Old 02-16-2010, 04:18 PM
"Daniel B. Thurman"
 
/etc/pki certificate questions

I wondered where I can find Fedora information regarding
the cert files placed in the /etc/pki directory.

Apparently, there is tls/certs/localhost.pem and tls/private/localhost.key;
are these two files required?

I also noticed that installing certain servers such as sendmail, spamd,
imap, ... creates the pem/crl/key certs, but they contain default (otherwise
incorrect [example.com]) certificate information?

As for sendmail, I cd'd into the certs directory, issued: make sendmail.pem
and enabled the SSL in sendmail.mc file, but apparently, I can no longer
log into sendmail (Thunderbird keeps requesting the password) in order
to send outgoing email messages, so I am wondering if "localhost" is
involved somehow?

I would like to rebuild these [self-signed] certificates so that they
contain correct server certificates, notably dovecot, sendmail, spamd,
.... and lastly "localhost", if this is required?

Does anyone recommend a very good site for dealing with the
above issues?

Kind regards,
Dan

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 02-16-2010, 04:33 PM
Stefano Cavallari
 
/etc/pki certificate questions

On Tuesday 16 February 2010 18:18:11 Daniel B. Thurman wrote:

> Does anyone recommend a very good site for dealing with the
> above issues?
>
I don't know any comprehensive site. I usually look at the openssl manpages
and google.

I suggest you try the free certs at CACert. Even if they are not accepted
by default in some (most?) browsers/clients, you'll learn how to deal with a
real CA.
There are decent instructions in their wiki.

Most of the steps for making certs in Fedora are covered by the makefile in
/etc/pki/tls/certs
so:
cd /etc/pki/tls/certs/
make

If you just want self-signed certs, use "make testcert"

Hope this helps.
--
() ascii ribbon campaign - against html e-mail
/ www.asciiribbon.org - against proprietary attachments
 
Old 02-16-2010, 04:39 PM
Michael Cronenworth
 
/etc/pki certificate questions

Daniel B. Thurman wrote:
> Does anyone recommend a very good site for dealing with the
> above issues?

A site is not really required. It can be covered in one email.

I suggest creating a CA for yourself and then creating certs against
that CA. It will make updating your certs easier (unless you just want
to use 10+ year limits on all of your certs).

-Create CA
1. Make a ~/sslcerts, or whatever name you wish, directory.
2. Copy your /etc/pki/tls/openssl.cnf to your local directory. Make
changes to the new copy to match your environment.
3. Create your CA inside of your local directory:
mkdir certs private
touch index.txt
echo 01 > serial
openssl genrsa -out private/local_ca_cert.key 2048
openssl req -config openssl.cnf -new -x509 -days 3650 \
  -key private/local_ca_cert.key -out local_ca_cert.crt -extensions v3_ca
(Change 3650 to however long you want your CA to last)

-Create user certs
Create the user certs from inside the ~/sslcerts directory:
openssl genrsa -out certs/${user}.key 2048
openssl req -config openssl.cnf -new -nodes -out certs/${user}.csr \
  -key certs/${user}.key
# sign the CSR with the CA key and certificate created above
openssl ca -config openssl.cnf -keyfile private/local_ca_cert.key \
  -cert local_ca_cert.crt -out certs/${user}.crt -outdir certs \
  -infiles certs/${user}.csr

Rinse and repeat for each $user. Copy the CA public key and user
private/public keys to a directory of your choice (possibly /etc/pki/)
to allow dovecot, httpd, or whatever daemon you wish to deploy TLS to
have access to them.
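The CA procedure from Michael's post, written out as one runnable script. This is an added example, not code from the thread or from Fedora: it writes a minimal openssl.cnf of its own instead of editing a copy of /etc/pki/tls/openssl.cnf, works in a scratch directory rather than ~/sslcerts, puts the server name into a subjectAltName, and finishes with the two checks a mail client makes against a server certificate (does it chain to a CA the client trusts, and does it carry the name the client connected to). It assumes the openssl command-line tool (1.1.0 or newer, for -no-CAfile/-no-CApath) is on PATH; "mail.example.test" and "localhost" are placeholder names.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway local CA built the way the
# post describes, then one server certificate signed by it, then verification.
# Assumes the openssl CLI is installed; host names below are placeholders.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

# Scratch directory standing in for the post's ~/sslcerts.
WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"
CA_KEY="$WORK/private/local_ca_cert.key"
CA_CRT="$WORK/local_ca_cert.crt"

# Minimal config: [ ca ] tells 'openssl ca' where the database, serial file
# and CA key/cert live; v3_ca holds the CA extensions; [ req ] is just enough
# for 'openssl req' to accept a -subj on the command line.
write_config() {
  cat > "$CNF" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $WORK
new_certs_dir   = \$dir/certs
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/local_ca_cert.crt
private_key     = \$dir/private/local_ca_cert.key
default_md      = sha256
default_days    = 365
policy          = policy_any

[ policy_any ]
commonName      = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName      = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1-3 of the post: layout, empty database and serial, CA key, and a
# self-signed CA certificate valid for ten years.
make_ca() {
  mkdir -p "$WORK/certs" "$WORK/private"
  chmod 700 "$WORK/private"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  write_config
  openssl genrsa -out "$CA_KEY" 2048 >/dev/null 2>&1
  openssl req -config "$CNF" -new -x509 -days 3650 -key "$CA_KEY" \
    -out "$CA_CRT" -extensions v3_ca -subj "/CN=Local test CA"
}

# Key, CSR and CA-signed certificate for one server name. The extensions file
# puts the name into subjectAltName, which is what clients actually match.
issue_server_cert() {
  host=$1
  key="$WORK/certs/$host.key"; csr="$WORK/certs/$host.csr"
  crt="$WORK/certs/$host.crt"; ext="$WORK/certs/$host.ext"
  openssl genrsa -out "$key" 2048 >/dev/null 2>&1
  openssl req -config "$CNF" -new -key "$key" -out "$csr" -subj "/CN=$host"
  cat > "$ext" <<EOF
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
  openssl ca -config "$CNF" -batch -notext -extfile "$ext" \
    -extensions v3_server -in "$csr" -out "$crt" >/dev/null 2>&1
  echo "$crt"
}

# What a client does: chain to a trusted CA and match the connected name.
verify_for_host() {
  openssl verify -CAfile "$CA_CRT" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# The same certificate with the local CA not trusted: what a mail client
# sees until the CA certificate has been imported into it.
verify_untrusted() {
  openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

make_ca
MAIL_CRT=$(issue_server_cert mail.example.test)
verify_for_host "$MAIL_CRT" mail.example.test
echo "mail.example.test: chain and name verify"
if verify_for_host "$MAIL_CRT" localhost; then echo "unexpected match" >&2; exit 1; fi
echo "localhost: rejected, that name is not in the certificate"
if verify_untrusted "$MAIL_CRT"; then echo "unexpected trust" >&2; exit 1; fi
echo "CA not imported: rejected as untrusted; files are under $WORK"
```

The last two checks are the ones to run before blaming the daemon: a certificate issued for a different name than the one the client connects to, or a CA certificate the client has never been given, both fail verification even though the daemon itself is configured correctly. Copying the CA certificate and the server key/certificate into /etc/pki, as the post says, is only half the job; the CA certificate also has to be imported into each client.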
 
