AbcLinuxu portal, 8 November 2025 19:30
The certificate chain was processed, but it terminated in a root certificate that is not trusted by the trust provider.
Can you advise me how? In what format should I import the certificate into Outlook?
openssl x509 -in cacert.pem -out cacert.der -outform DER
I import cacert.der through IE into the Trusted Root Certification Authorities store, which does not help either; I get the message:
A certificate that can only be used as an end entity is being used as a CA, or vice versa.
Please, does anyone have experience with how to get that certificate in there?
cd /etc/pki/tls/misc
./CA -newca
A directory structure is created for me in /etc/pki/CA, where I have cacert.pem.
openssl x509 -in cacert.pem -out cacert.crt
and I copied that one to Windows and installed it. And again the message:
A certificate that can only be used as an end entity is being used as a CA, or vice versa.
So I deleted it from Windows and tried what they write further on: server certificate (FOO-cert.pem) + server private key (FOO-key.pem)
openssl x509 -text -in cacert.pem?
host -t mx pokus.sk
pokus.sk mail is handled by 0 mail.pokus.sk.
Creating the CA:
[root@mail misc]# cd /etc/pki/tls/misc/
[root@mail misc]# ./CA -newca
mkdir: cannot create directory `../../CA': File exists
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:SK
State or Province Name (full name) [Berkshire]:SlovakRepublic
Locality Name (eg, city) [Newbury]:Mesto
Organization Name (eg, company) [My Company Ltd]:Firma
Organizational Unit Name (eg, section) []:CertifikacnaAutorita
Common Name (eg, your name or your server's hostname) []:mail.pokus.sk
Email Address []:postmaster@pokus.sk
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Aug 20 07:07:44 2007 GMT
Not After : Aug 19 07:07:44 2010 GMT
Subject:
countryName = SK
stateOrProvinceName = SlovakRepublic
organizationName = Firma
organizationalUnitName = CertifikacnaAutorita
commonName = mail.pokus.sk
emailAddress = postmaster@pokus.sk
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
70:16:12:BB:01:4A:35:BD:3F:0E:FD:DB:46:5A:8E:DA:D2:B7:85:2E
X509v3 Authority Key Identifier:
keyid:70:16:12:BB:01:4A:35:BD:3F:0E:FD:DB:46:5A:8E:DA:D2:B7:85:2E
Certificate is to be certified until Aug 19 07:07:44 2010 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@mail misc]#
Creating the server certificate:
[root@mail misc]# openssl req -new -nodes -keyout FOO-key.pem -out FOO-req.pem -days 365
Generating a 1024 bit RSA private key
...........++++++
...........................................++++++
writing new private key to 'FOO-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:SK
State or Province Name (full name) [Berkshire]:SlovakRepublic
Locality Name (eg, city) [Newbury]:Mesto
Organization Name (eg, company) [My Company Ltd]:Firma
Organizational Unit Name (eg, section) []:serverovyCertifikat
Common Name (eg, your name or your server's hostname) []:mail.pokus.sk
Email Address []:postmaster@pokus.sk
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mail misc]#
Signing by the CA:
[root@mail misc]# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 20 07:09:52 2007 GMT
Not After : Aug 19 07:09:52 2008 GMT
Subject:
countryName = SK
stateOrProvinceName = SlovakRepublic
organizationName = Firma
organizationalUnitName = serverovyCertifikat
commonName = mail.pokus.sk
emailAddress = postmaster@pokus.sk
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7D:04:53:AD:5F:D5:8C:B8:54:7C:26:9F:1A:33:DD:5C:28:F4:56:89
X509v3 Authority Key Identifier:
keyid:70:16:12:BB:01:4A:35:BD:3F:0E:FD:DB:46:5A:8E:DA:D2:B7:85:2E
Certificate is to be certified until Aug 19 07:09:52 2008 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail misc]#
/etc/postfix/main.cf:
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/certs/FOO-key.pem
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
Conversion to DER:
openssl x509 -in cacert.pem -out cacert.der -outform DER
and import of cacert.der into Windows, and Outlook reports:
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
Either the CA.pl script is passing strange parameters, or you have something wrong in /etc/pki/tls/openssl.cnf. Have a look, for example, at the OpenSSL tutorial on Root; it describes well how to set up OpenSSL and how to generate a certificate.
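The ./CA -newca output earlier in the thread lists "X509v3 Basic Constraints: CA:FALSE" for the CA certificate itself, which is the condition Windows reports as an end-entity certificate being used as a CA. As an added example (not part of the thread or of any poster's configuration), the script below builds one self-signed certificate with CA:FALSE and one with CA:TRUE, then checks basicConstraints before converting a root to DER for import. The config contents, subject, file names and function names are constructed for illustration.

```shell
# Added example; config, subject and temp paths are constructed, not from the thread.

# Minimal OpenSSL config with a CA profile and an end-entity profile.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = SK
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[usr_cert]
basicConstraints = CA:FALSE
EOF
}

# make_selfsigned DIR NAME SECTION: self-signed cert using extension SECTION.
make_selfsigned() {
    write_cnf "$1/openssl.cnf" &&
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 \
        -config "$1/openssl.cnf" -extensions "$3" \
        -keyout "$1/$2-key.pem" -out "$1/$2.pem" 2>/dev/null
}

# is_ca_cert FILE: succeeds only when basicConstraints says CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# export_root_der PEM DER: convert for import only if PEM really is a CA cert.
export_root_der() {
    is_ca_cert "$1" || { echo "refusing $1: basicConstraints is not CA:TRUE" >&2; return 1; }
    openssl x509 -in "$1" -out "$2" -outform DER
}

demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" bad usr_cert && make_selfsigned "$d" good v3_ca || return 1
    export_root_der "$d/bad.pem" "$d/bad.der"; echo "bad: exit $?"
    export_root_der "$d/good.pem" "$d/good.der"; echo "good: exit $?"
    rm -rf "$d"
}
demo
```

Running is_ca_cert against an existing cacert.pem before import shows whether the openssl.cnf section used for the self-signed CA needs basicConstraints = CA:TRUE.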
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.