On Thu, Jul 22, 2004 at 05:57:09PM +0200, Lorenzo Conti wrote:

<html><div style='background-color:'><!--StartFragment -->Hi all,<BR>I'm running dovecot from ports tree on OpenBSD 3.5. I'm also using the script provided to generate a self signed cert (that is doc/mkcert.sh). After a month by the way the certificate expired and I had to recreate it again. I saw that in the script there is no explicit certificate duration specified and then on my system the cert lasted exactly 30 days. As a short term fix then I deleted the certifacte files and modified the script to recreate cert that last 365 days changing:<BR><BR>&lt; $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE || exit 2<BR>---<BR>&gt; $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2<BR><BR><BR>A better solution would of course require that the duration should have been specified as a parameter but anyway I feel 30 days are really too short.<BR><BR>Regards,<BR>Lorenzo Conti <BR> <DIV></DIV></div><br clear=all><hr>MSN 8 with <a href="http://g.msn.com/8HMBEN/2740??PS=47575">e-mail virus protection service: </a> 2 months FREE*</html>

Er, indeed.

Self-signed certificates are snake oil. A default of 30 days is quite reasonable, because they shouldn't be used for anything other than testing. If you need more, perhaps because it's a private server where you (and only you) will ever have to import the certificate to trust it, then you should definitely have to do that explicitly.

Joshua.

-- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109