On 19.04.2014 12:59, Charles Marcus wrote:
> On 4/18/2014 6:52 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:
>> cat whatever-filename.crt your-private.key intermediate-a.crt > your.pem
>>
>> you are done, use that for *whatever* server software (httpd, postfix, ATS,
>> dovecot....)
>> as key and/or certificate file
>
> Apparently not, if the certs you get are from RapidSSL...
>
> I cat'd the two files together exactly as Victor described and for some
> reason (as Victor pointed out), the
> intermediate cert I got from rapidssl had the contents in the wrong order.

then they have a bug, not uncommon

the GoDaddy bundle contains the root-CA-cert which is wrong and should
be removed because otherwise it results in "chain issues"

independent of what software you configure with SSL certs it's a good idea
to test the PEM-files with a webserver and use https://www.ssllabs.com/ssltest/
to verify

> I had to manually swap the two keys in the intermediate cert before the cat
> command resulted in a correct chained cert.
>
> Apparently their certs are generated specially for web servers? All I know
> is, in their order form, they
> specifically ask exactly what web server you are running, and what version of
> SSL, prior to generating the certs.
> There is no choice for smtp server, and they have no docs for installing
> their certs with postfix (and their docs
> for dovecot are wrong).

ssl certs are not different for different server types simply because TLS
is a layer on top of the specific protocol

the good: all servers and clients need only to care about two implementations

* STARTTLS (in case of non-webservers)
* SSL/TLS on dedicated port

the bad: in case of bugs like Heartbleed they are all affected while the
whole Heartbeat thing should never have been enabled for by definition
short-lived connections like POP3, SMTP, HTTP and since TCP-Keep-Alive
exists completely disabled for non UDP transports
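The two problems discussed in this thread (a wrongly ordered intermediate bundle, and a bundle that still carries the self-signed root CA) can be checked locally before handing the PEM file to httpd, postfix or dovecot. The script below is an added example, not code from this thread; it assumes the `openssl` command-line tool is installed, and the function name `check_chain_order` is made up for the example.

```shell
#!/bin/sh
# Added example: check the certificate order in a concatenated PEM bundle.
# Expected order: server cert first, then each intermediate, each issued by the
# certificate that follows it. A self-signed (root CA) cert at the end is reported,
# since it does not belong in the bundle. Private key blocks are ignored.
# Exit status: 0 = order ok, 1 = wrong order, 2 = root CA included, 3 = no certs.
set -eu

check_chain_order() {
    bundle=$1
    work=$(mktemp -d)
    # Split the bundle into one file per CERTIFICATE block, numbered in file order.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > (out) }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    status=0
    n=0
    prev_issuer=""
    for cert in "$work"/cert*.pem; do
        [ -e "$cert" ] || break
        n=$((n + 1))
        # Compare DN hashes: cert N must be the issuer of cert N-1.
        subj=$(openssl x509 -in "$cert" -noout -subject_hash)
        iss=$(openssl x509 -in "$cert" -noout -issuer_hash)
        if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ]; then
            echo "cert #$n is not the issuer of cert #$((n - 1)): wrong order" >&2
            status=1
        fi
        if [ "$subj" = "$iss" ]; then
            echo "cert #$n is self-signed (root CA) and should be removed" >&2
            if [ "$status" -eq 0 ]; then status=2; fi
        fi
        prev_issuer=$iss
    done
    rm -rf "$work"
    if [ "$n" -eq 0 ]; then status=3; fi
    return "$status"
}

# Stand-alone use: sh check_chain.sh your.pem
if [ "$#" -eq 1 ]; then
    check_chain_order "$1"
fi
```

A bundle that passes this check can still fail for other reasons (expired certs, wrong key), so the ssllabs test mentioned above remains the final word.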