On Fri, Apr 18, 2014 at 03:22:25PM -0400, Charles Marcus wrote:

> >>Thanks again, Victor, but again, that is all over my head.

I suspect more lack of confidence than lack of ability.  Be more
daring, take a guess, it'll probably be right.

> >     - ASCII PEM format certificate which is the base64 encoding of the
> >       above DER form sandwiched between "----BEGIN CERTIFICATE-----" and
> >       "-----END CERTIFICATE-----" lines.
> 
> Ok, the cert I got from RapidSSL was a single cert in the email body,
> sandwiched between -----BEGIN----- and -----END----- lines.

That's your (leaf) server certificate.

> So, that is the 'ASCII PEM format' cert above, and all I need to do is
> rename it from .crt to .pem and change the config reference? Or do I even
> need to rename it?

You can use any file name you like.  Call it "cert.gif" if you
want.

> >     - PEM certificate chain file.  Multiple certificates between
> >       BEGIN...END lines.  This is what Postfix needs for the server
> >       certificate, with the leaf (server) certificate first, and
> >       each issuer directly following its subject certificate.
> 
> And this would be the 'Intermediate' cert that I downloaded (it does already
> have two certs between the BEGIN...END lines)?

The above describes any PEM file holding multiple certificates.
If you got multiple issuer certificates from RapidSSL in this
format, that's OK.

>> % cat server_cert.pem intermediate_CA.pem > server.pem

> Now, my question is, what do you mean by the 'server_crt' in the cat command
> above?

In the sample command, "server_cert.pem" is a plausible name for
a file that holds just the leaf server certificate.  While
"intermediate_CA.pem" is a plausible name for a file that holds one
or more intermediate CA issuer certificates (in the right order).

Once you've concatenated all the certs together into some file,
say "mychain.jpg", you should be able to run the rather non-obvious:

   $ openssl crl2pkcs7 -nocrl -certfile mychain.jpg |
        openssl pkcs7 -print_certs -noout

which outputs something like (here the certificate chain for www.google.com):

    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

    subject=/C=US/O=Google Inc/CN=Google Internet Authority G2
    issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

    subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

in which the first "subject" is the target server, and the second
"subject" is the "issuer" of the first "subject", the third "subject"
is the issuer of the second subject and so on.  The last issuer is
a "root CA", presumably trusted by the various submission clients
you want to support.  Above the last "subject" is different from
the last "issuer" so this chain does not include the actual root
CA, which is generally optional as explained in TLS_README.html.

If the chain file looks good, you can rename it to its production
name:

    # mv mychain.jpg /etc/postfix/smtpd-chain.pdf

also rename the new key file to its production name (making sure the
key is not world-readable, i.e. owner "root", mode 0400):

    # mv mykey.pem /etc/postfix/smtpd-key.doc

and configure Postfix to use these:

        smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pdf
        smtpd_tls_key_file = ${config_directory}/smtpd-key.doc

[ You'll probably pick less ridiculous file extensions, but they only
  enlighten or confuse the human user, the computer does not care. ]

-- 
        Viktor.
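A small checker for the ordering rule explained above (leaf first, each issuer directly after its subject) and for the key-file permissions, added here as an example; it is not part of the list post and assumes the openssl command-line tool and a POSIX sh. The script and function names are hypothetical.

```shell
#!/bin/sh
# check_chain.sh (added example): verify that a PEM chain file is ordered
# leaf first, with each issuer directly following its subject, and that a
# private key file has no group/other permission bits.
# Assumes the openssl CLI is installed.

# Print the "subject=" or "issuer=" line of the Nth certificate (1-based)
# in a PEM bundle.  $1=chain file  $2=index  $3=subject|issuer
cert_field() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == n' "$1" |
        openssl x509 -noout -"$3" | sed 's/^[a-z]*= *//'
}

# check_chain FILE: return 0 when every certificate's issuer equals the
# subject of the certificate that follows it, 1 otherwise.
check_chain() {
    chain="$1"
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$chain")
    [ "$count" -ge 1 ] || { echo "no certificates in $chain" >&2; return 1; }
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(cert_field "$chain" "$i" issuer)
        next=$(cert_field "$chain" $((i + 1)) subject)
        if [ "$issuer" != "$next" ]; then
            echo "cert $i issuer ($issuer) is not cert $((i + 1)) subject ($next)" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# key_private FILE: return 0 only when group and other have no permission
# bits at all (e.g. mode 0400 or 0600), using the portable ls -l columns.
key_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      echo "$1 is readable by group or others" >&2; return 1 ;;
    esac
}

# Usage: sh check_chain.sh mychain.pem [smtpd-key.pem]
if [ "$#" -ge 1 ]; then
    check_chain "$1" && echo "chain order OK: $1"
    [ "$#" -ge 2 ] && key_private "$2" && echo "key permissions OK: $2"
fi
```

Note that the check only confirms ordering by name; it does not verify signatures or that the last issuer is a root your clients trust.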
