On Mon, Nov 10, 2008 at 06:36:53PM -0500, Carlos Williams wrote:

> On Mon, Nov 10, 2008 at 5:26 PM, Noel Jones <[EMAIL PROTECTED]> wrote:
> > Yes, the FQDN of the server is encoded in the certificate.  If you rename
> > the server, you must get a new certificate (or generate a new one if
> > self-signed).
> >
> > If your existing verisign certificate is a "server" type certificate with
> > the right FQDN, you should be able to use it with postfix.
> 
> My mail server has a Verisign SSL Server Certificate installed which
> Apache is using. Can Postfix use the same certificate?
> 
> I am guessing I just need to change the paths leading to the Verisign
> certificates in my main.cf, right?

Postfix (like apache) needs both a public key certificate and the
corresponding private key. These can be stored in quite a variety
of product dependent ways. The following are supported by Postfix.

    1.
        - Root owned mode 0600 (typically RSA) private key in PEM format
        - Separate, root owned mode 0644 certificate file in PEM format,
          with any intermediate CA certs listed after the server cert,
          depth first.

    2.
        - Root owned mode 0600 (typically RSA) private key in PEM format
          also containing the server cert and any intermediate CA certs
          as above.

The following are NOT supported:

        * Password protected private key

        * Private key or server cert in DER format

        * Server cert trust chain in PKCS#7 file (PEM or DER)

        * Private key and cert trust chain in PKCS#12 file (DER or PEM)

        * Intermediate CA certs stored separately, one PEM file
          per CA.

If Apache uses "1" or "2" above, you can share the keys directly, otherwise
you can convert the Apache keys from their native format to "1" or "2".

The conversion utilities are:

        openssl rsa:    private key DER -> PEM
        openssl x509:   certificate DER -> PEM
        openssl pkcs7:  trust chain PKCS7 to PEM trust chain
        openssl pkcs12: key and trust chain -> PEM key and certs

In Windows land, all files are DER (binary ASN.1 not PEM) format and:

        single cert     == .cer file
        PKCS#7 chain    == .spc file
        PKCS#12         == .pfx file

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[EMAIL PROTECTED]>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
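The conversions and the two supported layouts from the message above, worked through as an added example (a POSIX shell script written for this page, not code from Viktor's mail or from Postfix). It assumes the `openssl` command-line tool is installed; every file name, the password `constructed` and the root/intermediate/server test CA it generates are constructed for the script so it runs offline. The `check_layout` step is the sanity check worth running before pointing `main.cf` at the files: the key file is mode 0600, the private key really belongs to the first certificate in the cert file, and the cert file carries the expected number of certificates.

```shell
#!/bin/sh
# Added example (not from the original mail or Postfix): convert key material from the
# Windows/DER formats listed above (DER key, .cer, .spc, .pfx) into the two PEM layouts
# Postfix accepts, then sanity-check the result. All file names, the password and the
# test CA below are constructed for this script.
set -eu

# --- The converters named in the mail -----------------------------------------
der_key_to_pem()   { openssl rsa  -inform DER -in "$1" -out "$2"; }   # DER key -> PEM key
der_cert_to_pem()  { openssl x509 -inform DER -in "$1" -out "$2"; }   # .cer    -> PEM cert
spc_chain_to_pem() { openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"; }  # .spc -> PEM certs
# .pfx (password $2) -> three PEM files in $3: key.pem, server.pem (end entity), chain.pem (CA certs)
pfx_to_pem() {
    mkdir -p "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts -out "$3/key.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3/server.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$3/chain.pem"
}

# --- The two layouts Postfix supports ------------------------------------------
# Layout 1: 0600 key file plus a 0644 cert file: server cert first, then the intermediate
# CA certs, each followed by its issuer (depth first). The non-PEM text that openssl pkcs12
# and pkcs7 emit between blocks ("Bag Attributes", subject=) is ignored by PEM readers.
assemble_layout1() {   # key.pem server.pem chain.pem outdir
    mkdir -p "$4"
    cat "$1"      > "$4/postfix-key.pem";  chmod 0600 "$4/postfix-key.pem"
    cat "$2" "$3" > "$4/postfix-cert.pem"; chmod 0644 "$4/postfix-cert.pem"
}
# Layout 2: one 0600 file holding key, server cert and intermediates, in that order.
assemble_layout2() {   # key.pem server.pem chain.pem outdir
    mkdir -p "$4"
    cat "$1" "$2" "$3" > "$4/postfix-combined.pem"; chmod 0600 "$4/postfix-combined.pem"
}

# --- Checks worth running before pointing main.cf at the files -----------------
# keyfile is mode 0600, its RSA modulus equals that of the first cert in certfile (the
# key really belongs to the server cert), and certfile holds the expected cert count.
check_layout() {       # keyfile certfile expected_cert_count
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || { echo "expected mode 600 on $1, got $mode" >&2; return 1; }
    kmod=$(openssl rsa  -noout -modulus -in "$1")
    cmod=$(openssl x509 -noout -modulus -in "$2")
    [ "$kmod" = "$cmod" ] || { echo "private key does not match server cert" >&2; return 1; }
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$2")
    [ "$n" -eq "$3" ] || { echo "expected $3 certs in $2, found $n" >&2; return 1; }
}

# --- Constructed test material: root -> intermediate -> server, then re-saved in the
# Windows-style formats so that every converter above gets exercised -----------------
make_test_material() {   # outdir
    d="$1"; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
        -days 30 -subj '/CN=Constructed Test Root' 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj '/CN=Constructed Test Intermediate' 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
        -subj '/CN=mail.example.test' 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/server.pem" 2>/dev/null
    openssl rsa  -in "$d/server.key" -outform DER -out "$d/server.key.der" 2>/dev/null
    openssl x509 -in "$d/server.pem" -outform DER -out "$d/server.cer"
    openssl crl2pkcs7 -nocrl -certfile "$d/int.pem" -outform DER -out "$d/chain.spc"
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.pem" -certfile "$d/int.pem" \
        -passout pass:constructed -out "$d/bundle.pfx"
}

# End-to-end run in a scratch directory; returns 0 only when both layouts pass check_layout.
demo() {
    d=$(mktemp -d)
    make_test_material "$d"
    # Path A: DER key + .cer + .spc -> layout 1 (this .spc holds only the intermediate;
    # if a .spc also holds the server cert, its PEM output can serve as the whole cert file)
    der_key_to_pem   "$d/server.key.der" "$d/a-key.pem"
    der_cert_to_pem  "$d/server.cer"     "$d/a-server.pem"
    spc_chain_to_pem "$d/chain.spc"      "$d/a-chain.pem"
    assemble_layout1 "$d/a-key.pem" "$d/a-server.pem" "$d/a-chain.pem" "$d/layout1"
    check_layout "$d/layout1/postfix-key.pem" "$d/layout1/postfix-cert.pem" 2
    # Path B: .pfx -> layout 2 (key file and cert file are the same file)
    pfx_to_pem "$d/bundle.pfx" constructed "$d/b"
    assemble_layout2 "$d/b/key.pem" "$d/b/server.pem" "$d/b/chain.pem" "$d/layout2"
    check_layout "$d/layout2/postfix-combined.pem" "$d/layout2/postfix-combined.pem" 2
    echo "OK: both Postfix layouts assembled under $d"
}

case "${1:-}" in run) demo ;; esac
```

Run it as `sh convert.sh run`; it prints the scratch directory holding `layout1/` and `layout2/`. On a real server the same `check_layout` call against the files named in `smtpd_tls_key_file` and `smtpd_tls_cert_file` catches the two mistakes that most often leave Postfix refusing to start TLS: a key copied from Apache's directory with the wrong mode, or a certificate file whose first block is not the certificate that matches the key.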
