On Wed, Jan 22, 2014 at 03:07:33PM -0500, Ben Johnson wrote:

> I created the certificate with the following command:
>
> $ cat example_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt >
> /root/ssl/example.com.pem

To verify that the file is well-formed try the below:

    openssl crl2pkcs7 -nocrl -certfile /root/ssl/example.com.pem |
        openssl pkcs7 -print_certs -text | less

You should see the verbose decoding of the certificates in the
correct order.

> # TLS parameters
> smtpd_tls_cert_file = /root/ssl/example.com.pem
> smtpd_tls_key_file = /root/ssl/example.com.key
> smtpd_use_tls = yes
>
> But when I attempt to verify the certificate chain, I always receive
> "19:self signed certificate in certificate chain".

There is nothing wrong with that; the client did not have a suitable
CAfile or CApath configured. Very few SMTP clients do.

> $ openssl s_client -connect example.com:25 -starttls smtp

No -CAfile or -CApath options in this command-line.

>  0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.com
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL
> CA 2
>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL
> CA 2
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
>  2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root

This chain is good.

> What might the problem be? Isn't the last certificate in the chain
> *supposed to be* self-signed?

There is no problem.

--
Viktor.
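
Added example, not part of the original message: a shell function that reads the "Certificate chain" block of `openssl s_client` output and checks, by name only, that each certificate's issuer is the subject of the next one sent. The names `check_chain` and `sample_chain` are hypothetical, and the sample input is constructed from the chain quoted above with the wrapped lines rejoined.

```shell
#!/bin/sh
# Added example (not from the original message): check the ordering of the
# "Certificate chain" block that `openssl s_client` prints.

# Constructed sample: the chain quoted in the message, wrapped lines rejoined.
sample_chain() {
cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
EOF
}

# check_chain (hypothetical helper): reads s_client output on stdin.
# Compares names only; it does not verify signatures.
# Exit status: 0 = each issuer matches the next subject, 1 = order break,
# 2 = no chain block found.
check_chain() {
    awk '
    BEGIN { n = 0; bad = 0 }
    # "N s:<subject>" opens entry N; the "i:<issuer>" line after it closes it.
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    /^ *i:/ && n > 0 { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
    END {
        if (n == 0) { print "no certificate chain found"; exit 2 }
        for (k = 0; k < n - 1; k++)
            if (iss[k] != subj[k + 1]) {
                printf "BREAK: issuer of cert %d is not the subject of cert %d\n", k, k + 1
                bad = 1
            }
        if (iss[n - 1] == subj[n - 1])
            printf "cert %d is self-signed\n", n - 1
        else
            printf "cert %d is not self-signed (its issuer was not sent)\n", n - 1
        if (bad) exit 1
        print "chain order OK"
    }'
}

# Stand-alone run on the constructed sample.
sample_chain | check_chain
```

Pipe the output of the `s_client` command from the message into `check_chain` to test a live server. Adding `-CAfile` or `-CApath` to that command is what gives `s_client` a trust anchor to verify the self-signed root against.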