I have a .key file which holds the private key data, a .crt file which would be the certificate with the public key and, to my knowledge, that's it for public key encryption, right?
Not exactly. In order to achieve my goal I must also generate cakey.pem and cacert.pem, and I do not know what they are for.
I have an example of setting up TLS with the Postfix MTA.
I do:

    openssl genrsa 1024 > smtpd.key
    openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt

These two, smtpd.key and smtpd.crt, are the key (private key) and the certificate (with the public key incorporated).
And what are the cakey.pem and cacert.pem files produced by

    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

for?
1 Answer
You don’t need a Certificate authority. A self-signed certificate is perfectly valid by itself. Indeed, it is its own CA.
If you want to use a dedicated CA, you need to sign smtpd.crt with the CA instead. CAs are used to establish a chain of trust. If a client trusts a CA, it automatically trusts all certificates signed by it.
Here’s a guide to creating a self-signed CA and signing a certificate with it, taken from Parallels:

    openssl genrsa -out rootCA.key 2048
    openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 730
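The procedure in the answer above, written out as an added example that is not part of the original answer and not taken from Parallels, Postfix or OpenSSL documentation. It builds the private CA, issues a server certificate from a CSR, also produces the question's self-signed smtpd.crt, and then runs the verification a TLS client would run against each. The hostname mail.example.com, the file names, the temporary directory and the contents of the generated ca.cnf are assumptions; the script ships its own config so it does not depend on the distribution's openssl.cnf. It goes beyond the quoted commands in one respect: the CA-issued certificate gets a subjectAltName and CA:FALSE, which current clients require and a bare `openssl x509 -req` does not add.

```shell
#!/bin/sh
# Added example (not code from the question, the answer or Postfix/OpenSSL docs):
# a private CA that signs a mail-server certificate, next to the question's
# self-signed certificate, with the checks a TLS client performs on each.
# Assumptions: hostname mail.example.com, file names, and the ca.cnf contents.
set -eu

# write_cnf DIR HOST: minimal OpenSSL config carrying the extension sections
# used below, so the script does not depend on the distribution's openssl.cnf.
write_cnf() {
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
# never used: every req call below passes -subj
CN = unused
[ v3_ca ]
# what "-extensions v3_ca" in the question supplies: a CA certificate
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
# CA-issued leaf: not a CA, usable for TLS servers, hostname in the SAN
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[ v3_self ]
# self-signed leaf as "openssl req -x509" produces it with the stock config
# (CA:TRUE, so it can act as its own trust anchor), plus a SAN for clients
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
EOF
}

# make_chain DIR HOST: CA key and self-signed CA certificate (the cakey.pem and
# cacert.pem of the question), then a server key, a CSR, and the CA-signed
# server certificate. The server's private key never leaves the server.
make_chain() {
  dir=$1; host=$2
  mkdir -p "$dir"
  write_cnf "$dir" "$host"
  openssl genrsa -out "$dir/rootCA.key" 2048
  openssl req -x509 -new -key "$dir/rootCA.key" -days 3650 \
      -subj "/CN=Example Private Root CA" \
      -config "$dir/ca.cnf" -extensions v3_ca -out "$dir/rootCA.pem"
  openssl genrsa -out "$dir/server.key" 2048
  openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
      -config "$dir/ca.cnf" -out "$dir/server.csr"
  # the signer decides the extensions; a bare "openssl x509 -req" adds none
  openssl x509 -req -in "$dir/server.csr" -days 730 \
      -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
      -extfile "$dir/ca.cnf" -extensions v3_server -out "$dir/server.crt"
}

# make_selfsigned DIR HOST: the question's smtpd.key/smtpd.crt pair, one
# certificate that is both the leaf and its own trust anchor.
make_selfsigned() {
  dir=$1; host=$2
  mkdir -p "$dir"
  write_cnf "$dir" "$host"
  openssl genrsa -out "$dir/smtpd.key" 2048
  openssl req -x509 -new -key "$dir/smtpd.key" -days 3650 -subj "/CN=$host" \
      -config "$dir/ca.cnf" -extensions v3_self -out "$dir/smtpd.crt"
}

# verify_cert CAFILE CERT HOST: succeeds only if CERT chains to a certificate
# in CAFILE and carries HOST, which is what a TLS client checks.
verify_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# demo: run as "sh ca-demo.sh demo"
demo() {
  d=$(mktemp -d)
  make_chain "$d" mail.example.com
  make_selfsigned "$d" mail.example.com
  verify_cert "$d/rootCA.pem" "$d/server.crt" mail.example.com \
      && echo "server.crt: chains to rootCA.pem"
  verify_cert "$d/smtpd.crt" "$d/smtpd.crt" mail.example.com \
      && echo "smtpd.crt: valid only when trusted directly"
  verify_cert "$d/rootCA.pem" "$d/smtpd.crt" mail.example.com \
      || echo "smtpd.crt: rejected by a client that trusts only rootCA.pem"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Either pair can be handed to Postfix through smtpd_tls_cert_file and smtpd_tls_key_file; the difference is on the client side. With the CA, a client trusts rootCA.pem once and accepts every certificate the CA issues, including replacements and certificates for other hosts. The self-signed smtpd.crt must be trusted individually, which is what the last check in the demo shows: a client that only trusts rootCA.pem rejects it.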