Re: Certificates Invalid in Main.cf (Possibly Off Topic'ish)

Tue, 11 Nov 2008 08:56:50 -0800 

On Tue, Nov 11, 2008 at 11:47:34AM -0500, Carlos Williams wrote:

> On Mon, Nov 10, 2008 at 9:20 PM, Victor Duchovni
> <[EMAIL PROTECTED]> wrote:
> >> On Mon, Nov 10, 2008 at 5:26 PM, Noel Jones <[EMAIL PROTECTED]> wrote:
> >> > If your existing verisign certificate is a "server" type certificate with
> >> > the right FQDN, you should be able to use it with postfix.
> 
> I believe it is a server type certificate. Its a basic Verisign SSL CA
> cert. which is visible from my webmail server.
> 
> https://mail.ideorlando.org
> 
> When I look at the cert's on the server, I see the following:
> 
> mail:/etc/apache2/ssl# pwd
> /etc/apache2/ssl
> mail:/etc/apache2/ssl# ls -l
> total 12
> -rw-r--r-- 1 root root 1659 2008-09-11 16:47 intermediate.crt
> -rw-r--r-- 1 root root 1899 2008-09-11 16:47 mail.crt
> -rw-r--r-- 1 root root  963 2008-09-11 16:47 mail.key
> 
> Can those just be placed into the main.cf for Postfix? I see the ones
> already in Postfix have a .pem extension. My Verisign certificates do
> NOT have a .pem extension.

Did you read my previous message? Postfix needs the cert and the entire
trust chain in a *single* PEM file, and the key in a single PEM file,
possibly the same as the cert+chain file. I tried to make that pretty
clear.

You have 3 files, and you have not determined whether they are PEM or
DER encoded. Often ".crt" files are DER encoded, but looking inside
the file is the only way to tell. Exactly one of each pair should
work:

        - openssl rsa -in mail.key -inform DER -modulus -noout
        - openssl rsa -in mail.key -inform PEM -modulus -noout

        - openssl x509 -in mail.crt -inform DER -modulus -noout
        - openssl x509 -in mail.crt -inform PEM -modulus -noout

        - openssl x509 -in intermediate.crt -inform DER -modulus -noout
        - openssl x509 -in intermediate.crt -inform PEM -modulus -noout

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[EMAIL PROTECTED]>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Reply via email to