On Thu, Jan 13, 2011 at 07:06:48PM -0500, Victor Duchovni wrote:

> > # Export certificate
> > openssl pkcs12 -in original.pfx -out hsserver01.cer -nodes
> 
> This takes in PKCS12 and outputs an unencrypted PKCS12. Not a good idea,
> your private key is compromised, unless your umask was 077.

Oops, while the "umask 077" is indeed required, this does produce a PEM
file with a usable key and certificate, provided the OpenSSL library
behind the pkcs12 command is not substantially newer than the one Postfix
is linked with. If the command is from OpenSSL 1.0.0, it will generate
a new-style PKCS#8 "generic" private key, while Postfix linked against
0.9.8 will probably want an RSA key.

You may need to run "openssl rsa" to convert this to an RSA key, which
then needs to replace the

    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

with:

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

-- 
        Viktor.
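
The export and conversion described in this message, as a shell function. This is an added example, not part of the original mail: the function name `pfx_to_rsa_pem`, its arguments and the temporary file names are hypothetical, and it assumes the PKCS#12 file holds an RSA key. The `-traditional` attempt is there because `openssl rsa` in OpenSSL 3.x writes PKCS#8 unless told otherwise, while older releases do not know the option and write the RSA form by default.

```shell
#!/bin/sh
# pfx_to_rsa_pem PFX OUT PASSIN
#   PFX     input PKCS#12 file
#   OUT     output PEM file (RSA-format key followed by the certificates)
#   PASSIN  OpenSSL pass-phrase source, e.g. file:/path/to/secret or env:VAR
pfx_to_rsa_pem() {
    pfx=$1; out=$2; passin=$3
    (
        umask 077                       # every file created below is mode 0600
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT       # leave no stray copies of the key

        # Private key only, unencrypted. OpenSSL 1.0.0 and later emit
        # "BEGIN PRIVATE KEY" (PKCS#8) here.
        openssl pkcs12 -in "$pfx" -passin "$passin" -nocerts -nodes \
            -out "$tmp/p8.pem" || exit 1

        # Re-encode as "BEGIN RSA PRIVATE KEY". Editing the header lines by
        # hand is not enough, the DER structure inside differs.
        openssl rsa -in "$tmp/p8.pem" -traditional -out "$tmp/key.pem" 2>/dev/null ||
            openssl rsa -in "$tmp/p8.pem" -out "$tmp/key.pem" 2>/dev/null || exit 1
        grep -q '^-----BEGIN RSA PRIVATE KEY-----$' "$tmp/key.pem" || exit 1

        # Certificates only, with the "Bag Attributes" text stripped.
        openssl pkcs12 -in "$pfx" -passin "$passin" -nokeys -out "$tmp/bag.pem" || exit 1
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
            "$tmp/bag.pem" > "$tmp/cert.pem"

        # Assemble under the restrictive umask, then move into place so a
        # pre-existing OUT with looser permissions is replaced, not reused.
        cat "$tmp/key.pem" "$tmp/cert.pem" > "$tmp/bundle.pem" || exit 1
        mv -f "$tmp/bundle.pem" "$out"
    )
}
```

A non-RSA key makes `openssl rsa` fail, and the function then returns non-zero without writing OUT.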
