Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-20 Thread Charles Marcus
Thanks for the detailed explanation Victor. I really appreciate both your confirming my submission cert is now correctly configured, and for taking the time to 'teach me to fish' rather than just giving me one... ;) I believe that if I study this reply, and maybe go back and re-read the post

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread Viktor Dukhovni
On Sat, Apr 19, 2014 at 07:06:31AM -0400, Charles Marcus wrote: > I hate to keep imposing on you, but since I don't have the postfinger tool, Your submission service configuration is now correct. In each pair of lines the "issuer" is the name of the certification authority that signed the certif

Re: SOLVED - Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread li...@rhsoft.net
On 19.04.2014 12:59, Charles Marcus wrote: > On 4/18/2014 6:52 PM, li...@rhsoft.net wrote: >> cat whatever-filename.crt your-private.key intermediate-a.crt > your.pem >> >> you are done, use that for *whatever* server-software (httpd, postfix, ATS, >> dovecot) >> as key and or certificate

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread Charles Marcus
On 4/19/2014 6:32 AM, Charles Marcus wrote: Would you mind a quick check of both our smtp. and mail. (I'm guessing that I would need to do the same thing for dovecot's cert too)? Hi Victor, I hate to keep imposing on you, but since I don't have the postfinger tool, and have a hard time inter

SOLVED - Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread Charles Marcus
On 4/18/2014 6:52 PM, li...@rhsoft.net wrote: cat whatever-filename.crt your-private.key intermediate-a.crt > your.pem you are done, use that for *whatever* server-software (httpd, postfix, ATS, dovecot) as key and or certificate file Apparently not, if the certs you get are from RapidSS

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread li...@rhsoft.net
On 19.04.2014 12:46, Charles Marcus wrote: > On 4/19/2014 6:32 AM, Charles Marcus wrote: >> Thanks again Victor, without the support on this list many of us wanna-be >> admins would be in way over our heads... > > One other question... > > Would I be correct that the following error I'm now

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread Charles Marcus
On 4/19/2014 6:32 AM, Charles Marcus wrote: Thanks again Victor, without the support on this list many of us wanna-be admins would be in way over our heads... One other question... Would I be correct that the following error I'm now seeing since changing the certs could be caused by some peo

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread Charles Marcus
On 4/18/2014 5:14 PM, Viktor Dukhovni wrote: Though many/most client implementations may not mind, the certificate chain is not quite in the right order: $ posttls-finger -cC -Lsummary smtp.media-brokers.com:587 | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread li...@rhsoft.net
On 18.04.2014 21:22, Charles Marcus wrote: > Ok, if you are willing, could you check me? > >> X.509 certificates come in a few data formats: >> >> - Binary ASN.1 DER format containing a single certificate. >>Not directly usable by Postfix. >> >> - ASCII PEM format certificate

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Viktor Dukhovni
On Fri, Apr 18, 2014 at 05:00:22PM -0400, Charles Marcus wrote: > > smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pdf > > smtpd_tls_key_file = ${config_directory}/smtpd-key.doc > > > >[ You'll probably pick less ridiculous file extensions, but they only > > enlighten or confuse t

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus
On 4/18/2014 3:50 PM, Viktor Dukhovni wrote: In the sample command, "server_cert.pem" is a plausible name for a file that holds just the leaf server certificate. While "intermediate_CA.pem" is a plausible name for a file that holds one or more intermediate CA issuer certificates (in the right or

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Viktor Dukhovni
On Fri, Apr 18, 2014 at 03:22:25PM -0400, Charles Marcus wrote: > >>Thanks again, Victor, but again, that is all over my head. I suspect more lack of confidence than lack of ability. Be more daring, take a guess, it'll probably be right. > > - ASCII PEM format certificate which is the base6

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus
On 4/18/2014 3:06 PM, Viktor Dukhovni wrote: On Fri, Apr 18, 2014 at 02:35:45PM -0400, Charles Marcus wrote: No. The correct approach is at: http://www.postfix.org/TLS_README.html#server_cert_key With legacy public CA trust verification, you can omit the root certificate from

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Viktor Dukhovni
On Fri, Apr 18, 2014 at 02:35:45PM -0400, Charles Marcus wrote: > I don't even know the difference between a .pem and .crt, and definitely > don't have a clue when it comes to chaining certs or anything. Those are just file names. File extensions having meaning is a CP/M and Windows concept.

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus
Thanks for the response Victor... On 4/18/2014 2:20 PM, Viktor Dukhovni wrote: On Fri, Apr 18, 2014 at 02:06:20PM -0400, Charles Marcus wrote: Ok, been wanting to do this for a while, and after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs... Until now, we've

Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Viktor Dukhovni
On Fri, Apr 18, 2014 at 02:06:20PM -0400, Charles Marcus wrote: > Ok, been wanting to do this for a while, and after the Heartbleed fiasco, > the boss finally agreed to let me buy some real certs... > > Until now, we've been using self-signed certs with the following postfix > settings: > > sm

Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus
Hi all, Ok, been wanting to do this for a while, and after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs... Until now, we've been using self-signed certs with the following postfix settings: smtpd_tls_cert_file = /etc/ssl/ourCerts/smtp_crt.pem smtpd_tls_key_