On Tue, Apr 22, 2014 at 09:53:12AM -0500, John Griessen wrote:
> On 04/22/2014 09:20 AM, Viktor Dukhovni wrote:
> >The Postfix SMTP server needs a matching private key and public-key
> >certificate. Anything appended to the certificate file is for the
> >benefit of remote SMTP clients that care to perform certificate
> >chain validation. Such clients need a "chain" of certificates
> >issued by a root CA they trust. The trusted root need not be
> >included in the chain, unless they're using the DANE DNSSEC PKI,
> >instead of public CAs.
>
>
> So there is nothing wrong with a "chain" of certificates -- I will
> put it back and retest.
The leaf certificate (first one in the chain file) MUST match the
private key. The rest of the chain file SHOULD fill in the trust-path
from the leaf to the root (issuer of leaf, issuer of issuer of
leaf, ...) optionally excluding the root unless the root is a DANE
usage DANE-TA(2) trust-anchor.
--
Viktor.
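A POSIX shell check of the two rules stated above (leaf matches the key; each certificate is issued by the next one in the file), added here as an example and not code from the post or from Postfix. It assumes the chain and key file paths are passed as arguments and that the openssl command line is available.

```shell
# check_chain_file CHAIN.pem KEY.pem
# Checks a Postfix smtpd_tls_cert_file / smtpd_tls_key_file pair against the
# two rules in the post (added example, not Postfix code):
#   1. the leaf certificate (first in the file) matches the private key;
#   2. each following certificate is the issuer of the one before it
#      (subject of cert N == issuer of cert N-1); the root itself is optional.
# Prints the reason and returns 1 on failure, 0 on success.
check_chain_file() {
    chain="$1"; key="$2"
    tmp=$(mktemp -d) || return 2
    # Split the PEM file into one certificate per file: cert.0 (leaf), cert.1, ...
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                       n > 0 { print > (dir "/cert." (n - 1)) }' "$chain"
    if [ ! -s "$tmp/cert.0" ]; then
        echo "$chain: no certificate found"; rm -rf "$tmp"; return 1
    fi
    # Rule 1: the leaf's SubjectPublicKeyInfo must equal the public half of
    # the private key; both are written as PEM and compared byte-for-byte.
    openssl x509 -in "$tmp/cert.0" -noout -pubkey > "$tmp/leaf.pub" 2>/dev/null || :
    openssl pkey -in "$key" -pubout > "$tmp/key.pub" 2>/dev/null || :
    if [ ! -s "$tmp/key.pub" ]; then
        echo "$key: cannot read private key"; rm -rf "$tmp"; return 1
    fi
    if ! cmp -s "$tmp/leaf.pub" "$tmp/key.pub"; then
        echo "$chain: leaf certificate does not match private key $key"
        rm -rf "$tmp"; return 1
    fi
    # Rule 2: walk the chain; cert N+1 must be the issuer of cert N.
    # RFC 2253 formatting gives a canonical one-line DN for the comparison.
    i=0
    while [ -s "$tmp/cert.$((i + 1))" ]; do
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer -nameopt RFC2253)
        subject=$(openssl x509 -in "$tmp/cert.$((i + 1))" -noout -subject -nameopt RFC2253)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "$chain: certificate $((i + 1)) is not the issuer of certificate $i"
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    # Informational: a self-signed last certificate means the root was included.
    subj=$(openssl x509 -in "$tmp/cert.$i" -noout -subject -nameopt RFC2253)
    iss=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer -nameopt RFC2253)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo "$chain: ok, $((i + 1)) certificate(s), root CA included"
    else
        echo "$chain: ok, $((i + 1)) certificate(s), root CA omitted (needed for DANE-TA(2))"
    fi
    rm -rf "$tmp"; return 0
}
```

The chain walk compares names only; to also verify the signatures against a real trust store, run `openssl verify -untrusted CHAIN.pem CHAIN.pem` with the system CA bundle afterwards.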