Loading ...
Sorry, an error occurred while loading the content.

generating the TLS cert

Expand Messages
  • Robert Moskowitz
    I am looking at a number of tutorials for setup. I have found two different commands and looking for guidance: genkey --days 3650 mail.example.com or openssl
    Message 1 of 34 , Dec 19, 2012
    • 0 Attachment
      I am looking at a number of tutorials for setup. I have found two
      different commands and looking for guidance:

      genkey --days 3650 mail.example.com

      or

      openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes
      -keyout smtpd.key -keyform PEM -days 365 -x509

      Now I actually know a LOT about X.509, having worked on PKIX in IETF.
      But I am theory, not practice. I want control over CN content and the
      tutorial with the later shows what I want.
    • Viktor Dukhovni
      ... What meetings you happened to attend is of no consequence. ... It is usr_cert , not user_cert . The difference in the resulting extensions is: v3_req:
      Message 34 of 34 , Jan 4, 2013
      • 0 Attachment
        On Fri, Jan 04, 2013 at 12:30:50PM -0500, Robert Moskowitz wrote:

        > >There is nothing wrong with "CA:true" in a self-signed SSL certificate.
        >
        > By some definitions of 'wrong' :)
        >
        > You may not have attended the same sort of PKI policy meetings that
        > I lived through! But since this is in large measure a policy issue,
        > we will leave it there.

        What meetings you happened to attend is of no consequence.

        > I will test with user_cert over v3_req that I learned about over on
        > the OpenSSL list. See how they compare.

        It is "usr_cert", not "user_cert". The difference in the resulting
        extensions is:

        v3_req:
        X509v3 Basic Constraints:
        CA:FALSE
        X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment

        usr_cert:
        X509v3 Basic Constraints:
        CA:FALSE
        Netscape Comment:
        OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
        AD:3C:28:E3:E5:B5:F3:0A:5C:63:AB:08:15:4E:1C:42:A3:D5:83:E6
        X509v3 Authority Key Identifier:
        keyid:AD:3C:28:E3:E5:B5:F3:0A:5C:63:AB:08:15:4E:1C:42:A3:D5:83:E6

        default (v3_ca):
        X509v3 Subject Key Identifier:
        EC:1C:FE:EE:26:9E:09:44:8C:75:5C:F7:1E:38:32:4A:FA:93:FA:E6
        X509v3 Authority Key Identifier:
        keyid:EC:1C:FE:EE:26:9E:09:44:8C:75:5C:F7:1E:38:32:4A:FA:93:FA:E6
        X509v3 Basic Constraints:
        CA:TRUE

        Perhaps of the three "v3_req" is the closest to a sensible set of
        extensions for an endpoint certificate.

        --
        Viktor.
      Your message has been successfully submitted and would be delivered to recipients shortly.