On Fri, Apr 18, 2014 at 02:35:45PM -0400, Charles Marcus wrote:

> I don't even know the difference between a .pem and .crt, and definitely
> don't have a clue when it comes to chaining certs or anything.
Those are just file names. File extensions having meaning is a CP/M and
Windows concept.

X.509 certificates come in a few data formats:

- Binary ASN.1 DER format containing a single certificate. Not
  directly usable by Postfix.

- ASCII PEM format certificate, which is the base64 encoding of the
  above DER form sandwiched between "-----BEGIN CERTIFICATE-----" and
  "-----END CERTIFICATE-----" lines.

- PEM certificate chain file. Multiple certificates between
  BEGIN...END lines. This is what Postfix needs for the server
  certificate, with the leaf (server) certificate first, and each
  issuer directly following its subject certificate.

- PKCS#7 binary ASN.1 container of multiple certificates. Not
  directly usable by Postfix.

- PKCS#12 binary password-protected ASN.1 container of a private key
  and associated certificates. Not directly usable by Postfix.

> > http://www.postfix.org/TLS_README.html#server_cert_key
>
> Thanks, but, honestly, that is all over my head...

You concatenate the server and issuer certificate (both MUST be in PEM
format) into a single file.

    -----BEGIN CERTIFICATE-----
    ... server certificate line noise ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ... issuer (intermediate) CA certificate line noise ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ... issuer of above CA certificate line noise ...
    -----END CERTIFICATE-----
    ...
    -----BEGIN CERTIFICATE-----
    ... certificate issued by self-signed root CA ...
    -----END CERTIFICATE-----

> > No. The correct approach is at:
> >
> >     http://www.postfix.org/TLS_README.html#server_cert_key
> >
> > With legacy public CA trust verification, you can omit the root
> > certificate from the "server.pem" certificate file. If the
> > client trusts the root CA, it will already have a local copy
> > of the root CA certificate. Omitting the root CA certificate
> > reduces the size of the server TLS handshake.
> >
> >     % cat server_cert.pem intermediate_CA.pem > server.pem
>
> Thanks again, Victor, but again, that is all over my head.

The "cat ..." command is too difficult?

-- 
	Viktor.
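The chain-building step described in this thread, as an added worked example that is not part of the original post or of Postfix itself: it generates a throwaway root -> intermediate -> leaf PKI with the openssl CLI, builds server.pem exactly as the "cat" command above does (leaf first, issuer next, self-signed root left out), then checks the ordering rule from the post (each certificate must be the issuer of the one before it) and verifies the leaf the way a client that trusts only the root would. The CA names, the hostname mail.example.com, the file names and the shell functions are all made up for the example; it assumes an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example, not from the list post or from Postfix: build the PEM chain
# file Postfix wants (leaf first, each issuer directly after its subject,
# self-signed root omitted) and check the result with the openssl CLI.
# The CA names, hostname, file names and shell functions are all made up.
set -eu

# Minimal openssl req config so the demo does not depend on the system
# openssl.cnf; the [v3_ca] section is applied to the self-signed root only.
write_req_config() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Constructed throwaway PKI: root CA -> intermediate CA -> mail server leaf.
build_demo_pki() {
    dir=$1
    write_req_config "$dir"
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid' > "$dir/ca.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' 'subjectAltName = DNS:mail.example.com' > "$dir/leaf.ext"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.com" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/server_cert.pem" 2>/dev/null
}

# The one command from the post: leaf first, then its issuer. The root is
# left out on purpose; a client that trusts it already has its own copy.
build_chain() {
    cat "$1/server_cert.pem" "$1/int.pem" > "$1/server.pem"
}

# Check the ordering rule: cert N+1 must be the issuer of cert N.
# Returns 0 when the file is a properly ordered chain, 1 otherwise.
chain_order_ok() {
    chain=$1
    split=$(mktemp -d)
    # Split the PEM file into one numbered file per BEGIN/END block.
    awk -v dir="$split" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$chain"
    n=0; prev_issuer=""
    for f in "$split"/cert*.pem; do
        n=$((n + 1))
        subject=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
        issuer=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer= *//')
        if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
            echo "cert $n ($subject) is not the issuer of cert $((n - 1)) ($prev_issuer)" >&2
            rm -rf "$split"; return 1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$split"
    [ "$n" -ge 1 ]
}

# What a client with the root in its trust store does: verify the leaf
# (first cert in server.pem) using the rest of server.pem as untrusted
# intermediates and root.pem as the only trust anchor.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/server.pem" "$1/server_cert.pem" >/dev/null
}

main() {
    work=$(mktemp -d)
    build_demo_pki "$work"
    build_chain "$work"
    chain_order_ok "$work/server.pem"
    echo "server.pem: leaf first, issuer next: OK"
    verify_chain "$work"
    echo "server.pem: leaf verifies with only root.pem trusted: OK"
    rm -rf "$work"
}
main
```

Run it as-is to see both checks pass; swap the two arguments of the cat in build_chain (intermediate first) and chain_order_ok reports the misordered certificate, which is the mistake the ordering rule in the post is there to prevent. The verify step deliberately passes root.pem only as -CAfile, never as part of server.pem, to show that the chain file works without the root.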