summaryrefslogtreecommitdiff
path: root/share/man
diff options
context:
space:
mode:
authorTodd C. Miller <millert@cvs.openbsd.org>2002-10-21 16:29:15 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2002-10-21 16:29:15 +0000
commitaf87f423461805e2fa4fd6c95af73a4417d0172c (patch)
treeb7e37c24df08c2038aaf7e2a2008076a16c631aa /share/man
parent0b7a6f7a73b5ea695f5c0bb4e11019c4111d617b (diff)
o Add "-days 365" to the examples (default lifetime is 1 month).
o Add an example showing how to make a new cert w/o a new key. o Mention how to dump a cert in text format.
Diffstat (limited to 'share/man')
-rw-r--r--share/man/man8/starttls.834
1 files changed, 31 insertions, 3 deletions
diff --git a/share/man/man8/starttls.8 b/share/man/man8/starttls.8
index 3b2853e39b0..20ca2bac8bf 100644
--- a/share/man/man8/starttls.8
+++ b/share/man/man8/starttls.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: starttls.8,v 1.4 2002/10/14 14:48:13 millert Exp $
+.\" $OpenBSD: starttls.8,v 1.5 2002/10/21 16:29:14 millert Exp $
.Dd January 11, 2002
.Dt STARTTLS 8
.Sh NAME
@@ -38,9 +38,14 @@ The client then begins the TLS portion of the ESMTP session by issuing
the command
.Dq STARTTLS .
The remaining portion of the ESMTP session occurs over a TLS channel.
-.Ss Creating a certificate for sendmail
+.Ss Creating a private key and certificate for sendmail
This example assumes you are creating your own self-signed certificates
for use with sendmail and STARTTLS.
+If you have an existing private key and you simply wish to generate
+a new certificate (for example, if your old certificate has expired),
+see the section entitled
+.Sx "Creating a certificate with an existing private key" .
+.Pp
For the purposes of this example the certificates will be stored in
.Pa /etc/mail/certs ,
though it is possible to use a different directory if needed.
@@ -69,10 +74,14 @@ Once you have the
parameters generated, you can generate a certificate
and unencrypted private key using the command:
.Bd -literal -offset indent -width Ds
-# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \\
+# openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \\
-out /etc/mail/certs/mycert.pem -keyout /etc/mail/certs/mykey.pem
.Ed
.Pp
+You may adjust the lifetime of the certificate via the
+.Fl days
+parameter (one year in this example).
+.Pp
Make sure to leave the private key files unencrypted, using the
.Fl nodes
option.
@@ -80,6 +89,12 @@ Otherwise,
.Xr sendmail 8
will be unable to initiate TLS server functions.
.Pp
+You can verify that the newly-generated certificate has correct information
+with the following command:
+.Bd -literal -offset indent -width Ds
+# openssl x509 -in /etc/mail/certs/mycert.pem -text
+.Ed
+.Pp
If don't intend to use TLS for authentication (and if you are using
self-signed certificates you probably don't) you can simply link
your new key to
@@ -108,6 +123,19 @@ A simple way to ensure this is to run the following:
.Bd -literal -offset indent -width Ds
# chmod -R go-rwx /etc/mail/certs
.Ed
+.Ss Creating a certificate with an existing private key
+This example assumes you already have an existing private key,
+.Pa /etc/mail/certs/mykey.pem .
+You can generate a new certificate based on this key using the command:
+.Bd -literal -offset indent -width Ds
+# openssl req -x509 -new -days 365 -key /etc/mail/certs/mykey.pem \\
+ -out /etc/mail/certs/mycert.pem
+# chmod 600 /etc/mail/certs/mycert.pem
+.Ed
+.Pp
+You may adjust the lifetime of the certificate via the
+.Fl days
+parameter (one year in this example).
.Ss Configuring sendmail to utilize TLS
The global sendmail configuration files,
.Pa /etc/mail/sendmail.cf