On Fri, Jan 04, 2013 at 12:30:50PM -0500, Robert Moskowitz wrote:
> >There is nothing wrong with "CA:true" in a self-signed SSL certificate.
>
> By some definitions of 'wrong' :)
>
> You may not have attended the same sort of PKI policy meetings that
> I lived through! But since this is in larg
On 01/04/2013 11:38 AM, Viktor Dukhovni wrote:
On Fri, Jan 04, 2013 at 12:57:00AM -0500, Robert Moskowitz wrote:
I was noticing an error in /var/log/httpd/ssl_error_log about the
cert having basicConstraints: CA=TRUE
If some HTTP server does not like self-signed SSL certs with CA=TRUE,
that'
On Fri, Jan 04, 2013 at 12:57:00AM -0500, Robert Moskowitz wrote:
> >>I was noticing an error in /var/log/httpd/ssl_error_log about the
> >>cert having basicConstraints: CA=TRUE
> >
> >If some HTTP server does not like self-signed SSL certs with CA=TRUE,
> >that's its own problem. Postfix will no
On 01/03/2013 10:10 PM, Viktor Dukhovni wrote:
On Thu, Jan 03, 2013 at 11:05:42AM -0500, Robert Moskowitz wrote:
An update on creating self-signed certs.
On 12/20/2012 09:32 AM, Viktor Dukhovni wrote:
On Thu, Dec 20, 2012 at 02:15:35PM +, Viktor Dukhovni wrote:
People who want a more c
On Thu, Jan 03, 2013 at 11:05:42AM -0500, Robert Moskowitz wrote:
> An update on creating self-signed certs.
>
> On 12/20/2012 09:32 AM, Viktor Dukhovni wrote:
> >On Thu, Dec 20, 2012 at 02:15:35PM +, Viktor Dukhovni wrote:
> >
> >>People who want a more compact recipe for a self-signed cert
An update on creating self-signed certs.
On 12/20/2012 09:32 AM, Viktor Dukhovni wrote:
On Thu, Dec 20, 2012 at 02:15:35PM +, Viktor Dukhovni wrote:
People who want a more compact recipe for a self-signed cert on
a single SMTP server can use my "one-liner" (for machines whose
hostname is a
On 12/21/2012 07:29 AM, Jerry wrote:
On Fri, 21 Dec 2012 07:03:29 -0500 (EST)
Wietse Venema articulated:
Robert Moskowitz:
I was thinking about this, and what assurance does your CA provide
for the names in the certs it signs?
It provides assurance that the certificate was signed by your CA.
On Fri, 21 Dec 2012 07:03:29 -0500 (EST)
Wietse Venema articulated:
> Robert Moskowitz:
> > I was thinking about this, and what assurance does your CA provide
> > for the names in the certs it signs?
>
> It provides assurance that the certificate was signed by your CA.
> That is all. The rest is
Robert Moskowitz:
> I was thinking about this, and what assurance does your CA provide for
> the names in the certs it signs?
It provides assurance that the certificate was signed by your CA.
That is all. The rest is just a lot of wishful thinking that keeps
techno-parasites in business.
On 12/20/2012 08:29 PM, Wietse Venema wrote:
Robert Moskowitz:
With the "-nodes" option in most cases:
$ tmp=$(mktemp smtpd.pem.XX) &&
openssl req -new \
-newkey rsa:1280 -nodes -keyout /dev/stdout \
-x509 -days $((365 * 10)) -subj "/CN=$(uname -
Oh, and thank you for answering my questions, helping me work through
understanding this small portion of the problem space, and adding the
lessons I am taking away from the exchanges to the documentation.
On 12/20/2012 10:30 AM, Viktor Dukhovni wrote:
On Thu, Dec 20, 2012 at 10:02:19AM -0500,
On 12/20/2012 10:30 AM, Viktor Dukhovni wrote:
On Thu, Dec 20, 2012 at 10:02:19AM -0500, Wietse Venema wrote:
Viktor Dukhovni:
People who want a more compact recipe for a self-signed cert on
a single SMTP server can use my "one-liner" (for machines whose
hostname is an FQDN):
...
With the "
Robert Moskowitz:
> > With the "-nodes" option in most cases:
> >
> > $ tmp=$(mktemp smtpd.pem.XX) &&
> > openssl req -new \
> > -newkey rsa:1280 -nodes -keyout /dev/stdout \
> > -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
> >
On 12/20/2012 10:02 AM, Wietse Venema wrote:
Viktor Dukhovni:
People who want a more compact recipe for a self-signed cert on
a single SMTP server can use my "one-liner" (for machines whose
hostname is an FQDN):
...
