BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Delivering mail to folders
- Subject: [Discuss] Delivering mail to folders
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- Date: Tue, 2 Feb 2016 12:31:11 +0000
- In-reply-to: <CA+h9Qs754TkOD7Kj_xa0d2FQ+7epjHpR7R2ZWt5iuC6za7wPXg@mail.gmail.com>
- References: <56AE7E30.8000002@thekramers.net> <BY2PR04MB18423BE3482CCEA9254F8560DCDD0@BY2PR04MB1842.namprd04.prod.outlook.com> <56AE96AD.2090105@thekramers.net> <BY2PR04MB184227277919A01002E80C12DCDE0@BY2PR04MB1842.namprd04.prod.outlook.com> <56AFA61E.6000103@gmail.com> <BY2PR04MB1842E972934371DD6D763C24DCDE0@BY2PR04MB1842.namprd04.prod.outlook.com> <CA+h9Qs754TkOD7Kj_xa0d2FQ+7epjHpR7R2ZWt5iuC6za7wPXg@mail.gmail.com>
> From: jabr at gapps.blu.org [mailto:jabr at gapps.blu.org] On Behalf Of John > Abreau > > Apparently I've been doing it "wrong" all these years. I've always created my > own CA and signed my certificates with it, and I thought that's what the term > "self-signed" meant. That's the opposite of "doing it wrong." If you create a CA, for example by a process like this: http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php in which you have a CA root private key, which signs itself as a CA, and you keep that directory full of files sitting around someplace secure, and the root private key is used only for signing certs (is not used directly as a website cert), and you generate a different private key for each website cert, and then you install the CA root cert (with public key) into the trusted root store of your clients... Then you've done it exactly right. (Assuming proper implementation choices, such as key length and stuff like that). But this process is complex enough that very few people do it, especially when you can get free certs from a publicly recognized CA. When people say they have a webserver with a self-signed cert, in virtually all cases, that means they followed a process like this (the top result I got by searching for "generate self signed certificate"): http://www.akadia.com/services/ssh_test_certificate.html In this process, you generate a key, and use that key to sign a certificate of itself. There was never any CA. A good clue to look for is whether or not the "openssl ca" command was used, and if the CA root cert is separate and distinct from the server cert. The CA root private key should never exist on any of the servers. It should be air-gapped, encrypted, kept in a bank vault.
- Follow-Ups:
- [Discuss] Delivering mail to folders
- From: jabr at blu.org (John Abreau)
- [Discuss] Delivering mail to folders
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] Delivering mail to folders
- References:
- [Discuss] Delivering mail to folders
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] Delivering mail to folders
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] Delivering mail to folders
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] Delivering mail to folders
- From: jabr at blu.org (John Abreau)
- [Discuss] Delivering mail to folders
- Prev by Date: [Discuss] Delivering mail to folders
- Next by Date: [Discuss] Delivering mail to folders
- Previous by thread: [Discuss] Delivering mail to folders
- Next by thread: [Discuss] Delivering mail to folders
- Index(es):