# SSL certs for postfix

## quereguilla

hi,

i've executed this to generate ssl certs:

```
# cd misc
# ./CA.pl -newreq-nodes
# ./CA.pl -newca
# ./CA.pl -sign
```

all is fine, this is the output:

```
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 24 14:51:11 2011 GMT
            Not After : Aug 23 14:51:11 2014 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = *******
            organizationName          = *******
            organizationalUnitName    = *******
            commonName                = ***********
            emailAddress              = ************
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                *********************************************
            X509v3 Authority Key Identifier:
                ***************************************
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Aug 23 14:51:11 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
```

but now, there isn't a generated file called newcert.pem in /etc/ssl/misc... where is newcert.pem ? is /etc/ssl/misc/demoCA/newcerts/01.pem the "newcert.pem" mentioned in this guide http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap5 ?

----------

## quereguilla

 *Veldrin wrote:*   

> according to the script, it should place all newcert.* files in the current folder (from where you were calling the script).
> 
> and if I understood correctly, this should be in /etc/ssl/misc/.
> 
> HTH
> ...

 

yeah, but.. it isn't.

anyway... i've just read this:

```

A copy of newcert.pem is placed in newcerts/ with an adequate entry in index.txt so that a client can request this information via a web server to ensure the authenticity of the certificate
```

is demoCA/newcerts/01.pem an equivalent of newcert.pem?

it's similar to this: http://www-uxsup.csx.cam.ac.uk/~jw35/comodo-certificates/ComodoUTNSGCCA.crt.txt

----------

## chiefbag

Try the following method:

```
# cd /etc/postfix
# /etc/ssl/misc/CA.pl -newca
```

Enter the required info for example below:

```
countryName               = IE
stateOrProvinceName       = Co
organizationName          = Company Ltd
commonName                = bla-bla1.com
emailAddress              = bla-bla1.com
Locality Name (eg, city) []:Some town
```

```
# openssl req -new -nodes -subj '/CN=bla-bla1.com/O=Company Ltd/C=IE/ST=Co/L=Some town/emailAddress=bla-bla1.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650
# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
# cp demoCA/cacert.pem .
# chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
# chmod 400 /etc/postfix/FOO-key.pem
```

----------

## gilamonster

OP, I'm having the exact same issue.

Did you figure this out?

----------

## chiefbag

Why doesn't one of you try my method and mark this thread solved once it works?

Obviously when you don't specify the name of the out file it's going to be different, and sequentially different for that matter on each run.

----------
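An added check, not part of the original thread: given a candidate file such as demoCA/newcerts/01.pem or FOO-cert.pem, it confirms that the certificate carries the public key of your private key and verifies against cacert.pem, and reports whether it is marked CA:TRUE as in the output quoted in the first post. The function names and the throwaway sample CA built by `make_sample` are constructed for this example; only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example (not from the thread): is this certificate the one issued for
# my key, and was it signed by my CA?

cert_matches_key() {    # $1 = certificate, $2 = unencrypted private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

cert_signed_by() {      # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

is_ca_cert() {          # true if Basic Constraints says CA:TRUE
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

report() {              # $1 = certificate, $2 = key, $3 = CA certificate
    cert_matches_key "$1" "$2" && echo "$1: matches $2" || echo "$1: does NOT match $2"
    cert_signed_by "$3" "$1" && echo "$1: signed by $3" || echo "$1: NOT signed by $3"
    is_ca_cert "$1" && echo "$1: is a CA certificate (CA:TRUE)"
    return 0
}

# Constructed sample data: a throwaway CA and one server certificate in $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Sample CA' \
        -keyout "$1/ca-key.pem" -out "$1/cacert.pem" -days 2 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
        -keyout "$1/FOO-key.pem" -out "$1/FOO-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/FOO-req.pem" -CA "$1/cacert.pem" \
        -CAkey "$1/ca-key.pem" -CAcreateserial -out "$1/FOO-cert.pem" -days 2 2>/dev/null
}

if [ "$#" -eq 3 ]; then
    report "$1" "$2" "$3"           # e.g. FOO-cert.pem FOO-key.pem cacert.pem
else
    tmp=$(mktemp -d) && make_sample "$tmp" &&
    report "$tmp/FOO-cert.pem" "$tmp/FOO-key.pem" "$tmp/cacert.pem"
    report "$tmp/cacert.pem" "$tmp/FOO-key.pem" "$tmp/cacert.pem"
    rm -rf "$tmp"
fi
```

Run with three arguments (certificate, key, CA certificate) to check real files; with no arguments it runs against the constructed sample, where the CA certificate is reported as not matching the server key.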

