What is the role of cakey.pem and cacert.pem in addition to .key and .crt based encryption
You don’t need a Certificate authority. A self-signed certificate is perfectly valid by itself. Indeed, it is its own CA.
If you want to use a dedicated CA, you need to sign smtpd.crt
with the CA instead. CAs are used to establish a chain of trust. If a client trusts a CA, it automatically trusts all certificates signed by it.
Here’s a guide to create a self-signed CA and sign a certificate with it, taken from Parallels:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 730
Related videos on Youtube
greenV
Updated on September 18, 2022Comments
-
greenV over 1 year
I have
.key
file which holds the private key data,.crt
file which would be certificate with public key and, to my knowledge, that's it for public key encryption, right?Not exactly. In order to achieve my goal I must also generate cakey.pem and cacert.pem, which I do not know what they are for.
I have example with setting up TLS with Postfix MTA.
I do:
openssl genrsa 1024 > smtpd.key openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
these two - smtpd.key and smtpd.crt - are key (private key) and certificate (with public key incorporated).
what is the
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
cakey.pem and cacert.pem files for?
-
greenV about 10 yearsI think I do need CA. If I, for example, omit to specify smtpd_tls_CAfile, it wont work. here is reference
-
Daniel B about 10 yearsWell, the guide is broken. The way the certificates are generated, they have no relation whatsoever. I’ll edit the post to include a guide from Parallels.
-
greenV about 10 yearstrue for broken guide and also for generating CA. Thank you!