Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Delivering mail to folders

Yes, that's why I put the word "wrong" in quotes.

That's basically the procedure I use. More precisely, I use the scripts for
this that came bundled with OpenVPN 2.x.

I keep the keys on a separate, non-networked machine at home, on an
encrypted partition that I only mount when working with keys, and I copy
the generated keys and certificates via usb thumb drive to their final

I also maintain a revocation list, which mostly gets used for renewing
expiring certificates; I revoke the expiring certificate and then generate
a new one with the same id.

On Tue, Feb 2, 2016 at 7:31 AM, Edward Ned Harvey (blu) <blu at>

> > From: jabr at [mailto:jabr at] On Behalf Of John
> > Abreau
> >
> > Apparently I've been doing it "wrong" all these years. I've always
> created my
> > own CA and signed my certificates with it, and I thought that's what the
> term
> > "self-signed" meant.
> That's the opposite of "doing it wrong."
> If you create a CA, for example by a process like this:
> in which you have a CA root private key, which signs itself as a CA, and
> you keep that directory full of files sitting around someplace secure, and
> the root private key is used only for signing certs (is not used directly
> as a website cert), and you generate a different private key for each
> website cert, and then you install the CA root cert (with public key) into
> the trusted root store of your clients... Then you've done it exactly
> right. (Assuming proper implementation choices, such as key length and
> stuff like that). But this process is complex enough that very few people
> do it, especially when you can get free certs from a publicly recognized CA.
> When people say they have a webserver with a self-signed cert, in
> virtually all cases, that means they followed a process like this (the top
> result I got by searching for "generate self signed certificate"):
>  In this
> process, you generate a key, and use that key to sign a certificate of
> itself. There was never any CA.
> A good clue to look for is whether or not the "openssl ca" command was
> used, and if the CA root cert is separate and distinct from the server
> cert. The CA root private key should never exist on any of the servers. It
> should be air-gapped, encrypted, kept in a bank vault.
> _______________________________________________
> Discuss mailing list
> Discuss at

John Abreau / Executive Director, Boston Linux & Unix
Email jabr at / WWW / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /