I wonder if it is okay to generate a key pair (.key and .cert files) for DKIM like this:

openssl req -newkey rsa:2048 -sha256 -x509 -nodes -days 3650 -keyout dkim-rsa.key -out dkim-rsa.cert

By reading RFC 6376 I can see that standards only demand RSA algorithm sha256 and maximum length of 2048. Are there any other recommendations that you would have for me before I create the keys?

71GA

1 Answer

With DKIM you don't create an X.509 certificate, but just private and public keys:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

As the public key is not given in the message but fetched from the DNS it doesn't require the additional features of an X.509 certificate.

Esa Jokinen
  • Could you elaborate a bit more on this sentence: "As the public key is not given in the message but fetched from the DNS it doesn't require the additional features of an X.509 certificate." – 71GA Dec 30 '20 at 07:37
  • It doesn't require to be signed by a PKI like e.g. TLS certificates, as the DNS is its PKI. If you need a stronger PKI for your DKIM, you could protect your DNS zone with DNSSEC. – Esa Jokinen Dec 31 '20 at 13:56
  • Ah! So I can treat DNS as a CA (not trusted), but if I use DNSSEC DNS is like a trusted CA? – 71GA Dec 31 '20 at 14:14
  • It's a similar PKI, but unlike with TLS it's not based on multiple independent root CAs that all can issue certificates for any hostname. – Esa Jokinen Jan 01 '21 at 11:49
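Added example (not from the original answer): a POSIX shell script that creates the key pair exactly as the answer does, turns the public key into the TXT record a DKIM verifier fetches from DNS, and checks that this record alone, with no X.509 certificate involved, is enough to verify a signature. The selector `s1` and the domain `example.org` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answer. Shows the DKIM flow the
# answer describes: a bare RSA key pair, the public half published in DNS,
# and a verifier that needs nothing beyond that DNS record.
set -eu

# Create the pair in directory $1 the way the answer does (no X.509 step).
dkim_genkeys() {
    dir="$1"
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    openssl rsa -in "$dir/private.key" -pubout -out "$dir/public.key" 2>/dev/null
}

# Build the value of the TXT record at <selector>._domainkey.<domain>:
# "v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo, PEM armour stripped>".
# Note: a 2048-bit key yields a p= value longer than one 255-byte TXT
# string, so zone files must split it into several quoted strings.
dkim_txt_record() {
    pub="$1"
    p=$(grep -v '^-----' "$pub" | tr -d '\n')
    printf 'v=DKIM1; k=rsa; p=%s' "$p"
}

# Simulate a verifier: rebuild a PEM public key from the p= field of the
# record and verify a SHA-256 RSA signature made with the private key.
# Returns 0 on a valid signature, non-zero otherwise.
dkim_verify_with_record() {
    dir="$1"; record="$2"; msg="$3"
    p=$(printf '%s' "$record" | sed 's/.*p=//')
    { printf -- '-----BEGIN PUBLIC KEY-----\n'
      printf '%s' "$p" | fold -w 64
      printf '\n-----END PUBLIC KEY-----\n'; } > "$dir/from_dns.pem"
    printf '%s' "$msg" > "$dir/msg.txt"
    openssl dgst -sha256 -sign "$dir/private.key" \
        -out "$dir/msg.sig" "$dir/msg.txt"
    openssl dgst -sha256 -verify "$dir/from_dns.pem" \
        -signature "$dir/msg.sig" "$dir/msg.txt" >/dev/null 2>&1
}

# Stand-alone run: print the DNS record and confirm it verifies a signature.
tmp=$(mktemp -d)
dkim_genkeys "$tmp"
rec=$(dkim_txt_record "$tmp/public.key")
echo "s1._domainkey.example.org. IN TXT \"$rec\""
if dkim_verify_with_record "$tmp" "$rec" "constructed test message"; then
    echo "signature verified using only the DNS record"
fi
```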