On 4/18/2014 3:50 PM, Viktor Dukhovni <[email protected]> wrote:
In the sample command, "server_cert.pem" is a plausible name for a file that holds just the leaf server certificate, while "intermediate_CA.pem" is a plausible name for a file that holds one or more intermediate CA issuer certificates (in the right order).

Once you've concatenated all the certs together into some file, say "mychain.jpg", you should be able to run the rather non-obvious:

    $ openssl crl2pkcs7 -nocrl -certfile mychain.jpg | openssl pkcs7 -print_certs -noout

which outputs something like (here the certificate chain for www.google.com):

    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

    subject=/C=US/O=Google Inc/CN=Google Internet Authority G2
    issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

    subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

in which the first "subject" is the target server, the second "subject" is the "issuer" of the first "subject", the third "subject" is the issuer of the second subject, and so on. The last issuer is a "root CA", presumably trusted by the various submission clients you want to support. Above, the last "subject" is different from the last "issuer", so this chain does not include the actual root CA, which is generally optional as explained in TLS_README.html.

If the chain file looks good, you can rename it to its production name:

    # mv mychain.jpg /etc/postfix/smtpd-chain.pdf

Also rename the new key file to its production name (making sure the key is not world-readable, i.e. owner "root", mode 0400):

    # mv mykey.pem /etc/postfix/smtpd-key.doc

and configure Postfix to use these:

    smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pdf
    smtpd_tls_key_file = ${config_directory}/smtpd-key.doc

[ You'll probably pick less ridiculous file extensions, but they only enlighten or confuse the human user; the computer does not care. ]
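The ordering check Viktor describes by eye (each "issuer" must equal the next "subject", and a final subject equal to its issuer means the root is included) can be automated over the output of that openssl pipeline. This is an added example, not code from the original thread or from Postfix; the sample output is the www.google.com chain quoted above, embedded here as constructed input, and the function names are my own.

```python
"""Check leaf -> intermediate ordering of a PEM chain, using the text printed by
   openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
Run as a script, it reads that output from stdin; imported, it exposes two functions."""
import re
import sys

# Constructed sample: the www.google.com chain as quoted in the post above.
SAMPLE_OUTPUT = """\
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

subject=/C=US/O=Google Inc/CN=Google Internet Authority G2
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
"""

def parse_print_certs(text):
    """Return [(subject, issuer), ...] in file order. Works for both the old
    '/C=US/O=...' DN style shown above and the newer 'C = US, O = ...' style,
    since names are only compared for equality, never interpreted."""
    pairs, subject = [], None
    for line in text.splitlines():
        m = re.match(r'^\s*(subject|issuer)\s*=\s*(.*?)\s*$', line)
        if not m:
            continue                      # blank lines and anything else
        key, value = m.groups()
        if key == 'subject':
            subject = value
        elif subject is not None:         # issuer line completes one cert
            pairs.append((subject, value))
            subject = None
    return pairs

def check_chain(pairs):
    """Return (ok, problems, root_included). ok means every cert's issuer is the
    subject of the next cert in the file; root_included means the last cert is
    self-signed, i.e. the (optional) root CA was concatenated too."""
    problems = []
    for i in range(len(pairs) - 1):
        if pairs[i][1] != pairs[i + 1][0]:
            problems.append(f"cert {i} issuer {pairs[i][1]!r} != cert {i + 1} subject {pairs[i + 1][0]!r}")
    root_included = bool(pairs) and pairs[-1][0] == pairs[-1][1]
    return (not problems, problems, root_included)

if __name__ == "__main__":
    ok, problems, root = check_chain(parse_print_certs(sys.stdin.read()))
    print("chain order OK" if ok else "\n".join(problems), "| root CA included:", root)
    sys.exit(0 if ok else 1)
```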
Thanks very much Viktor... New certs installed and working well... You're the man!
