Patrick,
Finished doing what you are starting awhile back.
You do have to use -nodes for the CA portion.
Here is a link I found helpful:
http://www.pki-page.org/
After you look at a few, you will discovery that darned near
every certificate out there has some defect. That does not
mean they are broken, just that they are defective.
You might also need to know about the serial numbers.
They are important if you set up the CA correctly.
Downside is that there is still disagreement about a revocation
server and sometimes method. Most all certificate stores use
certificates that have expired. ( I found over 10 expired certificates
upon a new Win XP install. Odd thing about expired certificates,
they still work. Well, not always, let's say mostly.)
One thing I did do on purpose. I made postix use mbox format,
ran a symbolic link between /var/spool/mail/username and the users
home directory. Set up the mailbox file in the users directory, and
one really needs to watch the permissions here.
What this allowed to happen was each user had a disk quota set.
Their email store was in their home directory. mbox format allowed
pine, squirrelmail, pop, and imap to access that file, and their disk
quota kept it honest.
I wanted to use the dir format but it was just not compatible with
everything I wished to accomplish without extra work, or mail handlers.
Pop and imap are limited access to the local domain and localhost,
respectively.
Interesting part is it all works fine. Since there are links it
isn't as fast
as some other setups. I think some of the advantages are good. Only
standard configuration is necessary for most of the servers. (The user
creation needs some tweeking since the username mailbox has to be
replaced with a link in /var/spool/mail, and a mailbox file must be
created
in the user's home directory with special permissions. But that's
about it.)
I did create two certificates. One was the CA certificate, and
the one below
that, which is served by the mail system, and squirrelmail (aka
apache) is
a wildcard certificate. The reason for wildcarding is that I wanted
to have
several aliases for a single ip. Unfortunately, there is no nice way
to do that
since which certificate is used to validate the system name being used
(for instance, webmail.this.domain versus popmail.this domain with
the same ip)
unless multiple ip's are used. (of course virtual names come to mind
as well, but
not for this one at this time).
You probably already know about CA.pl to generate the certificate
authority.
It works if it's tweeked a bit for your use. It at least makes it
easier to generate
the certificates and the revocation file, and keep track of the
serial numbers as
a demonstration of what's needed. Unless you are getting into the
certificate
market, it's good for small usage.
Good luck with your plans. It does work well together. port 587
is better than
the one that some documents use for secure smtp. (Cisco uses that one.)
If you have specific questions, I might be able to help, if I have
some experience
there.
Ed Beranek
Patrick wrote:
On Tue, 2006-01-03 at 14:57 +0100, Alexander Dalloz wrote:
Am Di, den 03.01.2006 schrieb Ingo Jochim um 11:05:
How can I create a SSL certificate via script full automated?
Thank you for your help.
Ingo
You may do it like some (those which ship with a certificate) of the
Fedora RPMs do during rpmbuild. Following is taken from the OpenLDAP
.spec:
pushd %{_sysconfdir}/pki/tls/certs
umask 077
cat << EOF | make slapd.pem
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
localhost.localdomain
root@xxxxxxxxxxxxxxxxxxxxx
EOF
chown root:ldap slapd.pem
chmod 640 slapd.pem
popd
That's the easy part :) Over the holidays I had a go at Kyle Dent's
Postfix book and fiddled with setting up Postfix with SMTP AUTH (smtp
and smtpd) and TLS which obviously needed CA, server and client
private
and public certificates and CSRs. Quite challenging. And then there
was
Evolution's seemlingly stubborn refusal to do something with those
certificates that made sense to me. It would be very nice if the CA
scripts in /etc/pki/tls/misc/ got a little TLC from those in the
know or
perhaps even a system-config-certificates. There's a discrepancy
between
the CA scripts and the info in the Postfix book and info on the Net:
both mention that you have to use "-nodes" with the openssl
command. Yet
the CA scripts don't use that parameter. And the CA scripts use the
-x509 parameter while the info in the Postfix book and info on the Net
don't use it. This doesn't make it any easier so I would welcome and
appreciate any progress.
Regards,
Patrick
