On Thu, Jul 22, 2004 at 05:57:09PM +0200, Lorenzo Conti wrote:
> Hi all,
> I'm running dovecot from ports tree on OpenBSD 3.5. I'm also using the
> script provided to generate a self signed cert (that is doc/mkcert.sh).
> After a month by the way the certificate expired and I had to recreate it
> again. I saw that in the script there is no explicit certificate duration
> specified and then on my system the cert lasted exactly 30 days. As a
> short term fix then I deleted the certificate files and modified the
> script to recreate a cert that lasts 365 days changing:
>
> < $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE || exit 2
> ---
> > $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
>
> A better solution would of course require that the duration should have
> been specified as a parameter but anyway I feel 30 days are really too
> short.
>
> Regards,
> Lorenzo Conti
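Review bot: the changed line hard-codes the lifetime as `-days 365`, so anyone who needs a different validity period has to edit doc/mkcert.sh again. Take the value from a variable with a default instead, the same way the line already takes $CERTFILE and $KEYFILE (for example a hypothetical $CERTDAYS), and add a comment beside it stating the resulting lifetime so the expiry date is not a surprise.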
Er, indeed.
Self-signed certificates are snake oil. A default of 30 days is
quite reasonable, because they shouldn't be used for anything other
than testing. If you need more, perhaps because it's a private
server where you (and only you) will ever have to import the certificate
to trust it, then you should definitely have to do that explicitly.
Joshua.
--
Joshua Goodall "as modern as tomorrow
afternoon"
joshua at roughtrade.net - FW109