What is the role of cakey.pem and cacert.pem in addition to .key and .crt based encryption

You don’t need a Certificate authority. A self-signed certificate is perfectly valid by itself. Indeed, it is its own CA.

If you want to use a dedicated CA, you need to sign smtpd.crt with the CA instead. CAs are used to establish a chain of trust. If a client trusts a CA, it automatically trusts all certificates signed by it.

Here’s a guide to create a self-signed CA and sign a certificate with it, taken from Parallels:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 730

Daniel B

Posted 2014-04-26T09:21:15.580

Reputation: 40 502

I think I do need CA. If I, for example, omit to specify smtpd_tls_CAfile, it wont work. here is reference

– greenV – 2014-04-26T09:40:28.650

Well, the guide is broken. The way the certificates are generated, they have no relation whatsoever. I’ll edit the post to include a guide from Parallels. – Daniel B – 2014-04-26T09:53:41.797

true for broken guide and also for generating CA. Thank you! – greenV – 2014-04-26T18:09:28.787

What is the role of cakey.pem and cacert.pem in addition to .key and .crt based encryption

Answers