[Discuss] Delivering mail to folders

[jabr at blu.org (John Abreau)]

Yes, that's why I put the word "wrong" in quotes.

That's basically the procedure I use. More precisely, I use the scripts for
this that came bundled with OpenVPN 2.x.

I keep the keys on a separate, non-networked machine at home, on an
encrypted partition that I only mount when working with keys, and I copy
the generated keys and certificates via usb thumb drive to their final
destinations.

I also maintain a revocation list, which mostly gets used for renewing
expiring certificates; I revoke the expiring certificate and then generate
a new one with the same id.


On Tue, Feb 2, 2016 at 7:31 AM, Edward Ned Harvey (blu) <blu at nedharvey.com>
wrote:

> > From: jabr at gapps.blu.org [mailto:jabr at gapps.blu.org] On Behalf Of John
> > Abreau
> >
> > Apparently I've been doing it "wrong" all these years. I've always
> created my
> > own CA and signed my certificates with it, and I thought that's what the
> term
> > "self-signed" meant.
>
> That's the opposite of "doing it wrong."
>
> If you create a CA, for example by a process like this:
> http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
> in which you have a CA root private key, which signs itself as a CA, and
> you keep that directory full of files sitting around someplace secure, and
> the root private key is used only for signing certs (is not used directly
> as a website cert), and you generate a different private key for each
> website cert, and then you install the CA root cert (with public key) into
> the trusted root store of your clients... Then you've done it exactly
> right. (Assuming proper implementation choices, such as key length and
> stuff like that). But this process is complex enough that very few people
> do it, especially when you can get free certs from a publicly recognized CA.
>
> When people say they have a webserver with a self-signed cert, in
> virtually all cases, that means they followed a process like this (the top
> result I got by searching for "generate self signed certificate"):
> http://www.akadia.com/services/ssh_test_certificate.html  In this
> process, you generate a key, and use that key to sign a certificate of
> itself. There was never any CA.
>
> A good clue to look for is whether or not the "openssl ca" command was
> used, and if the CA root cert is separate and distinct from the server
> cert. The CA root private key should never exist on any of the servers. It
> should be air-gapped, encrypted, kept in a bank vault.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6