On Fri, Apr 05, 2013 at 11:06:16AM -0400, Peter L. Berghold wrote:
> On Fri, Apr 05, 2013 at 10:57:42AM -0400, Vitaly Tskhovrebov wrote:
> > Include intermediary certs in your chain.
>
> I think I have... what I did was get their ca.cert via a wget and then I
> manually downloaded their Class 1 Intermediate Server CA and their
> Class 2 Intermediate Server CA and added those to the bundle file.
>
> Maybe I have to grab Class3 and Extended Validation as well?
>
> I also wonder about the client intermediate certs but am doubtful I
> need those as well.
http://www.postfix.org/TLS_README.html#server_cert_key

The right place to put intermediate certificates is in the server
certificate file. Not just any random collection of such certificates,
but the particular ones that issued your server certificate.

    smtpd.pem:

    -----BEGIN CERTIFICATE-----
    base-64 line-noise for your certificate "S"
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    base-64 line-noise for the issuing "I1" of your server certificate "S"
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    base-64 line-noise for the issuing "I2" of CA certificate "I1"
    -----END CERTIFICATE-----
    ...
    -----BEGIN CERTIFICATE-----
    base-64 line-noise for the issuing "I<N>" of CA certificate "I<N-1>"
    -----END CERTIFICATE-----

The certificate I<N> should either be a root CA, or an immediate child
of a root CA. With RFC 6698 (DANE TLSA), if you some day want to publish
the digest of your preferred root CA via DNS, you must include the root
CA in your trust chain. Otherwise, with legacy public CAs, the verifier
is expected to already have the root CA certificate in hand.

-- 
	Viktor.
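The following is an added example, not code from the thread, from Postfix or from the TLS_README. It builds a throwaway three-level PKI (root, intermediate "I1", server cert "S") with openssl, assembles smtpd.pem in the order the reply describes, and then runs the two checks a practitioner would want before restarting Postfix: that each certificate in the file is issued by the one that follows it, and that a verifier holding only the root accepts the bundle while a bare server cert (the situation in the quoted question) or a misordered bundle is rejected. It also computes the SPKI digest of the root that a "2 1 1" TLSA record would carry, for the DANE case. All names (mail.example.com, "Example Root CA", the file names under the temporary directory) are made up for the example; it assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example: constructed test PKI and chain checks, not Postfix code.
# Assumes OpenSSL 1.1.1+ (for -verify_hostname and -nameopt RFC2253).
set -eu

# split_pem BUNDLE PREFIX: write the N-th certificate in BUNDLE to PREFIX.N
split_pem() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = p "." n }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# chain_order_ok BUNDLE: succeed iff for every adjacent pair (cert i, cert i+1)
# the issuer DN of cert i equals the subject DN of cert i+1, i.e. the file
# reads S, I1, I2, ... leaf first, exactly as the smtpd.pem layout above.
# A single-certificate file passes trivially (there is nothing to order).
chain_order_ok() {
    d=$(mktemp -d); split_pem "$1" "$d/c"; i=1; ok=0
    while [ -f "$d/c.$((i + 1))" ]; do
        iss=$(openssl x509 -in "$d/c.$i" -noout -issuer -nameopt RFC2253)
        sub=$(openssl x509 -in "$d/c.$((i + 1))" -noout -subject -nameopt RFC2253)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || ok=1
        i=$((i + 1))
    done
    rm -rf "$d"; return $ok
}

# verify_chain ROOT BUNDLE HOST: emulate a client that trusts only ROOT and
# receives BUNDLE from the server: the FIRST certificate is taken as the
# server's identity, the rest are untrusted helpers used to reach ROOT.
verify_chain() {
    d=$(mktemp -d); split_pem "$2" "$d/c"; rc=0
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$3" \
        "$d/c.1" >/dev/null 2>&1 || rc=$?
    rm -rf "$d"; return $rc
}

# tlsa_211 CERT: SHA-256 over CERT's SubjectPublicKeyInfo, the data field of a
# "2 1 1" TLSA record (DANE-TA, SPKI selector, SHA-256) naming CERT as the
# trust anchor; with such a record the root must be in smtpd.pem.
tlsa_211() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | sed 's/^.*= *//'
}

# --- constructed test PKI in a temporary directory ---------------------------
WORK=$(mktemp -d)
mkcsr() {  # mkcsr NAME CN: fresh RSA key plus CSR under $WORK
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' >"$WORK/leaf.ext"

mkcsr root "Example Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
mkcsr i1 "Example Intermediate I1"
openssl x509 -req -in "$WORK/i1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/i1.pem" 2>/dev/null
mkcsr s mail.example.com
openssl x509 -req -in "$WORK/s.csr" -CA "$WORK/i1.pem" -CAkey "$WORK/i1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/s.pem" 2>/dev/null

cat "$WORK/s.pem" "$WORK/i1.pem"                  >"$WORK/smtpd.pem"       # S, I1: legacy PKI, root omitted
cat "$WORK/s.pem" "$WORK/i1.pem" "$WORK/root.pem" >"$WORK/smtpd-dane.pem"  # S, I1, root: for a 2 1 1 TLSA record
cat "$WORK/i1.pem" "$WORK/s.pem"                  >"$WORK/wrong.pem"       # misordered: client sees I1 as "the" cert

for f in smtpd.pem smtpd-dane.pem wrong.pem s.pem; do
    chain_order_ok "$WORK/$f" && o=ordered || o=MISORDERED
    verify_chain "$WORK/root.pem" "$WORK/$f" mail.example.com && v=verifies || v=FAILS
    echo "$f: $o, $v"
done
echo "TLSA 2 1 1 data for root: $(tlsa_211 "$WORK/root.pem")"
```

s.pem alone is "ordered" (nothing to order) yet fails verification: that is the missing-intermediate case. wrong.pem fails because the client treats the first certificate in the file as the server's identity, so ordering, not just membership, is what matters. The checks run on the assembled file before it is handed to Postfix, so a mistake shows up here rather than in a remote MTA's log.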