# umask 0066
# openssl req -nodes -new -x509 -keyout key.pem -out newcert.pem
The preceding command creates a certificate for use with sendmail. It is unsigned
and still needs to be signed by the CA, which we will do next. Like the previous step,
this creates a key (which may be a long process) and then prompts you for X.509
information. Fill in that information as you did earlier.
The last step is to sign the new sendmail certificate (called newcert.pem), which
requires two commands. The first command generates a certificate request:
# openssl x509 -x509toreq -in newcert.pem -signkey key.pem -out csr.pem
Getting request Private Key
Generating certificate request
The second command uses the CA cert key in private/cakey.pem to sign the
newcert.pem certificate. The request for the signature is in the csr.pem file we created
earlier (where csr stands for Certificate Signing Request):
# openssl ca -policy policy_anything -out cert.pem -infiles csr.pem
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 2 18:05:01 2007 GMT
            Not After : Feb 2 18:05:01 2008 GMT
        Subject:
            countryName = US
            stateOrProvinceName = California
            localityName = Emeryville
            organizationName = your domain
            commonName = mail.your.domain
            emailAddress = you@your.domain
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
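Once cert.pem has been written, it is worth confirming that the files fit together before pointing sendmail at them. The following script is an added example, not from the original text: it checks that key.pem is unreadable by group and other (the effect of umask 0066), that key.pem and cert.pem hold the same public key, and that cert.pem verifies against the CA certificate. The function names are hypothetical, and the CA certificate path is supplied by the caller because the text names only the CA key, private/cakey.pem.

```shell
#!/bin/sh
# Added example: post-signing checks for the files created above.
# Assumption: the CA certificate path is passed in by the caller; the text
# names only the CA key (private/cakey.pem), not the CA certificate file.

# True if the file has no group/other permission bits (mode 0600 or tighter),
# which is what "umask 0066" produces for a newly written key.pem.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ldL "$1" | cut -c5-10)   # group+other columns of e.g. -rw-------
    [ "$perms" = "------" ]
}

# True if the private key and the certificate carry the same public key.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True if the certificate verifies against the given CA certificate.
# Matching the ": OK" line avoids depending on the exit status alone.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run all three checks; return non-zero if any of them fails.
# usage: check_sendmail_cert key.pem cert.pem CA_CERT
check_sendmail_cert() {
    rc=0
    key_is_private "$1" || { echo "FAIL: $1 is readable by group/other"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    cert_chains_to_ca "$3" "$2" || { echo "FAIL: $2 not signed by $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key private, key matches cert, cert chains to CA"
    return "$rc"
}

# When invoked with three arguments, run the checks on those files.
if [ "$#" -eq 3 ]; then check_sendmail_cert "$@"; fi
```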
This is the Title of the Book, eMatter Edition
Copyright © 2007 O'Reilly & Associates, Inc.