smtpd.pem.XXXXXX)
    $ openssl req -new -x509 -newkey rsa:1280 -nodes -keyout /dev/stdout \
        -days $((356 * 10)) -subj "/CN=$(uname -n)" >> "$tmp"
    $ mv "$tmp" smtpd.pem

Everything other than "CN" in the subject DN is a waste of bits.

The "mktemp" command generates a file with sensible permissions for
key material, otherwise you need to mess with umasks, since OpenSSL
makes no effort to prevent files with keys being world readable.

-- 
Viktor.
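
The permission point made in the reply above, as an added example that is not part of the original post: it contrasts a file created by plain redirection under umask 022 with one created through the mktemp-then-mv pattern, and checks each for group/other access. The function names are hypothetical and the echoed text is a constructed placeholder standing in for the openssl output.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Succeed only if FILE grants nothing to group or other.
key_file_private() {
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# What a plain "-keyout FILE" or "> FILE" gives you: mode 0666 masked
# by the umask, i.e. world-readable 0644 under the common umask 022.
create_plain() {
    ( umask 022; : > "$1" )
}

# The post's pattern: mktemp creates the file 0600 whatever the umask,
# data is appended to it, and mv renames it into place (mode is kept).
write_private() {
    dest=$1
    tmp=$(umask 022; mktemp "$dest.XXXXXX") || return 1
    cat >> "$tmp" && mv "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}

# Constructed demo in a scratch directory; the echo stands in for the
# "openssl req ... -keyout /dev/stdout" output shown in the post.
demo() {
    dir=$(mktemp -d) || return 1
    create_plain "$dir/plain.key"
    echo "constructed placeholder, not a real key" | write_private "$dir/smtpd.pem"
    for f in "$dir/plain.key" "$dir/smtpd.pem"; do
        if key_file_private "$f"; then echo "private:  $f"
        else echo "exposed:  $f"; fi
    done
    rm -rf "$dir"
}
demo
```

key_file_private can be pointed at an existing smtpd.key or smtpd.pem to audit files produced by the other commands quoted in the thread.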