create SSL cert via script

Edward Beranek eberanek at columbus.rr.com
Wed Jan 4 08:48:47 UTC 2006


Patrick,
   Finished doing what you are starting a while back.
You do have to use -nodes for the CA portion.
Here is a link I found helpful:
http://www.pki-page.org/

After you look at a few, you will discover that darned near
every certificate out there has some defect.  That does not
mean they are broken, just that they are defective.

You might also need to know about the serial numbers.
They are important if you set up the CA correctly.

Downside is that there is still disagreement about a revocation
server and sometimes method.  Most all certificate stores use
certificates that have expired.  (I found over 10 expired certificates
upon a new Win XP install.  Odd thing about expired certificates,
they still work.  Well, not always, let's say mostly.)

One thing I did do on purpose.  I made postfix use mbox format,
ran a symbolic link between /var/spool/mail/username and the user's
home directory.  Set up the mailbox file in the user's directory, and
one really needs to watch the permissions here.
   What this allowed to happen was each user had a disk quota set.
Their email store was in their home directory.  mbox format allowed
pine, squirrelmail, pop, and imap to access that file, and their disk
quota kept it honest.
   I wanted to use the dir format but it was just not compatible with
everything I wished to accomplish without extra work, or mail handlers.
Pop and imap are limited to access from the local domain and localhost,
respectively.

   Interesting part is it all works fine.  Since there are links it
isn't as fast as some other setups.  I think some of the advantages are good.
Only standard configuration is necessary for most of the servers.  (The user
creation needs some tweaking since the username mailbox has to be
replaced with a link in /var/spool/mail, and a mailbox file must be created
in the user's home directory with special permissions.  But that's about it.)

   I did create two certificates.  One was the CA certificate, and the one below
that, which is served by the mail system, and squirrelmail (aka apache) is
a wildcard certificate.  The reason for wildcarding is that I wanted to have
several aliases for a single ip.  Unfortunately, there is no nice way to do that
since which certificate is used to validate the system name being used
(for instance, webmail.this.domain versus popmail.this.domain with the same ip)
unless multiple ip's are used.  (Of course virtual names come to mind as well, but
not for this one at this time.)

   You probably already know about CA.pl to generate the certificate authority.
It works if it's tweaked a bit for your use.  It at least makes it easier to generate
the certificates and the revocation file, and keep track of the serial numbers as
a demonstration of what's needed.  Unless you are getting into the certificate
market, it's good for small usage.

   Good luck with your plans.  It does work well together.  Port 587 is better than
the one that some documents use for secure smtp.  (Cisco uses that one.)

If you have specific questions, I might be able to help, if I have some experience
there.

Ed Beranek


Patrick wrote:

> On Tue, 2006-01-03 at 14:57 +0100, Alexander Dalloz wrote:
> On Tue, 03.01.2006 at 11:05, Ingo Jochim wrote:
>
> How can I create a SSL certificate via script full automated?
>
> Thank you for your help.
> Ingo
>
> You may do it like some (those which ship with a certificate) of the
> Fedora RPMs do during rpmbuild. Following is taken from the OpenLDAP
> .spec:
>
> pushd %{_sysconfdir}/pki/tls/certs
> umask 077
> cat << EOF | make slapd.pem
> --
> SomeState
> SomeCity
> SomeOrganization
> SomeOrganizationalUnit
> localhost.localdomain
> root@localhost.localdomain
> EOF
> chown root:ldap slapd.pem
> chmod 640 slapd.pem
> popd
>
> That's the easy part :) Over the holidays I had a go at Kyle Dent's
> Postfix book and fiddled with setting up Postfix with SMTP AUTH (smtp
> and smtpd) and TLS which obviously needed CA, server and client private
> and public certificates and CSRs. Quite challenging. And then there was
> Evolution's seemingly stubborn refusal to do something with those
> certificates that made sense to me. It would be very nice if the CA
> scripts in /etc/pki/tls/misc/ got a little TLC from those in the know or
> perhaps even a system-config-certificates. There's a discrepancy between
> the CA scripts and the info in the Postfix book and info on the Net:
> both mention that you have to use "-nodes" with the openssl command. Yet
> the CA scripts don't use that parameter. And the CA scripts use the
> -x509 parameter while the info in the Postfix book and info on the Net
> don't use it. This doesn't make it any easier so I would welcome and
> appreciate any progress.
>
> Regards,
> Patrick
>




More information about the fedora-list mailing list
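The two-certificate setup the thread describes (a CA made with -x509 and -nodes, a wildcard server certificate signed by it, serial numbers tracked by the CA, and a revocation file), written out as an added example that is not part of the original thread and is not Fedora's CA.pl or /etc/pki/tls/misc scripts. It is a POSIX shell script driving the openssl command line; the directory layout, the openssl.cnf it writes, the example.test host names and the starting serial 0x1000 are all assumptions made for the demonstration. It shows what the thread only alludes to: that a single certificate for *.example.test is accepted for webmail.example.test and popmail.example.test on the same address, that the CA's serial file advances with each issuance, and that a client checking the CRL rejects the certificate once it is revoked.

```shell
#!/bin/sh
# Added example, not code from the thread: a small scripted CA using the
# openssl command line.  Paths, the generated openssl.cnf, the example.test
# host names and the starting serial 0x1000 are assumptions for the demo.
set -eu

# init_ca DIR: CA directory and database, a minimal config for "openssl ca",
# a self-signed CA cert (-x509) with an unencrypted key (-nodes, so scripts
# never hit a passphrase prompt) and an initial empty CRL.
init_ca() {
    dir=$1
    mkdir -p "$dir/newcerts" && chmod 700 "$dir"
    : > "$dir/index.txt"         # certificate database, empty to start
    echo 1000 > "$dir/serial"    # next certificate serial number (hex)
    echo 1000 > "$dir/crlnumber" # next CRL number (hex)
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
unique_subject   = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
# req_dn stays empty: every subject is passed on the command line with -subj
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt"
    chmod 600 "$dir/ca.key"
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/ca.crl"
}

# issue_cert DIR NAME HOST [EXTRA_SAN]: unencrypted server key and CSR for
# HOST, signed by the CA; the serial is taken from DIR/serial and bumped.
issue_cert() {
    dir=$1; name=$2; host=$3; san="DNS:$host${4:+,$4}"
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=$host" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr"
    chmod 600 "$dir/$name.key"
    # End-entity extensions are chosen by the CA, not copied from the CSR.
    cat > "$dir/$name.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = $san
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -extfile "$dir/$name.ext" -in "$dir/$name.csr" -out "$dir/$name.crt"
}

# cert_serial DIR NAME: hex serial number of an issued certificate.
cert_serial() {
    openssl x509 -in "$1/$2.crt" -noout -serial | sed 's/^serial=//'
}

# revoke_cert DIR NAME: mark the cert revoked in the database, publish a CRL.
revoke_cert() {
    openssl ca -batch -config "$1/openssl.cnf" -revoke "$1/$2.crt"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl"
}

# verify_cert DIR NAME HOST: chain, CRL and host name check, as a client
# would do it.  Non-zero for an untrusted, revoked or wrong-host cert.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check \
        -verify_hostname "$3" "$1/$2.crt"
}

# Usage: sh ca-demo.sh demo   (runs the whole lifecycle in a temp directory)
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d); init_ca "$work"
    issue_cert "$work" mail '*.example.test' DNS:example.test
    verify_cert "$work" mail webmail.example.test    # wildcard accepted
    revoke_cert "$work" mail
    verify_cert "$work" mail webmail.example.test || echo "revoked: rejected"
fi
```

The -extfile step is where this differs from what a bare `openssl x509 -req -CA ... -CAcreateserial` would give you: `openssl ca` keeps index.txt and the serial file itself, so the same database later drives -revoke and -gencrl, which is the part CA.pl wraps. Clients only honour the CRL if they are told to check it (here -crl_check with -CRLfile), which is why an unchecked but revoked or expired certificate "still works" as the post observes.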