comp.mail.sendmail: Configuring and using the BSD sendmail agent.
#1
Hi,
Firstly, I was wondering are the dates for this newsgroup's posts dated in 2005 or 2006?

Secondly, the mail server's certificate had expired. Now I'm trying to generate a new one; but I have forgotten how exactly I should create one. I surf'd the net and came across the following commands:

(make a new certificate)

    openssl req -nodes -new -x509 -keyout newreq.pem \
        -out newreq.pem -days 365 \
        -config ./openssl.cnf

(sign)

    openssl x509 -x509toreq -in newreq.pem \
        -signkey newreq.pem -out tmp.pem
    openssl ca -config ./openssl.cnf \
        -policy policy_anything \
        -out newcert.pem -infiles tmp.pem

Then I stick the newcert.pem into the certificate file path. But what about the Key file? When I generated it, no key file was made or am I mistaken?

Any help appreciated

Edmund
#2
Never mind about my question about the date issue.
I thought my newsreader grabbed the latest news, but in actual fact it didn't. :I

As for the second, I think the method of creating a new certificate (which I forgot to credit: Mr. Shapiro) was not complete or at least it was but isn't applicable for sendmail usage.

Mr. Shapiro's link:
http://www.sendmail.org/~ca/email/other/cagreg.html

Big Negrow's 20th June 2006 post had a link that looked correct. (In the midst of executing the commands.)

Big Negrow's link:
http://www.reject.org/pr0ject/freebs...ndmail-tls.txt

Can someone clarify why there's a slight difference?

Thanks
Edmund
#3
In article <45053984$1@127.0.0.1> Edmund <ed@kdtc.net> writes:
>As for the second, I think the method of creating
>a new certificate (which I forgot to credit:
>Mr. Shapiro) was not complete or at least it
>was but isn't applicable for sendmail usage.

It works fine for sendmail, in fact I expect it was written up specifically for sendmail (not that it would be significantly different for e.g. a web server).

>Mr. Shapiro's link:
>http://www.sendmail.org/~ca/email/other/cagreg.html
>
>Big Negrow's 20th June 2006 post had a link
>that looked correct. (In the midst of
>executing the commands.)
>
>Big Negrow's link:
>http://www.reject.org/pr0ject/freebs...ndmail-tls.txt
>
>Can someone clarify why there's a slight difference?

Personal taste? The order in which they happened to try things until they found something that worked? Shortcomings of the OpenSSL documentation? There are lots of variations all of which work, in fact Claus' STARTTLS page has links to two others besides Greg's (personally I found Greg's to be the most straightforward of those though).

But anyway, regarding your problem finding the private key, read the text:

"(certificate and private key in file newreq.pem)"

I.e. you'll have to extract the key into its own file by means of an editor or equivalent - though it may well work to specify the cert+key file for both confSERVER_CERT and confSERVER_KEY, I haven't tried it. If you read the OpenSSL documentation for the 'req' command, you'll find that it will generate the key if you don't provide one, i.e. it will run the 'genrsa' command for you.

--Per Hedeland
per@hedeland.org
#4
In article <ee4jth$30n$1@hedeland.org> per@hedeland.org (Per Hedeland) writes:
>"(certificate and private key in file newreq.pem)"
>
>I.e. you'll have to extract the key into its own file by means of an
>editor or equivalent - though it may well work to specify the cert+key
>file for both confSERVER_CERT and confSERVER_KEY, I haven't tried it.

Ooops, scratch that, newreq.pem has the *unsigned* certificate so can't be used for confSERVER_CERT AFAIK, what I should have said was that it may well work to use newreq.pem as-is for confSERVER_KEY (I haven't tried that either though:-).

--Per Hedeland
per@hedeland.org
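
An added example, not written by anyone in this thread: a shell version of the "extract the key into its own file" step, which copies the private-key block out of newreq.pem and checks that it belongs to the signed newcert.pem. The function names, the script name splitkey.sh and the output name key.pem are assumptions; it needs awk and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread. File names follow the posts
# (newreq.pem, newcert.pem); key.pem and the function names are assumptions.

# extract_key COMBINED KEY_OUT
# Copy only the private-key block(s) out of a PEM file that also holds a
# certificate. Matches "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", ...
# Runs in a subshell so the umask change does not leak to the caller.
extract_key() (
    umask 077                       # new key file is owner-only from creation
    awk '/^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$/ { inkey = 1 }
         inkey { print }
         /^-----END ([A-Z]+ )?PRIVATE KEY-----$/   { inkey = 0 }' "$1" > "$2" || exit 1
    chmod 600 "$2"                  # tighten a pre-existing file as well
    [ -s "$2" ]                     # fail if no key block was found
)

# key_matches_cert KEY CERT
# Succeed only if the certificate carries the public key derived from KEY.
# Any openssl failure (unreadable file, wrong format) counts as a mismatch.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Usage: sh splitkey.sh newreq.pem key.pem newcert.pem
# key.pem is then the file for confSERVER_KEY, newcert.pem for confSERVER_CERT.
if [ "$#" -eq 3 ]; then
    extract_key "$1" "$2" || { echo "no private key block in $1" >&2; exit 1; }
    key_matches_cert "$2" "$3" || { echo "$2 does not match $3" >&2; exit 1; }
    echo "wrote $2 (mode 600); it matches $3"
fi
```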