OK, so I start the whole process over again?
Yes, look, I managed it:
- Creation of the certification authority (CA) certificate (the fields Country Name, State or Province Name,
Organization Name, Organizational Unit Name and Common Name must be filled in):
root@localhost:/etc/postfix/tls#/usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
......................................+++
.....................................+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Ile-de-France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet
Organizational Unit Name (eg, section) []:Internet
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 16232910896365154524 (0xe146e2746069b0dc)
Validity
Not Before: Nov 29 13:36:40 2013 GMT
Not After : Nov 28 13:36:40 2016 GMT
Subject:
countryName = FR
stateOrProvinceName = Ile-de-France
organizationName = Internet
organizationalUnitName = Internet
commonName = localhost
X509v3 extensions:
X509v3 Subject Key Identifier:
C3:D0:B8:7B:78:BA:24:B9:A5:B8:19:24:5D:AC:E3:90:7B:A3:C4:63
X509v3 Authority Key Identifier:
keyid:C3:D0:B8:7B:78:BA:24:B9:A5:B8:19:24:5D:AC:E3:90:7B:A3:C4:63
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 28 13:36:40 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
root@localhost:/etc/postfix/tls#
[mono]2) Creation of the private key for the SSL certificate (the fields Country Name, State or Province Name,
Organization Name and Organizational Unit Name must be filled in. Their values must be strictly
identical to those entered when creating the certification
authority certificate, except for Common Name, which must be the FQDN of the mail server,
here for example example.com). We use
the same pass phrase every time:[/mono]
root@localhost:/etc/postfix/tls#openssl req -new -nodes -keyout key.pem -out req.pem -days 36500
Generating a 2048 bit RSA private key
..................................................................................................................................................+++
.......................................................................................+++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Ile-de-France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet
Organizational Unit Name (eg, section) []:Internet
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- finally, creation of the SSL certificate. We use the same pass phrase every time:
root@localhost:/etc/postfix/tls# openssl ca -days 36500 -out cert.pem -infiles req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 16232910896365154525 (0xe146e2746069b0dd)
Validity
Not Before: Nov 29 13:37:15 2013 GMT
Not After : Nov 5 13:37:15 2113 GMT
Subject:
countryName = FR
stateOrProvinceName = Ile-de-France
organizationName = Internet
organizationalUnitName = Internet
commonName = example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
92:B3:D2:84:76:BF:6C:A3:72:14:C7:8A:C4:F5:F6:5A:B8:1A:41:47
X509v3 Authority Key Identifier:
keyid:C3:D0:B8:7B:78:BA:24:B9:A5:B8:19:24:5D:AC:E3:90:7B:A3:C4:63
Certificate is to be certified until Nov 5 13:37:15 2113 GMT (36500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@localhost:/etc/postfix/tls#
root@localhost:/etc/postfix/tls#ls
cert.pem demoCA key.pem req.pem
root@localhost:/etc/postfix/tls#
=> in the end I do have the private key key.pem and the SSL certificate cert.pem.
- Finally, in main.cf, I set the right paths:
# Path to the SSL certificate:
smtpd_tls_cert_file=/etc/postfix/tls/cert.pem
# Path to the private key:
smtpd_tls_key_file=/etc/postfix/tls/key.pem
I hadn't read your EDIT, so I tried starting from the second "code".
The result is not good, of course:
At the second question I pressed Enter, and the "canceled" doesn't look good to me, although... maybe it's talking about the old one it removed?
Anyway, I have to go out and I'll resume hostilities around 5 or 6 pm.
[code]Certificate is to be certified until Nov 5 13:50:34 2113 GMT (36500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]
CERTIFICATION CANCELED
[/code]
I've re-edited my previous post.
Start the procedure again, and at the last two questions, type y (yes).
I thought I would never get there, because when I redid the first phase it sent me straight back to the prompt.
I concluded that the CA certificate created earlier was still valid and carried on. I took my time to try not to screw anything up.
Great, I reached the right ending:
[code]Certificate is to be certified until Nov 5 17:11:41 2113 GMT (36500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[/code]
Restarted postfix and dovecot
Did a test send to ricardo AT free
Icedove asked me to accept the certificate
No insult like last time
A nice sound announcing the arrival of a mail on 'free'
I can see my message
Send me your invoice, but not too expensive all the same, for a "low-end" retiree.
I can finally mark this thread as solved, but I'll keep the link.
A biiiiiiiig THANK YOU
I don't really understand why you went to the trouble of a CA when there is a much simpler way to generate a plain self-signed certificate:
but well, if it works now, so much the better
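Both ways of producing the files discussed in this thread, scripted end to end with the checks worth running before editing main.cf: the CA-signed certificate from the walkthrough above (CA, server key and CSR, signing) and the plain self-signed certificate the last reply alludes to. This is an added example, not code from any poster; it assumes `openssl` is installed, and the host name mail.example.com, the subject values and the working directory (TLS_DIR, defaulting to a temporary directory) are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the thread: the CA-based procedure and the
# one-command self-signed alternative, scripted, with the checks a
# practitioner runs before pointing Postfix at the files. Assumes `openssl`
# on PATH. Host names, subject fields and the work directory are illustrative.
set -eu

WORK="${TLS_DIR:-$(mktemp -d)}"

# Subject fields reused for the CA and the server, as the walkthrough does.
dn_section() {   # $1 = Common Name
    printf '[dn]\nC = FR\nST = Ile-de-France\nL = Paris\nO = Internet\nOU = Internet\nCN = %s\n' "$1"
}

# 1) Private CA: self-signed, CA:TRUE, key usage limited to signing certs.
#    Postfix never reads cakey.pem; keep it out of /etc/postfix/tls.
make_ca() {
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n'
        dn_section "Internet Private CA"
        printf '[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
    } >"$WORK/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# 2) Server key + CSR, then 3) sign it with the CA. The CN is the mail host's
#    FQDN, but clients match subjectAltName, which `openssl ca` with the stock
#    config never adds, so it is set explicitly via an extension file.
make_server_cert() {   # $1 = FQDN
    fqdn="$1"
    { printf '[req]\nprompt = no\ndistinguished_name = dn\n'; dn_section "$fqdn"; } >"$WORK/server.cnf"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$fqdn" >"$WORK/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
        -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null
    # 825 days rather than 36500: a certificate that never expires can only be
    # retired by hand, and some clients reject very long validity periods.
    openssl x509 -req -in "$WORK/req.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/server.ext" -out "$WORK/cert.pem" 2>/dev/null
}

# The shortcut from the last reply: one self-signed certificate, no CA.
make_self_signed() {   # $1 = FQDN
    { printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'; dn_section "$1"
      printf '[ext]\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$1"; } >"$WORK/self.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 825 -config "$WORK/self.cnf" \
        -keyout "$WORK/self-key.pem" -out "$WORK/self-cert.pem" 2>/dev/null
}

# Checks. Each prints OK or FAIL so the result can be tested.
verify_chain() {       # cert.pem must chain to cacert.pem
    if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/cert.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
key_matches_cert() {   # $1 = key file, $2 = cert file; public keys must be identical
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    if [ "$k" = "$c" ]; then echo OK; else echo FAIL; fi
}
cert_has_san() {       # $1 = cert file, $2 = DNS name expected in subjectAltName
    if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then echo OK; else echo FAIL; fi
}

make_ca
make_server_cert mail.example.com
make_self_signed mail.example.com
echo "chain: $(verify_chain)  key/cert: $(key_matches_cert "$WORK/key.pem" "$WORK/cert.pem")  SAN: $(cert_has_san "$WORK/cert.pem" mail.example.com)"
echo "self-signed key/cert: $(key_matches_cert "$WORK/self-key.pem" "$WORK/self-cert.pem")"
echo "files in $WORK; main.cf: smtpd_tls_cert_file=$WORK/cert.pem smtpd_tls_key_file=$WORK/key.pem"
```

Postfix only needs cert.pem and key.pem. The CA certificate (cacert.pem) is what gets imported into Icedove or any other client so it stops prompting, and the CA key should never sit on the mail server. The subjectAltName is the part the interactive walkthrough does not produce: `openssl ca` with the stock openssl.cnf issues a CN-only certificate, and current clients validate the host name against subjectAltName, so such a certificate can still be refused even once the CA is trusted.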
No direct link with the above, but indirectly related.
Updated my desktop PC today and there was a notice about an SSL change, hence this info!
[code]libio-socket-ssl-perl (1.961-1) unstable; urgency=low
Upstream version 1.956 introduced the following major behaviour changes:
- BEHAVIOR CHANGE: make default cipher list more secure, especially
  - no longer support MD5 by default (broken)
  - no longer support anonymous authentication by default (vulnerable to man in
    the middle attacks)
  - prefer ECDHE/DHE ciphers and add necessary ECDH curve and DH keys, so that
    it uses by default forward secrecy, if underlying Net::SSLeay/openssl
    supports it
  - move RC4 at the end, e.g. 3DES is preferred (BEAST attack should hopefully
    been fixed and now RC4 is considered less safe than 3DES)
  - default SSL_honor_cipher_order to 1, e.g. when used as server it tries to
    get the best cipher even if client preferes other ciphers
  PLEASE NOTE that this might break connections with older, less secure
  implementations. In this case revert to 'ALL:!LOW:!EXP:!aNULL' or so.
- BEHAVIOR CHANGE: SSL_cipher_list now gets set on context not SSL object and
  thus gets reused if context gets reused. PLEASE NOTE that using
  SSL_cipher_list together with SSL_reuse_ctx has no longer effect on the
  ciphers of the context.
- rework hostname verification schemes
  - BEHAVIOR CHANGE: fix SMTP - now accept wildcards in CN and subjectAltName
  - BEHAVIOR CHANGE: fix IMAP, POP3, ACAP, NNTP - now accept wildcards in CN
  - BEHAVIOR CHANGE: anywhere wildcards like www* now match only 'www1', 'www2'...
    but not 'www'
:
-- Salvatore Bonaccorso carnil@debian.org  Wed, 27 Nov 2013 15:34:34 +0100
:
[/code]