> On Apr 10, 2017, at 6:02 AM, Selcuk Yazar <selcuk.ya...@gmail.com> wrote:
> 
> I have a wildcard SSL certificate file in pfx format.

More accurately, you have a PKCS#12 file, which contains a password-
protected copy of the private key and the certificate chain.

> I'm a little confused with smtpd_tls_cert_file, smtpd_tls_key_file settings.

Postfix reads the certificates and private key in PEM format.

> How can I prepare these cert_file and key_file files with the openssl
> command?

To place both the private key and the certificate chain in a single file:

   # umask 077
   # openssl pkcs12 -nodes -in /some/where/keypair.pfx \
        -out /etc/postfix/certkey.pem.tmp
   # mv /etc/postfix/certkey.pem.tmp /etc/postfix/certkey.pem
   # postconf -e "smtpd_tls_cert_file = /etc/postfix/certkey.pem"

To use separate files:

   # date=$(date "+%Y-%m-%d-%H")

   # umask 077
   # key="/etc/postfix/key-${date}.pem"
   # openssl pkcs12 -nodes -nocerts -in /some/where/keypair.pfx -out "$key"

   # umask 022
   # cert="/etc/postfix/cert-${date}.pem"
   # openssl pkcs12 -nodes -nokeys -clcerts -in /some/where/keypair.pfx \
        -out /dev/stdout > "$cert"
   # openssl pkcs12 -nodes -nokeys -cacerts -in /some/where/keypair.pfx \
        -out /dev/stdout >> "$cert"
   # postconf -e "smtpd_tls_key_file = ${key}" \
                 "smtpd_tls_cert_file = ${cert}"

In either case you'll be prompted for the PKCS#12 (aka pfx) file decryption 
password.

-- 
        Viktor.
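
An added check, not part of the original message: before reloading Postfix, confirm that the extracted private key matches the first (server) certificate in the certificate file and that the key file grants no access to group or other. The function names are hypothetical; only standard `openssl pkey` and `openssl x509` options are used.

```shell
#!/bin/sh
# Added example: sanity-check PEM files extracted from a PKCS#12 bundle.
# All function names here are hypothetical helpers, not Postfix tooling.

# Public key (PEM) derived from an unencrypted private key file.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# Public key of the FIRST certificate in a PEM file. The server (leaf)
# certificate must come first, followed by the CA certificates.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Succeed only if the file's group and other permission bits are all clear.
key_is_private() {
    perms=$(ls -ln "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Number of certificates in a PEM file (leaf plus chain).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_postfix_pem KEYFILE CERTFILE
# Returns 0 when the pair is consistent, otherwise a distinct non-zero code.
check_postfix_pem() {
    key=$1 cert=$2
    kpub=$(key_pubkey "$key") || {
        echo "cannot read private key: $key" >&2; return 2; }
    cpub=$(cert_pubkey "$cert") || {
        echo "cannot read certificate: $cert" >&2; return 3; }
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || {
        echo "first certificate in $cert does not match $key" >&2; return 4; }
    key_is_private "$key" || {
        echo "$key is accessible to group or other" >&2; return 5; }
    echo "ok: key matches leaf certificate; $(cert_count "$cert") certificate(s) in $cert"
}

# Usage with the separate-file variables from the message above:
#   check_postfix_pem "$key" "$cert"
```

A return code of 4 on files produced by the commands above usually means the certificates were appended in the wrong order, so a CA certificate rather than the server certificate comes first.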
