pem server.cert.pem
# mv key.pem server.key.pem
... create another CA signed cert here
# mv cert.pem client.cert.pem
# mv key.pem client.key.pem
Note that the preceding code generates separate certs for client and server. Note also
that we will use the preceding filenames in the discussions to follow.
5.3.4.2 Revocation lists
Beginning withV8.12 sendmail, OpenSSL version 0.9.7 and later support the ability
to screen certificates against a revocation list. In the preceding section, you created
certificates that possessed a default life of one year. But what happens if you want to
cancel a certificate and replace it with another? For housekeeping purposes, you can
add the canceled certificate to a list of canceled certificates called a ???revocation list.???
For use with sendmail, you may create an empty revocation file withth e following
commands:
# echo "01" > crlnumber
# openssl ca -gencrl -out crl/crl.pem
Later, when you need to add certificates to this file, you may. But in the meantime,
an empty file works just fine for sendmail??™s needs. Visit http://www.openssl.org/docs/
apps/crl.html for additional guidance.
To view your empty revocation list, you may use the following command:
# openssl crl -in crl/crl.pem -noout -text
5.3.4.3 Sources of additional help
There can be much more to the creation and signing of certificates than we show
here.
Pages:
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401