[Dovecot] (no subject)
Joshua Goodall
joshua at roughtrade.net
Fri Jul 23 16:07:42 EEST 2004
On Thu, Jul 22, 2004 at 05:57:09PM +0200, Lorenzo Conti wrote:
> <html><div style='background-color:'><!--StartFragment -->Hi all,<BR>I'm running dovecot from ports tree on OpenBSD 3.5. I'm also using the script provided to generate a self signed cert (that is doc/mkcert.sh). After a month by the way the certificate expired and I had to recreate it again. I saw that in the script there is no explicit certificate duration specified and then on my system the cert lasted exactly 30 days. As a short term fix then I deleted the certifacte files and modified the script to recreate cert that last 365 days changing:<BR><BR>< $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE || exit 2<BR>---<BR>> $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2<BR><BR><BR>A better solution would of course require that the duration should have been specified as a parameter but anyway I feel 30 days are really too short.<BR><BR>Regards,<BR>Lorenzo Conti <BR>
> <DIV></DIV></div><br clear=all><hr>MSN 8 with <a href="http://g.msn.com/8HMBEN/2740??PS=47575">e-mail virus protection service: </a> 2 months FREE*</html>
Er, indeed.
Self-signed certificates are snake oil. A default of 30 days is
quite reasonable, because they shouldn't be used for anything other
than testing. If you need more, perhaps because it's a private
server where you (and only you) will ever have to import the certificate
to trust it, then you should definitely have to do that explicitly.
Joshua.
--
Joshua Goodall "as modern as tomorrow afternoon"
joshua at roughtrade.net - FW109
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20040723/7a291f11/attachment-0001.bin>
More information about the dovecot
mailing list