On 4/18/2014 3:50 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
In the sample command, "server_cert.pem" is a plausible name for
a file that holds just the leaf server certificate. While
"intermediate_CA.pem" is a plausible name for a file that holds one
or more intermediate CA issuer certificates (in the right order).
Once you've concatenated all the certs together into some file,
say "mychain.jpg", you should be able to run the rather non-obvious:
$ openssl crl2pkcs7 -nocrl -certfile mychain.jpg |
openssl pkcs7 -print_certs -noout
which outputs something like (here the certificate chain for www.google.com):
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
subject=/C=US/O=Google Inc/CN=Google Internet Authority G2
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
in which the first "subject" is the target server, and the second
"subject" is the "issuer" of the first "subject", the third "subject"
is the issuer of the second subject and so on. The last issuer is
a "root CA", presumably trusted by the various submission clients
you want to support. Above, the last "subject" is different from
the last "issuer", so this chain does not include the actual root
CA, which is generally optional as explained in TLS_README.html.
If the chain file looks good, you can rename it to its production
name:
# mv mychain.jpg /etc/postfix/smtpd-chain.pdf
also rename the new key file to its production name (making sure the
key is not world-readable, i.e. owner "root", mode 0400):
# mv mykey.pem /etc/postfix/smtpd-key.doc
and configure Postfix to use these:
smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pdf
smtpd_tls_key_file = ${config_directory}/smtpd-key.doc
[ You'll probably pick less ridiculous file extensions, but they only
enlighten or confuse the human user, the computer does not care. ]
Thanks very much Victor...
New certs installed and working well...
You're the man!
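The checks Viktor describes above (print the chain with the crl2pkcs7/pkcs7 pipeline, confirm each issuer is the next subject, make sure the key is mode 0400) can be scripted so the chain is tested before it is moved into place. The script below is an added example, not code from the thread or from Postfix; it assumes a POSIX shell with awk and stat, and openssl 1.1.1 or later for the demo part. The file names (mychain.pem, mykey.pem, server_cert.pem, intermediate_CA.pem) and the "Demo Root CA" / "Demo Intermediate CA" / mail.example.com names are made up here. Besides the ordering check from the post, the demo also runs openssl verify, which catches a chain whose order looks right but whose signatures do not actually link up.

```shell
#!/bin/sh
# Added example, not part of the original thread: sanity-check a concatenated
# PEM chain before installing it as Postfix's smtpd_tls_cert_file.
# Assumes POSIX sh, awk, stat and (for the demo) openssl >= 1.1.1.
# All file and CA names below are made up for the example.

# Same non-obvious pipeline as in the post: one "subject=" and one "issuer="
# line per certificate, in the order the certificates appear in the file.
print_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Read the subject=/issuer= listing on stdin and check that each
# certificate's issuer is the subject of the certificate that follows it.
# Prints "ok N (root CA omitted)" or "ok N (self-signed root included)" and
# exits 0; on a broken chain prints a "bad: ..." diagnosis and exits 1.
check_chain_order() {
    awk '
        /^subject=/ { sub(/^subject=/, ""); subj[++n] = $0; next }
        /^issuer=/  { sub(/^issuer=/,  ""); iss[n]   = $0; next }
        END {
            if (n == 0) { print "bad: no certificates found"; exit 1 }
            for (i = 1; i < n; i++) {
                if (iss[i] != subj[i+1]) {
                    printf "bad: cert %d issued by [%s] but cert %d is [%s]\n",
                           i, iss[i], i+1, subj[i+1]
                    exit 1
                }
            }
            if (iss[n] == subj[n]) print "ok " n " (self-signed root included)"
            else                   print "ok " n " (root CA omitted)"
        }'
}

# The post insists the key is not world-readable: owner root, mode 0400.
# This checks the mode (GNU stat -c, BSD stat -f); when running as root,
# also confirm ownership with: [ "$(stat -c %U "$f")" = root ]
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "400" ]
}

# Demo: build a throwaway root -> intermediate -> leaf chain in a temp
# directory, concatenate it in the correct order (leaf first, then its
# issuer) and in the wrong order, and run the checks on both. Returns 0
# only if the good chain passes, the bad one is rejected, the leaf
# verifies up to the root, and the key has mode 0400.
demo_chain() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' \
            -keyout root.key -out root.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
            -keyout int.key -out int.csr 2>/dev/null
        openssl x509 -req -days 2 -in int.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -extfile ca.ext -out intermediate_CA.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.com' \
            -keyout mykey.pem -out leaf.csr 2>/dev/null
        openssl x509 -req -days 2 -in leaf.csr -CA intermediate_CA.pem -CAkey int.key \
            -CAcreateserial -out server_cert.pem 2>/dev/null
        chmod 0400 mykey.pem

        cat server_cert.pem intermediate_CA.pem > mychain.pem      # right order
        cat intermediate_CA.pem server_cert.pem > wrongorder.pem   # wrong order

        print_chain mychain.pem    | check_chain_order || exit 1
        print_chain wrongorder.pem | check_chain_order && exit 1
        # Beyond ordering: confirm the leaf actually validates to the root.
        openssl verify -CAfile root.pem -untrusted intermediate_CA.pem server_cert.pem || exit 1
        key_mode_ok mykey.pem || exit 1
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

if command -v openssl >/dev/null 2>&1; then
    demo_chain && echo "demo: chain order, verification and key mode all OK"
fi
```

On a real system, run `print_chain mychain.pem | check_chain_order` against the chain you built and `key_mode_ok mykey.pem` after the chmod, before the `mv` into /etc/postfix; check_chain_order only looks at names, so pair it with `openssl verify` against the root you expect submission clients to trust.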