foobar: ~ $ ./tls-mkdir.sh

*******************************************
Making CA directories (Certificate authority)
*******************************************
35. Make a Certificate Authority, type carefully in these steps. Set your
Common Name to the fully qualified hostname of your mailserver and make
sure the IP it is using matches forward and reverse or some mail clients
will continually complain.
*******************************************
Enter the details for your Certifcate Authority (CA)
*******************************************
Your common name is foobar.ledge.co.za
+ openssl req -config openssl.cnf -new -x509 -days 365 -keyout myca/private/cakey.pem -out myca/cacert.pem
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
.................................++++++
...............................++++++
writing new private key to 'myca/private/cakey.pem'
Enter PEM pass phrase: hello
Verifying password - Enter PEM pass phrase: hello
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: ZA
State or Province Name (full name) [Some-State]: Gauteng
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: ledge.co.za CA
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [foobar.ledge.co.za]:
Email Address []:
+ set +x
36. Make a new certificate
*******************************************
Enter the details for your server certificate
*******************************************
+ openssl req -config openssl.cnf -new -x509 -days 365 -keyout myca/private/mailkey.pem -out myca/private/mailkey.pem -nodes
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
..........++++++
.............................................++++++
writing new private key to 'myca/private/mailkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: ZA
State or Province Name (full name) [Some-State]: Gauteng
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: ledge.co.za mail server
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [foobar.ledge.co.za]:
Email Address []:
+ set +x
37. Sign the new certificate
*******************************************
Sign the certificate you have created with your CA key
*******************************************
+ openssl x509 -x509toreq -in myca/private/mailkey.pem -signkey myca/private/mailkey.pem -out tmp.pem
Getting request Private Key
Generating certificate request
+ openssl ca -config openssl.cnf -policy policy_anything -out myca/certs/mailcert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter PEM pass phrase: hello
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'ZA'
stateOrProvinceName   :PRINTABLE:'Gauteng'
organizationName      :PRINTABLE:'ledge.co.za mail server'
commonName            :PRINTABLE:'foobar.ledge.co.za'
Certificate is to be certified until Jan 22 16:43:21 2003 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
+ set +x
38. chmod 600 private/*
*******************************************
Overwriting SSL cert in /usr/ssl/myca: copying myca to /usr/ssl
*******************************************
+ cp -r myca /usr/ssl
cp: cannot create regular file `/usr/ssl/myca/private/cakey.pem': Permission denied
cp: cannot create regular file `/usr/ssl/myca/private/mailkey.pem': Permission denied
cp: cannot create regular file `/usr/ssl/myca/newcerts/01.pem': Permission denied
cp: cannot create regular file `/usr/ssl/myca/cacert.pem': Permission denied
cp: cannot create regular file `/usr/ssl/myca/index.txt': Permission denied
cp: cannot create regular file `/usr/ssl/myca/serial.old': Permission denied
cp: cannot create regular file `/usr/ssl/myca/index.txt.old': Permission denied
cp: cannot create regular file `/usr/ssl/myca/certs/mailcert.pem': Permission denied
cp: cannot create regular file `/usr/ssl/myca/serial': Permission denied
+ set +x
*******************************************
You must add these lines to your .mc file for STARTLS to work:
*******************************************

define(`CERT_DIR', `/usr/ssl/myca/certs')dnl
define(`KEY_DIR', `/usr/ssl/myca/private')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/../cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mailcert.pem')dnl
define(`confSERVER_KEY', `KEY_DIR/mailkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mailcert.pem')dnl
define(`confCLIENT_KEY', `KEY_DIR/mailkey.pem')dnl