Difference between revisions of "self-signed certificate"
Jump to navigation
Jump to search
(Created page with "category:SSL ==About== A self-signed certificate is useful in some circumstances where you need the security of SSL encryption, but do not nee...") |
(unsolved) |
||
Line 9: | Line 9: | ||
*** <code>openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem</code> | *** <code>openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem</code> | ||
*** I ran all the steps up to that point, but then got errors trying to execute it -- until I repointed openssl.cnf to my pre-existing .crt and .key files. | *** I ran all the steps up to that point, but then got errors trying to execute it -- until I repointed openssl.cnf to my pre-existing .crt and .key files. | ||
+ | |||
+ | Even after that, though, [[sendmail]] still refused to provide [[STARTTLS]] service (despite giving no error messages when loading the configuration).[[category:unsolved]] |
Latest revision as of 21:53, 24 March 2015
About
A self-signed certificate is useful in some circumstances where you need the security of SSL encryption, but do not need certification by a third party.
How to
- Very brief introduction to create a CA and a CERT
- If
/usr/local/openssl/openssl.cnf.sample
does not exist on your system, you can get a copy from MIT. - What needs to be changed is mainly the file locations under
[ CA_default ]
. They seem to presume that you will be executing commands from outside the CA folder, which doesn't work. - If you've already got a .key (private key file) and a .crt (certificate file) generated from that key, it looks like you can configure openssl.cnf to point to them and then skip straight to the penultimate command:
openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
- I ran all the steps up to that point, but then got errors trying to execute it -- until I repointed openssl.cnf to my pre-existing .crt and .key files.
- If
Even after that, though, sendmail still refused to provide STARTTLS service (despite giving no error messages when loading the configuration).