# Edit this file to configure the various parameters of the server key and
# certificate. This file is included by the main Makefile, so it must
# follow GNU Make syntax.

# Most likely all you need to configure is the target called
# restart. The default values of all other parameters and rules should
# suffice. However, do read through the entire file before deploying,
# just in case.

# You can also define additional targets here. However, avoid the
# following target names: key, restart, obliterate, dsa.param, dh.param,
# and any target whose name starts with help, show or expire.

# Action to be performed to restart the server. This is also the right
# place for any other commands that must run alongside the restart, such
# as copying the private key and certificates to another location or
# merging them into a single file. (Keep the private key's restrictive
# file permissions when copying it.)

# Example (each line after the target is one recipe command, tab-indented):
# restart :
# 	/etc/rc.d/postfix restart
# 	/etc/rc.d/lighttpd restart

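# Hook that restarts the server after a new key/certificate is in place.
# Declared phony so that a stray file named "restart" in the working
# directory can never make this target look up to date and silently skip
# the restart.  Replace the echo with the real restart command(s); chain
# several commands with && so that a failure stops make.
.PHONY: restart
restart:
	@echo "WARNING: No restart action defined, server will have to be manually restarted"
	@# Replace the echo above with the actual restart commands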


# WARNING: Read through the rest of the file and configure it only if
# absolutely necessary. Most likely, you would not need to configure
# the rest of the file.


# Action to be performed before the key is generated.

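# Hook executed before the private key is generated.  Declared phony so
# that a file named "before-key" can never satisfy the target and cause
# the hook to be skipped.  Put any preparatory commands here (for
# example, creating the output directory with restrictive permissions
# before the key file is written).
.PHONY: before-key
before-key:
	@echo "No pre key-generation operations defined"
	@# Pre key-generation commands can be put here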


#########################################################
###		Key parameters		              ###
#########################################################


# The next few variables configure the key parameters. You don't need
# to edit any of them; the values are chosen to be the best possible.


# What kind of key is to be generated.
# WARNING: Firefox 3 seems to have trouble with DSA keys, so to be
# safe use RSA keys, although DSA would probably have been much
# better.

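# Possible values are rsa or dsa.
#
# Keep the explanatory comments on their own lines: in GNU Make every
# character before the '#' of a trailing comment -- including the tabs
# and blanks that separated the value from the comment -- becomes part
# of the variable, so a value written as "rsa   # ..." is not equal to
# "rsa" in ifeq tests or target names.  Simple (:=) assignment is used
# because the values are plain literals with nothing to expand later.
KEY_TYPE := rsa
# KEY_TYPE := dsa

# Size of the key in bits.
KEY_SIZE := 2048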

# It is a good idea to keep the key encrypted. However, for server
# keys it can be a pain, as every restart of the server will require
# the passphrase to be typed in. Choose the encryption method here. By
# default we use unencrypted keys; in this case make sure that the key
# files are not accessible to untrusted users, for otherwise the server
# will be compromised.

# A passphrase is asked for while the key is generated unless you have
# chosen the noencrypt option.

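# Encryption applied to the private key file.  The comment is kept off
# the assignment line on purpose: GNU Make keeps the whitespace between
# the value and a trailing '#' as part of the value, so "noencrypt<TAB>"
# would not compare equal to "noencrypt".
#
# noencrypt : no encryption (default; protect the key file by permissions)
# des3      : triple DES
# idea      : IDEA cipher
# des       : single DES -- a 56-bit cipher, not considered adequate
#             protection today; prefer des3 if the key is to be encrypted
KEY_ENCRYPT := noencrypt
# KEY_ENCRYPT := des3
# KEY_ENCRYPT := idea
# KEY_ENCRYPT := des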



##################################################################
##		Diffie-Hellman Parameters			##
##################################################################

# The size of the DH parameters. This improves the forward secrecy of
# the server's connections. Generating them is a one-time job but will
# take some time.

DH_PARAM_SIZE=1024


# Here is a description of all relevant files; it may help you
# configure the rules above.

#  (1) private.pem : The private key. Generated by make key.

#  (2) request.pem : The corresponding request. Generated by make key.

#  (3) certificate.pem : The server certificate. This is usually signed by
#         the server CA, so it is not generated here.


# The next set of files are required only in special circumstances.
# They are never generated; their sources are external to the server.


#  (4) clientCA.pem : Certificate of the CA that signs all authorized
#	  clients.  Used by servers that authenticate clients via
#	  X509 certificates. Not generated.

#  (5) clientCRL.pem : Certificate revocation list of clients. Normally
#         issued by the client CA.

#  (6) serverCA.pem : Certificate of the CA that signs other
#	 servers. This is required if the server is a client of
#	 another server; for example, consider a postfix server that
#	 relays its mail through another server.  Not generated.

#  (7) serverCRL.pem : Certificate revocation list of servers. Normally
#        issued by the server CA.