Mailinglist Archive: opensuse (1690 mails)

[opensuse] openssl gurus - TLS/saslauthd key/cert generation - What's the difference?
Guys,

Going through howtos on generating TLS keys for saslauthd, I have run across a couple of approaches that leave me thinking "Why in the heck are they even doing that?" Specifically, a majority of the howtos show key generation similar to:

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Why generate smtpd.key anyway if you are not using it?? Why not just do it the way dovecot certs are generated:

openssl req -new -x509 -nodes -config $CFG -out $CERTFILE -keyout $KEYFILE -days 365

Which is basically the last step in the 5 part process above. I look at the 5 part process and it doesn't make sense. The first 4 openssl calls generate the private key, csr and the self signed certificate. But, then none of that is used in their example when they generate cakey.pem and cacert.pem.

Further, by not using the -nodes, they are generating certs and keys that are password dependent and can potentially cause problems on server start with the system prompting for a password if used for say -- an apache certificate.

Am I reading what the 5 step process is doing correctly? And the fact that the smtpd.key, .csr, and .crt have nothing to do with the cakey.pem and cacert.pem files they generate? If so, why even bother with the key, csr and crt when you can create the PKCS#10 (.pem) Self-Signed Certificate and Key in one shot??

I find it much easier just to author a small ssl.cnf file and use:

openssl req -new -x509 -nodes -config $CFG -out $CERTFILE -keyout $KEYFILE -days 365

saslauthd and TLS seem perfectly happy with that. Any reason not to do it that way? Thanks for any help you can give clearing up this mud...

--
David C. Rankin, J.D.,P.E.
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
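As an added illustration (not part of the original post or of any openSUSE howto), the script below does the one-shot generation the post describes, from a small config file, and then performs the two checks a practitioner wants before handing the files to saslauthd or Postfix: that the key is not passphrase-protected (so nothing prompts at service start), and that the certificate and key actually belong together. The scratch directory, the hostname mail.example.test and the config contents are assumptions for the example.

```shell
#!/bin/sh
# Added example: one-shot self-signed cert + unencrypted key from a minimal
# config, followed by sanity checks on the resulting pair.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # assumed scratch directory
CFG="$WORK/ssl.cnf"
CERTFILE="$WORK/smtpd.crt"
KEYFILE="$WORK/smtpd.key"

# Minimal req config: prompt = no lets "openssl req" run unattended, and the
# extensions mark the cert as a server (not CA) certificate with a SAN.
write_config() {
cat > "$CFG" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
x509_extensions    = v3_srv

[ dn ]
CN = mail.example.test

[ v3_srv ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:mail.example.test
EOF
}

# The single step from the post: key and self-signed cert in one call, -nodes so
# the key is written without a passphrase.
make_cert() {
    openssl req -new -x509 -nodes -config "$CFG" \
        -out "$CERTFILE" -keyout "$KEYFILE" -days 365 2>/dev/null
    chmod 600 "$KEYFILE"
}

# Returns 0 when the key file carries no encryption header (traditional PEM uses
# "Proc-Type: 4,ENCRYPTED", PKCS#8 uses "BEGIN ENCRYPTED PRIVATE KEY").
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$KEYFILE"
}

# Returns 0 when the public key inside the cert equals the one derived from the
# private key, i.e. the two files form a matching pair.
pair_matches() {
    c=$(openssl x509 -in "$CERTFILE" -pubkey -noout | openssl sha256)
    k=$(openssl pkey -in "$KEYFILE" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

write_config
make_cert
if key_is_unencrypted; then echo "key: no passphrase"; else echo "key: ENCRYPTED (would prompt at start)"; fi
if pair_matches; then echo "cert/key: match"; else echo "cert/key: MISMATCH"; fi
```

The same two checks are worth running against the output of the longer five-command recipe: if the cacert.pem handed to saslauthd is compared with smtpd.key this way, pair_matches fails, which is exactly the disconnect the post points out.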