With the "-nodes" option in most cases:
$ tmp=$(mktemp smtpd.pem.XX
On 12/20/2012 09:32 AM, Viktor Dukhovni wrote:
On Thu, Dec 20, 2012 at 02:15:35PM +, Viktor Dukhovni wrote:
People who want a more compact recipe for a self-signed cert on
a single SMTP server can use my "one-liner" (for machines whose
hostname is an FQDN):
$ tmp=$(mktemp smtpd.pem.X
On 12/20/2012 10:30 AM, Viktor Dukhovni wrote:
We could follow the herd and recommend 2048 bits, since SMTP servers
rarely do enough RSA-ops for RSA performance to be a bottleneck. On
the other hand, for people wielding self-signed certs almost certainly
1024 is plenty strong at 2^80, and 1280
On Thu, Dec 20, 2012 at 10:02:19AM -0500, Wietse Venema wrote:
> Viktor Dukhovni:
> > > People who want a more compact recipe for a self-signed cert on
> > > a single SMTP server can use my "one-liner" (for machines whose
> > > hostname is an FQDN):
> ...
> > With the "-nodes" option in most cases
Viktor Dukhovni:
> > People who want a more compact recipe for a self-signed cert on
> > a single SMTP server can use my "one-liner" (for machines whose
> > hostname is an FQDN):
...
> With the "-nodes" option in most cases:
>
> $ tmp=$(mktemp smtpd.pem.XX) &&
> openssl req -new \
On Thu, Dec 20, 2012 at 02:15:35PM +, Viktor Dukhovni wrote:
> People who want a more compact recipe for a self-signed cert on
> a single SMTP server can use my "one-liner" (for machines whose
> hostname is an FQDN):
>
> $ tmp=$(mktemp smtpd.pem.XX) &&
> openssl req -new \
>
On Thu, Dec 20, 2012 at 08:40:42AM -0500, Robert Moskowitz wrote:
> That is the only place in the documentation where I have found
> openssl command examples. Are there other place(s) that I have
> missed?
What would you like to see in the documentation? Instructions for
creating a self-signed s
On 12/20/2012 08:08 AM, /dev/rob0 wrote:
BTW Reply-To: is set, and the offlist Cc: is not necessary.
On Wed, Dec 19, 2012 at 07:40:10PM -0500, Robert Moskowitz wrote:
On 12/19/2012 06:31 PM, /dev/rob0 wrote:
On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote:
I am looking at a
BTW Reply-To: is set, and the offlist Cc: is not necessary.
On Wed, Dec 19, 2012 at 07:40:10PM -0500, Robert Moskowitz wrote:
> On 12/19/2012 06:31 PM, /dev/rob0 wrote:
> >On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote:
> >>I am looking at a number of tutorials for setup.
> >This
On 12/19/2012 11:58 PM, John Hinton wrote:
On 12/19/2012 6:40 PM, Reindl Harald wrote:
[root@buildserver:~]$ cat /buildserver/ssl-cert/openssl.conf.template
[ req ]
prompt = yes
default_bits= 1024
I have heard some reports that browsers such as Chro
On 12/19/2012 06:31 PM, /dev/rob0 wrote:
On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote:
I am looking at a number of tutorials for setup.
This is a formula for failure. :) Stick to the documentation.
http://www.postfix.org/documentation.html
I asked some questions over on
On Wed, 19 Dec 2012 23:58:49 -0500
John Hinton articulated:
> I have heard some reports that browsers such as Chrome and MSIE balk
> at 1024 bit certs and that one should use 2048. I wonder if this is
> now a good idea when generating mailserver certs as well? Try to be
> more future proof? Or am
On 12/19/2012 6:40 PM, Reindl Harald wrote:
On 20.12.2012 00:31, /dev/rob0 wrote:
We don't know what you want. What is this certificate to be used for?
Do you want a self-signed certificate, or to run your own CA, or to
submit your CSR to an external CA?
there is no difference between self-
On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote:
> I am looking at a number of tutorials for setup. I have found two
> different commands and looking for guidance:
>
> genkey --days 3650 mail.example.com
>
> or
>
> openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048
On 12/19/2012 06:40 PM, Reindl Harald wrote:
On 20.12.2012 00:31, /dev/rob0 wrote:
We don't know what you want. What is this certificate to be used for?
Do you want a self-signed certificate, or to run your own CA, or to
submit your CSR to an external CA?
there is no difference between sel
On 12/19/2012 06:31 PM, /dev/rob0 wrote:
On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote:
I am looking at a number of tutorials for setup.
This is a formula for failure. :) Stick to the documentation.
http://www.postfix.org/documentation.html
I looked there again, and did n
On 20.12.2012 00:31, /dev/rob0 wrote:
> We don't know what you want. What is this certificate to be used for?
> Do you want a self-signed certificate, or to run your own CA, or to
> submit your CSR to an external CA?
there is no difference between self-signed and submitting to an external CA
the s
On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote:
> I am looking at a number of tutorials for setup.
This is a formula for failure. :) Stick to the documentation.
http://www.postfix.org/documentation.html
> I have found two different commands and looking for guidance:
>
> genkey