Postfix TLS/SSL with wildcard SSL certificate

Postfix TLS/SSL with wildcard SSL certificate

Selcuk Yazar
Hi,

I have a wildcard SSL certificate file in pfx format (including the private key, exported from Windows Server). I'm a little confused with the smtpd_tls_cert_file and smtpd_tls_key_file settings. How can I prepare these cert_file and key_file files with the openssl command? Actually I know how to create the private key file, but I don't clearly understand the tls_cert_file format.

thanks in advance.

--
Selçuk YAZAR

Re: Postfix TLS/SSL with wildcard SSL certificate

Viktor Dukhovni

> On Apr 10, 2017, at 6:02 AM, Selcuk Yazar <[hidden email]> wrote:
>
> I have a wildcard SSL certificate file in pfx format.

More accurately, you have a PKCS#12 file, which contains a password-
protected copy of the private key and the certificate chain.

> I'm little confuse with smtpd_tls_cert_file ,smtpd_tls_key_file settings.

Postfix reads the certificates and private key in PEM format.

> How can I prepare these cert_file and key_file files with openssl
> command.

To place both the private key and the certificate chain in a single file:

   # umask 077
   # openssl pkcs12 -nodes -in /some/where/keypair.pfx \
        -out /etc/postfix/certkey.pem.tmp
   # mv /etc/postfix/certkey.pem.tmp /etc/postfix/certkey.pem
   # postconf -e "smtpd_tls_cert_file = /etc/postfix/certkey.pem"

To use separate files:

   # date=$(date "+%Y-%m-%d-%H")

   # umask 077
   # key="/etc/postfix/key-${date}.pem"
   # openssl pkcs12 -nodes -nocerts -in /some/where/keypair.pfx -out "$key"

   # umask 022
   # cert="/etc/postfix/cert-${date}.pem"
   # openssl pkcs12 -nodes -nokeys -clcerts -in /some/where/keypair.pfx \
        -out /dev/stdout > "$cert"
   # openssl pkcs12 -nodes -nokeys -cacerts -in /some/where/keypair.pfx \
        -out /dev/stdout >> "$cert"
   # postconf -e "smtpd_tls_key_file = ${key}" \
                 "smtpd_tls_cert_file = ${cert}"

In either case you'll be prompted for the PKCS#12 (aka pfx) file decryption password.

--
        Viktor.

Re: Postfix TLS/SSL with wildcard SSL certificate

chaouche yacine
Viktor,

In this piece of code, why write to a .tmp file then immediately rename it without any prior processing?

>    # umask 077
>    # openssl pkcs12 -nodes -in /some/where/keypair.pfx \
>         -out /etc/postfix/certkey.pem.tmp
>    # mv /etc/postfix/certkey.pem.tmp /etc/postfix/certkey.pem
>    # postconf -e "smtpd_tls_cert_file = /etc/postfix/certkey.pem"

  -- Yassine
Re: Postfix TLS/SSL with wildcard SSL certificate

Skip Montanaro
> In this piece of code, why write to a .tmp file then immediately rename it without any prior processing?

The mv command will be an atomic operation, whereas the command preceding it probably won't be. You wouldn't want that pem file to be in an invalid state if some other command comes along and tries to use it.

Skip Montanaro
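The conversion Viktor describes and the write-to-temp-then-rename pattern Skip explains, combined into one script as an added example (not code from the thread or from Postfix). It assumes the openssl CLI is available, takes the PKCS#12 password via `-passin pass:` instead of the interactive prompt, and uses the output names key.pem and cert.pem, which are choices made here. It adds one check a practitioner wants before pointing Postfix at the files: that the private key really belongs to the leaf certificate, so a mismatched export is caught before smtpd starts refusing TLS handshakes.

```shell
#!/bin/sh
# Added example: PKCS#12 (.pfx) -> PEM key and certificate chain for Postfix.
# Assumes the openssl CLI; password is passed with -passin (openssl would
# otherwise prompt). Output names key.pem / cert.pem are chosen here.

# pfx_to_pem PFX OUTDIR PASSWORD
#   Writes OUTDIR/key.pem (mode 0600) and OUTDIR/cert.pem (mode 0644,
#   leaf certificate first, then the CA certificates). Each file is
#   written to a .tmp name and renamed into place, so a reader such as
#   Postfix never opens a half-written file (mv within one filesystem
#   is atomic; the openssl write is not).
pfx_to_pem() {
    pfx=$1; outdir=$2; pass=$3
    key="$outdir/key.pem"; cert="$outdir/cert.pem"

    # Private key: restrictive umask so the file is created 0600.
    ( umask 077
      openssl pkcs12 -nodes -nocerts -in "$pfx" -passin "pass:$pass" \
          -out "$key.tmp"
    ) || return 1
    mv "$key.tmp" "$key" || return 1

    # Certificate chain: leaf first (the cert matching the key), then CAs.
    # No -out, so openssl writes to stdout and the group redirect collects it.
    ( umask 022
      { openssl pkcs12 -nodes -nokeys -clcerts -in "$pfx" -passin "pass:$pass" &&
        openssl pkcs12 -nodes -nokeys -cacerts -in "$pfx" -passin "pass:$pass"
      } > "$cert.tmp"
    ) || return 1
    mv "$cert.tmp" "$cert" || return 1
}

# key_matches_cert KEY CERT
#   Returns 0 when the public key derived from KEY equals the public key
#   embedded in the first certificate of CERT (the leaf). Both tools skip
#   the "Bag Attributes" lines that pkcs12 leaves above the PEM block.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Typical use (paths are placeholders):
#   pfx_to_pem /some/where/keypair.pfx /etc/postfix "$PFX_PASSWORD" &&
#   key_matches_cert /etc/postfix/key.pem /etc/postfix/cert.pem &&
#   postconf -e "smtpd_tls_key_file = /etc/postfix/key.pem" \
#               "smtpd_tls_cert_file = /etc/postfix/cert.pem"
```

The two `openssl pkcs12` calls for the chain are joined with `&&` inside the group so that a failure on the leaf certificate (wrong password, corrupt file) aborts before anything is renamed into place; the stale .tmp file is the only thing left behind, and the previous cert.pem, if any, is untouched.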

Re: Postfix TLS/SSL with wildcard SSL certificate

chaouche yacine
Nice! Thanks, Skip.