On 4/18/2014 3:06 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
On Fri, Apr 18, 2014 at 02:35:45PM -0400, Charles Marcus wrote:
No.  The correct approach is at:

     http://www.postfix.org/TLS_README.html#server_cert_key

     With legacy public CA trust verification, you can omit the root
     certificate from the "server.pem" certificate file. If the
     client trusts the root CA, it will already have a local copy
     of the root CA certificate. Omitting the root CA certificate
     reduces the size of the server TLS handshake.

        % cat server_cert.pem intermediate_CA.pem > server.pem
Thanks again, Viktor, but again, that is all over my head.
The "cat ... " command is too difficult?

No, not at all... I even recall doing that when I first added these years ago.

But I had found a guide, and it apparently was easier (or at least less confusing to me) when using self-signed certs...

Ok, if you are willing, could you check me?

X.509 certificates come in a few data formats:

     - Binary ASN.1 DER format containing a single certificate.
       Not directly usable by Postfix.

     - ASCII PEM format certificate which is the base64 encoding of the
       above DER form sandwiched between "-----BEGIN CERTIFICATE-----" and
       "-----END CERTIFICATE-----" lines.

Ok, the cert I got from RapidSSL was a single cert in the email body, sandwiched between -----BEGIN----- and -----END----- lines.

So, that is the 'ASCII PEM format' cert above, and all I need to do is rename it from .crt to .pem and change the config reference? Or do I even need to rename it?

     - PEM certificate chain file.  Multiple certificates between
       BEGIN...END lines.  This is what Postfix needs for the server
       certificate, with the leaf (server) certificate first, and
       each issuer directly following its subject certificate.

And this would be the 'Intermediate' cert that I downloaded (it does already have two certs between the BEGIN...END lines)?

Now, my question is, what do you mean by the 'server_crt' in the cat command above?

Would that be the .key file I generated when I generated my new key and CSR I used to order the RapidSSL certs?

Thanks very much Viktor, I know this is pretty lame for someone who deals with this stuff at your level...

--

Best regards,

Charles

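The "cat server_cert.pem intermediate_CA.pem > server.pem" step from the TLS_README, as an added worked example that is not part of this thread or of the Postfix documentation. It assumes only the openssl command line tool. Because a real CA-issued certificate cannot be embedded here, the script first generates a throwaway root, intermediate and server certificate of its own (all names, file names and the one-day validity are made-up test values), then builds the chain file the way the README says and checks three things a practitioner wants to know before pointing Postfix at it: that the certificates are in the right order (leaf first, each issuer directly after its subject), that the .key file belongs to the first certificate in the chain file, and that the leaf verifies up to the root using only the intermediates inside the chain file.

```sh
#!/bin/sh
# Added example (not from the thread or the Postfix docs): build the PEM chain
# file Postfix wants and check it. Assumes only the openssl CLI. Every
# certificate and key here is throwaway test material generated on the spot;
# names, file names and the 1-day validity are arbitrary.
set -e

WORK=$(mktemp -d)
cd "$WORK"

printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:false\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

# 1. Throwaway PKI: root -> intermediate -> server leaf. This stands in for the
#    CA's side; with a real CA you only ever make the leaf's key and CSR.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -sha256 -days 1 -in root.csr -signkey root.key \
    -extfile ca.ext -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate" \
    -keyout intermediate_CA.key -out intermediate_CA.csr 2>/dev/null
openssl x509 -req -sha256 -days 1 -in intermediate_CA.csr -CA root.pem \
    -CAkey root.key -CAcreateserial -extfile ca.ext -out intermediate_CA.pem 2>/dev/null

# 2. The admin's part: private key + CSR. The CA then returns server_cert.pem
#    (the "single cert in the email") and intermediate_CA.pem. server.key is
#    a private key, not a certificate, and never goes into the chain file.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=mail.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -sha256 -days 1 -in server.csr -CA intermediate_CA.pem \
    -CAkey intermediate_CA.key -CAcreateserial -extfile leaf.ext -out server_cert.pem 2>/dev/null

# 3. The chain file from the TLS_README: leaf first, its issuer right after,
#    root omitted. Also build the mistaken order so the check has something to catch.
cat server_cert.pem intermediate_CA.pem > server.pem
cat intermediate_CA.pem server_cert.pem > wrong_order.pem

# Split a PEM chain file into $2/cert.1, $2/cert.2, ... (one certificate each).
split_chain() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/cert." n) }' "$1"
}

# Succeed only if each certificate's issuer is the subject of the next one,
# i.e. the file is in the order Postfix needs (leaf first, then its issuers).
chain_order_ok() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    n=$(ls "$dir" | wc -l | tr -d ' ')
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$dir/cert.$i" | sed 's/^issuer=//')
        next=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/cert.$((i + 1))" | sed 's/^subject=//')
        if [ "$issuer" != "$next" ]; then
            rm -rf "$dir"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Succeed only if the private key ($1) belongs to the FIRST certificate in $2
# (same public key). This is how to tell "the .key file" from "the server cert".
key_matches_cert() {
    [ "$(openssl pkey -pubout -in "$1")" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# Succeed only if the first certificate in $2 chains up to the trusted root $1
# using only the intermediates that are inside the chain file itself.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

for f in server.pem wrong_order.pem; do
    if chain_order_ok "$WORK/$f"; then echo "$f: order ok"; else echo "$f: WRONG ORDER"; fi
done
key_matches_cert "$WORK/server.key" "$WORK/server.pem" && echo "server.key matches server.pem"
chain_verifies "$WORK/root.pem" "$WORK/server.pem" && echo "server.pem verifies against root"
# The file extension is irrelevant: the same bytes under another name still parse.
cp server_cert.pem server.crt && openssl x509 -noout -subject -in server.crt
```

Two things worth knowing about the checks. First, "openssl verify" by itself does not catch a wrong order: it verifies whichever certificate comes first in the file, so wrong_order.pem still "verifies" (the intermediate chains to the root just fine); the explicit order check is what tells you the leaf is first. Second, a private key file starts with "-----BEGIN PRIVATE KEY-----" (or "-----BEGIN RSA PRIVATE KEY-----"), never "-----BEGIN CERTIFICATE-----", which is the quickest way to tell the .key file from the server cert; the key then goes in Postfix's smtpd_tls_key_file and the chain file in smtpd_tls_cert_file, the two parameters the linked README section describes.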