create SSL cert via script
Edward Beranek
eberanek at columbus.rr.com
Wed Jan 4 08:48:47 UTC 2006
Patrick,
Finished doing what you are starting awhile back.
You do have to use -nodes for the CA portion.
Here is a link I found helpful:
http://www.pki-page.org/
After you look at a few, you will discovery that darned near
every certificate out there has some defect. That does not
mean they are broken, just that they are defective.
You might also need to know about the serial numbers.
They are important if you set up the CA correctly.
Downside is that there is still disagreement about a revocation
server and sometimes method. Most all certificate stores use
certificates that have expired. ( I found over 10 expired certificates
upon a new Win XP install. Odd thing about expired certificates,
they still work. Well, not always, let's say mostly.)
One thing I did do on purpose. I made postix use mbox format,
ran a symbolic link between /var/spool/mail/username and the users
home directory. Set up the mailbox file in the users directory, and
one really needs to watch the permissions here.
What this allowed to happen was each user had a disk quota set.
Their email store was in their home directory. mbox format allowed
pine, squirrelmail, pop, and imap to access that file, and their disk
quota kept it honest.
I wanted to use the dir format but it was just not compatible with
everything I wished to accomplish without extra work, or mail handlers.
Pop and imap are limited access to the local domain and localhost,
respectively.
Interesting part is it all works fine. Since there are links it
isn't as fast
as some other setups. I think some of the advantages are good. Only
standard configuration is necessary for most of the servers. (The user
creation needs some tweeking since the username mailbox has to be
replaced with a link in /var/spool/mail, and a mailbox file must be
created
in the user's home directory with special permissions. But that's
about it.)
I did create two certificates. One was the CA certificate, and
the one below
that, which is served by the mail system, and squirrelmail (aka
apache) is
a wildcard certificate. The reason for wildcarding is that I wanted
to have
several aliases for a single ip. Unfortunately, there is no nice way
to do that
since which certificate is used to validate the system name being used
(for instance, webmail.this.domain versus popmail.this domain with
the same ip)
unless multiple ip's are used. (of course virtual names come to mind
as well, but
not for this one at this time).
You probably already know about CA.pl to generate the certificate
authority.
It works if it's tweeked a bit for your use. It at least makes it
easier to generate
the certificates and the revocation file, and keep track of the
serial numbers as
a demonstration of what's needed. Unless you are getting into the
certificate
market, it's good for small usage.
Good luck with your plans. It does work well together. port 587
is better than
the one that some documents use for secure smtp. (Cisco uses that one.)
If you have specific questions, I might be able to help, if I have
some experience
there.
Ed Beranek
Patrick wrote:
> On Tue, 2006-01-03 at 14:57 +0100, Alexander Dalloz wrote:
> Am Di, den 03.01.2006 schrieb Ingo Jochim um 11:05:
>
> How can I create a SSL certificate via script full automated?
>
> Thank you for your help.
> Ingo
>
> You may do it like some (those which ship with a certificate) of the
> Fedora RPMs do during rpmbuild. Following is taken from the OpenLDAP
> .spec:
>
> pushd %{_sysconfdir}/pki/tls/certs
> umask 077
> cat << EOF | make slapd.pem
> --
> SomeState
> SomeCity
> SomeOrganization
> SomeOrganizationalUnit
> localhost.localdomain
> root at localhost.localdomain
> EOF
> chown root:ldap slapd.pem
> chmod 640 slapd.pem
> popd
>
> That's the easy part :) Over the holidays I had a go at Kyle Dent's
> Postfix book and fiddled with setting up Postfix with SMTP AUTH (smtp
> and smtpd) and TLS which obviously needed CA, server and client
> private
> and public certificates and CSRs. Quite challenging. And then there
> was
> Evolution's seemlingly stubborn refusal to do something with those
> certificates that made sense to me. It would be very nice if the CA
> scripts in /etc/pki/tls/misc/ got a little TLC from those in the
> know or
> perhaps even a system-config-certificates. There's a discrepancy
> between
> the CA scripts and the info in the Postfix book and info on the Net:
> both mention that you have to use "-nodes" with the openssl
> command. Yet
> the CA scripts don't use that parameter. And the CA scripts use the
> -x509 parameter while the info in the Postfix book and info on the Net
> don't use it. This doesn't make it any easier so I would welcome and
> appreciate any progress.
>
> Regards,
> Patrick
>
More information about the fedora-list
mailing list