On 01.02.2015 at 23:15, Viktor Dukhovni wrote:
> On Sun, Feb 01, 2015 at 10:32:53PM +0100, li...@rhsoft.net wrote:
>> just make it once in your lifetime, create a template for default params and
>> a script with minimal maintenance like for hash-method and keylength - the
>> script below in any case builds a self signed PEM with key and cert as well
>> as the CSR for submit to a CA
>
> For MX hosts there is no reason to bother with public CAs, even
> when the CA certs are free. Just set the expiration date a few
> centuries into the future, and replace the cert when you feel the
> key has been around long enough, rather than based on a pre-set
> deadline.
>
> For MSAs offering service to Joe Public, sure you'll want a CA-issued
> cert.

i only referred to "the interval between expiry is long enough that I
get to learn everything over from first principles every time I have to
replace a cert"