On Sun, Feb 01, 2015 at 10:32:53PM +0100, li...@rhsoft.net wrote:

> just make it once in your lifetime, create a template for default params and
> a script with minimal maintenance like for hash-method and keylength - the
> script below in any case builds a self signed PEM with key and cert as well
> as the CSR for submit to a CA

For MX hosts there is no reason to bother with public CAs, even when the CA certs are free. Just set the expiration date a few centuries into the future, and replace the cert when you feel the key has been around long enough, rather than based on a pre-set deadline. For MSAs offering service to Joe Public, sure you'll want a CA-issued cert.

--
Viktor.
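
As an added example that is not part of either message above: a shell sketch of the approach discussed, producing a key, a long-lived self-signed certificate and a CSR from the same key, then checking that the certificate matches the key. The function names, file layout, RSA 2048 / SHA-256 choice and the host name used when calling it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: long-lived self-signed certificate for an MX host.
# make_mx_cert, is_self_signed and the file names are hypothetical.

# make_mx_cert HOST DAYS OUTDIR
# Writes OUTDIR/HOST.key, HOST.crt (self-signed) and HOST.csr, then prints
# the certificate's notAfter line. Returns non-zero on any failure.
make_mx_cert() {
    host=$1 days=$2 dir=$3
    key="$dir/$host.key" crt="$dir/$host.crt" csr="$dir/$host.csr"

    # Create the private key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1

    # Self-signed certificate; validity comes from DAYS, not a CA's policy.
    openssl req -new -x509 -key "$key" -sha256 -days "$days" \
        -subj "/CN=$host" -out "$crt" || return 1

    # CSR from the same key, for the case where a CA-issued cert is wanted.
    openssl req -new -key "$key" -sha256 -subj "/CN=$host" \
        -out "$csr" || return 1

    # Sanity check: certificate and key must carry the same public key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1

    openssl x509 -in "$crt" -noout -enddate
}

# is_self_signed CERT: succeeds when subject and issuer are identical.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}
```

Calling `make_mx_cert mx.example.test 109500 /some/dir` gives roughly 300 years of validity; replacing the certificate later is then a matter of rerunning the function when the key is retired.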