On Fri, Feb 07, 2014 at 11:49:55PM +0000, Alan Munday wrote:
> >Assuming a suitable private key in key.pem, a self-signed cert is just
> >one command:
> >
> >    openssl req -x509 -sha1 -new -key key.pem -out newcert.pem \
> >        -subj "/CN=$(uname -n)" -days 3650
> >
> >Not difficult at all.
> >
> >Indeed, looks like you're done. The below is not self-signed, but
> >nobody cares really. No need to post-pend an issuer CA nobody
> >trusts to the chain.
>
> Does this imply that, for users like me, the "Getting started, quick
> and dirty" section of the Postfix TLS support could be further
> simplified?
Yes. I did not write that section. It always looked a bit too fancy to
me. For a complete self-signed key + cert combination:

    # cd /etc/postfix
    # tmp=$(mktemp .tmpcert.XXXXXX)
    # certfile=certkey-$(date +"%Y-%m-%d.pem")
    # umask 077
    # openssl req -new -newkey rsa:2048 -keyout /dev/stdout -nodes \
        -x509 -sha1 -subj "/CN=$(uname -n)" -days 3650 >> "$tmp" &&
      mv "$tmp" "$certfile" &&
      postconf -e \
        'smtpd_tls_cert_file = ${config_directory}/'"${certfile}" \
        'smtpd_tls_key_file = ${smtpd_tls_cert_file}'

Note, you need ">> $tmp" not "> $tmp", because on some platforms opening
/dev/stdout is surprisingly not a dup() operation and the resulting
file descriptor does not share the file offset of the original stdout.
Since the key is written to /dev/stdout and the cert to the actual
stdout, you don't want the latter to overwrite the former. Opening
with O_APPEND (>>) takes care of that.

-- 
	Viktor.
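The /dev/stdout offset caveat above is easy to reproduce without openssl. The following is an added illustration, not code from the thread or from Postfix: printf stands in for the two writes openssl makes (the key through a fresh open of /dev/stdout, the certificate through the inherited fd 1), and a small check confirms that a combined PEM file still holds both a PRIVATE KEY and a CERTIFICATE block after the command has run. The function names and the KEY1/CERT stand-in lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Emulates
# "openssl req ... -keyout /dev/stdout -x509 ... > file" vs ">> file".

# First write goes through a fresh open of /dev/stdout (like -keyout
# /dev/stdout); the second goes to the inherited fd 1 (like the cert).
emit_key_then_cert() {
    printf 'KEY1\n' > /dev/stdout
    printf 'CERT\n'
}

# Capture with ">" (O_TRUNC). On Linux, /dev/stdout is /proc/self/fd/1,
# which re-opens the target file with its own offset, so CERT lands at
# offset 0 and overwrites KEY1: the file ends up with 1 line. On
# platforms where /dev/stdout behaves like dup(1) both lines survive.
lines_with_truncate() {
    f=$(mktemp) || return 1
    emit_key_then_cert > "$f"
    n=$(wc -l < "$f" | tr -d ' ')
    rm -f "$f"
    echo "$n"
}

# Capture with ">>" (O_APPEND). Every write on the inherited fd 1 lands
# at end-of-file whatever offset the other description had, so both
# lines survive on every platform: the file ends up with 2 lines.
lines_with_append() {
    f=$(mktemp) || return 1
    emit_key_then_cert >> "$f"
    n=$(wc -l < "$f" | tr -d ' ')
    rm -f "$f"
    echo "$n"
}

# Post-condition check for the real command: the combined file must
# contain both a private key block and a certificate block. If the key
# was clobbered, only the certificate is present and this returns 1.
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Stand-alone run: report both capture modes.
echo "with > : $(lines_with_truncate) line(s)"
echo "with >>: $(lines_with_append) line(s)"
```

Running `pem_has_key_and_cert "$certfile"` after the openssl/postconf step from the post is a cheap way to catch the overwrite before Postfix is reloaded with a cert file that has no key in it.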