On Tue, 6 May 2014, Hodge, Robert L wrote:

> My vsftpd configuration has the key and cert both in
> "rsa_private_key_file" and the cert again in
> "rsa_cert_file". That is the only way that I could make it
> work.

* nod * and that is the 'right' way as well

The process of appending first the key, and then an intermediate
certificate chain, is not uncommon when the signing key at a CA is not
in the root CA bundle. The approach is to go from most specific, both
as to the key, and the pem, to the more general.

Some programs (apache) have provision for Intermediate certificate
chains, but it is more common not to find such. As it turns out really,
although Intermediate chains simplify communication, it does not matter
to the remote ssl using client [see: man s_client for a very handy
testing tool -- see bottom of this piece]

The 'openssl' toolkit and conventional Unix tools are all that is
needed. Specifically for StartSSL [recommended: http://www.startssl.com/ ]
endorsed keys, via pem certificates (which we can seek countersigning of
the csr with their 'Class 2' certificate), we prepare them thus:

I. As to the key in this environment:

[root@mail private]# pwd ; ls ; ls ../certs/
/etc/pki/tls/private
attic    mail.iwaynet.net-2010.csr  mail.iwaynet.net-2012.csr  union.key
DOMAINS  mail.iwaynet.net-2010.key  union-2010.key
acme.pem         localhost.crt              rollup.pem
attic            mail.iwaynet.net-2012.pem  sub.class2.server.ca.pem
ca-bundle.crt    make-dummy-cert            union-2012.pem
dual-rollup.pem  Makefile                   union.pem
[root@mail private]#

so:

1. build the key chain of trust

   cat mail.iwaynet.net-2010.key \
       ../certs/sub.class2.server.ca.pem \
       ../certs/rollup.pem > union-2010.key

2. using 'vi' inspect that all delimiters are abutted to one another
   with no intervening NewLine indications

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuD2CRyO0QSsVyVRVCeYoX9H6OLTTr68ZJeK3wkfFgtFTOleZ
...
zhMpwT6ziz4Vw6iEKRTzCwFHaolA9H5GfmBpkP+IvLRU5oTP045adg==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGjANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
...
0Y+NWZP8P3PXLrQsldiL98l+x/ydrHIEH9LMF/TtNGCbnkqXBP7dcg5XVFEGcE3v
qhykguAzx/Q=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
...
NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIH4jCCBcqgAwIBAgIBDTANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
...   continues a long time with several certificates in the
      'rollup.pem' bundle
F7D6Wyg3d1Uq+fQaTFQBaVmXHuU2oAryGHVttN9v7mEIA5DBmuu6mwAfeQZdxQ==
-----END CERTIFICATE-----

3. This 'union' key should 'verify' for all local elements which
   comprise it

[root@mail private]# openssl verify -CAfile union-2010.key \
    union-2010.key
union-2010.key: OK
[root@mail private]# openssl verify -CAfile union-2010.key \
    ../certs/sub.class2.server.ca.pem
../certs/sub.class2.server.ca.pem: OK
[root@mail private]# openssl verify -CAfile union-2010.key \
    ../certs/rollup.pem
../certs/rollup.pem: OK
[root@mail private]#

II. and the certificate (pem)

4. and likewise for the certificate chain, we simply concatenate from
   most specific to more general:

   cd ../certs/
   cat mail.iwaynet.net-2012.pem \
       sub.class2.server.ca.pem \
       rollup.pem > union-2012.pem

5. inspect as before, using vi

6. verify -- the openssl command used does not vary

[root@mail certs]# openssl verify -CAfile union-2012.pem \
    mail.iwaynet.net-2012.pem
mail.iwaynet.net-2012.pem: OK
[root@mail certs]# openssl verify -CAfile union-2012.pem \
    sub.class2.server.ca.pem
sub.class2.server.ca.pem: OK
[root@mail certs]# openssl verify -CAfile union-2012.pem \
    union-2012.pem
union-2012.pem: OK
[root@mail certs]#

7. keys (the private part) need permissions of 700; certificates (being
   the public part) can be 755

III. s_client testing

8. s_client can handle the TLS dialog startup for you, and 'cracks
   open' the encrypted matter TLS setup negotiation and later content
   into TLS protected plaintext, into a (somewhat readable) form

[root@mail certs]# openssl s_client -starttls smtp -showcerts \
    -connect localhost:25

[here smtp, but sftp is similar ... I trim out the 'guts' of the
certificate bodies when there is an ellipsis]

CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 /description=6UU5cs40q72hPkRS/C=US/ST=Ohio/L=Columbus/O=781 Resolution, LLC/CN=mail.iwaynet.net/emailAddress=doma...@781resolution.com
verify return:1
---
Certificate chain
 0 s:/description=6UU5cs40q72hPkRS/C=US/ST=Ohio/L=Columbus/O=781 Resolution, LLC/CN=mail.iwaynet.net/emailAddress=doma...@781resolution.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
-----BEGIN CERTIFICATE-----
MIIHuDCCBqCgAwIBAgIDAQe+MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
...
D9f45J03P3Ln0Vura31pJ3KWCLyzNhXwLjbhbXay97gO2xuBKmCI+Kmp3DUIXpSl
PZC06GSzYAJnU2nK
-----END CERTIFICATE-----
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGjANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
...
0Y+NWZP8P3PXLrQsldiL98l+x/ydrHIEH9LMF/TtNGCbnkqXBP7dcg5XVFEGcE3v
qhykguAzx/Q=
-----END CERTIFICATE-----
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
...
NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14=
-----END CERTIFICATE-----
---
Server certificate
subject=/description=6UU5cs40q72hPkRS/C=US/ST=Ohio/L=Columbus/O=781 Resolution, LLC/CN=mail.iwaynet.net/emailAddress=doma...@781resolution.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
Acceptable client certificate CA names
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Client CA
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Client CA
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 3 Primary Intermediate Client CA
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 3 Primary Intermediate Server CA
/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
---
SSL handshake has read 7667 bytes and written 302 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BFE825275B1E0C6097C77A63DAAC8E2219D8CE3C394D4F0F7ADEAD36C0EC37F0
    Session-ID-ctx:
    Master-Key: CDCF79BC50295CA239D9B42F0DA6D54F8E4A4990BD5D641BEBA7D2D77099ADE30CE3C2C5C22D4EB35E4E70FB8AAA81B0
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1399396761
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 HELP
ehlo asdf
250-mail.iwaynet.net Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 35882577
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.iwaynet.net closing connection
closed
[root@mail certs]#

9. Compare, testing with telnet, which will show the STARTTLS
   availability, but does not dig further down

[root@mail certs]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.iwaynet.net ESMTP Sendmail 8.13.8/8.13.8; Tue, 6 May 2014 13:28:53 -0400
ehlo asdf
250-mail.iwaynet.net Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 35882577
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
^^^^^^^^^^^^^^^^^^^^^  this line is present with naive clients
250-DELIVERBY
250 HELP
quit
221 2.0.0 mail.iwaynet.net closing connection
Connection closed by foreign host.
[root@mail certs]#

Hope these notes help. They are the product and distillation of much
research and testing

-- Russ herrold

-- end ==================================

.-- -... ---.. ... -.- -.--
Copyright (C) 2014 R P Herrold
herr...@owlriver.com
My words are not deathless prose, but they are mine.

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
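Added example, not part of Russ's post or the LINUX-390 thread: a small Python lint that mechanizes step 2 and step 5 above (eyeballing in 'vi' that every BEGIN/END delimiter sits on its own line and the blocks abut with no stray blank lines) and the ordering rule the post states (private key first, then certificates from most specific to most general). It checks structure only; `openssl verify` still does the signature checking, and this script does not replace it. The PEM labels, the sample bundles and their payloads are constructed stand-ins, not real key or certificate material, and the function names are the example's own.

```python
"""Structural lint for a concatenated PEM "union" bundle (added example;
checks delimiters, blank lines, base64 bodies and block order only)."""
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem_bundle(text):
    """Return [(label, der_bytes), ...], or raise ValueError naming the
    first structural defect (glued delimiters, blank lines, bad base64)."""
    blocks, label, body = [], None, []
    for n, line in enumerate(text.splitlines(), 1):
        if label is None:                       # between blocks
            m = BEGIN_RE.match(line)
            if m:
                label, body = m.group(1), []
            elif line.strip():
                raise ValueError(f"line {n}: text outside a PEM block: {line[:48]!r}")
            else:
                raise ValueError(f"line {n}: blank line between blocks")
            continue
        m = END_RE.match(line)                  # inside a block
        if m:
            if m.group(1) != label:
                raise ValueError(f"line {n}: END {m.group(1)} closes BEGIN {label}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError as e:             # binascii.Error is a ValueError
                raise ValueError(f"line {n}: body of {label} block is not valid base64") from e
            if not der:
                raise ValueError(f"line {n}: empty {label} block")
            blocks.append((label, der))
            label = None
        elif line.startswith("-----"):
            # The classic 'cat' defect: the previous file had no trailing
            # newline, so its END ran straight into the next file's BEGIN.
            raise ValueError(f"line {n}: delimiter inside {label} block: {line[:48]!r}")
        else:
            body.append(line.strip())
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    return blocks


def check_chain_order(blocks, expect_key=True):
    """Ordering rule from the post: one private key first (for the key
    file), then nothing but certificates, leaf before CA."""
    labels = [lbl for lbl, _ in blocks]
    if not labels:
        return ["bundle is empty"]
    problems = []
    keys = [i for i, lbl in enumerate(labels) if lbl in KEY_LABELS]
    if expect_key and keys != [0]:
        problems.append("expected exactly one private key, as the first block")
    if not expect_key and keys:
        problems.append("private key found in a certificate-only bundle")
    first_cert = 1 if expect_key else 0
    for i, lbl in enumerate(labels):
        if i >= first_cert and lbl != "CERTIFICATE":
            problems.append(f"block {i + 1} is {lbl}, expected CERTIFICATE")
    return problems


def lint_bundle(text, expect_key=True):
    """Empty list means the bundle is structurally sound."""
    try:
        blocks = parse_pem_bundle(text)
    except ValueError as e:
        return [str(e)]
    return check_chain_order(blocks, expect_key)


def normalize_bundle(text):
    """Repair the two defects 'cat' introduces most often: glued END/BEGIN
    delimiters and blank lines between blocks. Returns the repaired text."""
    split = text.replace("-----BEGIN", "\n-----BEGIN")
    return "\n".join(ln.strip() for ln in split.splitlines() if ln.strip()) + "\n"


def _pem(label, payload):
    """Constructed PEM block around an arbitrary payload (not real DER)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples shaped like union-2010.key (key + leaf + CA chain)
# and union-2012.pem (certificates only) from the post.
LEAF = _pem("CERTIFICATE", b"constructed-leaf-cert-" * 5)
INTER = _pem("CERTIFICATE", b"constructed-intermediate-" * 5)
ROOT = _pem("CERTIFICATE", b"constructed-root-cert-" * 5)
GOOD_KEY_UNION = _pem("RSA PRIVATE KEY", b"constructed-key-bytes-" * 5) + LEAF + INTER + ROOT
GOOD_CERT_UNION = LEAF + INTER + ROOT
# What 'cat' yields when the key file lacks its trailing newline.
GLUED_KEY_UNION = GOOD_KEY_UNION.replace("-----END RSA PRIVATE KEY-----\n", "-----END RSA PRIVATE KEY-----", 1)
# And when a blank line crept in between two certificates.
BLANK_LINE_UNION = LEAF + "\n" + INTER + ROOT

if __name__ == "__main__":
    for name, text, want_key in [("union-2010.key", GOOD_KEY_UNION, True),
                                 ("union-2012.pem", GOOD_CERT_UNION, False),
                                 ("glued", GLUED_KEY_UNION, True),
                                 ("blank line", BLANK_LINE_UNION, False)]:
        print(name, lint_bundle(text, want_key) or "OK")
    print("glued, normalized", lint_bundle(normalize_bundle(GLUED_KEY_UNION)) or "OK")
```

Run it on a real union file with `lint_bundle(open("union-2010.key").read())`, or with `expect_key=False` for a certificate-only bundle such as union-2012.pem; an empty list is the "all delimiters abut" result the post asks you to confirm by eye, and anything else names the line to look at. `normalize_bundle` is the mechanical fix for the two common `cat` defects, to be followed by the post's `openssl verify` step, which this lint does not stand in for.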