We use /etc/mail/CA in the examples to follow:
# cd /etc/mail
# mkdir CA CA/certs CA/crl CA/newcerts CA/private
# chmod -R 700 CA/private
# cd CA
Table 5-5. Digital-certificate-issuing sites

Site                      Description
http://www.verisign.com   The original certificate authority
http://www.thawte.com     Claims to be the largest
http://www.valicert.com   A business-oriented site
http://www.cacert.org/    Is free but rarely recognized
* Some certificate authorities provide signed certificates via secure transport, such as surface delivery of a CD
or floppy disk, with physical signature and identification required.
Copyright © 2007 O'Reilly & Associates, Inc. All rights reserved.
For the rest of this discussion, we presume you will be working inside the CA directory;
hence the cd CA in the preceding code. We also presume that the openssl(1) program
is in your path. If it isn't, you may need to prefix openssl in the examples that
follow with its full path. For example:
# /usr/local/ssl/bin/openssl .....
Alternatively, you can temporarily modify root's path:
# PATH=/usr/local/ssl/bin:$PATH; export PATH
Next, you generate your certificate authority (your CA). You need to do this only
once. We use the req function for OpenSSL (http://www.openssl.org/docs/apps/req.html)
to manage and create certificates:
# echo '01' > serial
# cp /dev/null index.
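The directory setup described above can be scripted and then audited before any key is generated. This is an added example, not code from the book: the function names make_ca_skeleton and audit_ca_dir are hypothetical, and it runs against a scratch directory rather than /etc/mail/CA.

```shell
#!/bin/sh
# Added example: create and audit the CA directory layout used on this page.
# make_ca_skeleton and audit_ca_dir are hypothetical helper names.

make_ca_skeleton() {
    ca=$1
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private" || return 1
    chmod -R 700 "$ca/private" || return 1
    # Never overwrite an existing serial: resetting it would reissue
    # serial numbers that are already in use.
    [ -e "$ca/serial" ] || echo '01' > "$ca/serial"
}

audit_ca_dir() {
    ca=$1
    rc=0
    for d in certs crl newcerts private; do
        [ -d "$ca/$d" ] || { echo "missing directory: $ca/$d"; rc=1; }
    done
    if [ -d "$ca/private" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$ca/private" | cut -c5-10)
        [ "$mode" = "------" ] ||
            { echo "private/ is open to group or others: $mode"; rc=1; }
    fi
    if [ -f "$ca/serial" ]; then
        s=$(head -n 1 "$ca/serial")
        case $s in
            ''|*[!0-9A-Fa-f]*)
                echo "serial is not a hex number: '$s'"; rc=1 ;;
            *)
                # This check expects whole bytes (digit pairs), like '01'.
                [ $(( ${#s} % 2 )) -eq 0 ] ||
                    { echo "serial has an odd number of digits: '$s'"; rc=1; }
                ;;
        esac
    else
        echo "missing file: $ca/serial"; rc=1
    fi
    return $rc
}

# Demonstration in a scratch directory (constructed path, not /etc/mail).
demo=$(mktemp -d) || exit 1
make_ca_skeleton "$demo/CA" && audit_ca_dir "$demo/CA" && echo "CA layout OK"
rm -rf "$demo"
```

Run audit_ca_dir against the real CA directory after setup and again after any restore from backup, since restores often reset directory modes.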