sendmail certs -- which letsencrypt cert to use for ca

Olivier Olivier.Nicole at cs.ait.ac.th
Thu Apr 5 02:48:47 UTC 2018


Gary Aitken <freebsd at dreamchaser.org> writes:

> I'm wanting to switch the self-certified certs generated by sendmail
> when it first starts over to ones certified via letsencrypt.
> Letsencrypt generates four files:
>    cert.pem, privkey.pem, chain.pem and fullchain.pem
> As I understand it, chain.pem contains intermediates, and fullchain
> contains the main cert + intermediates.
> Sendmail's generated certs consist of a cert, a privkey, and a CA.
> Which of chain.pem or fullchain.pem should be used for the CA, or
> will either work?

You should use the shortest of the two files. I never tested with
sendmail, but that's what I do with postfix, Courier IMAP, LDAP,
Apache, FreeRadius...

Depending on the tool you use to create your Let's Encrypt certificate,
the name of the files may vary, but the size difference should be
consistent.

As you have been using self-signed certificates in the past, you know
how to create a private key and a certificate request, so I would
suggest that you apply for a certificate by using your own certificate
request; that way, you are sure that Let's Encrypt will never see your
private key. At least acme.sh (on GitHub) allows you to submit your own
CSR.

Best regards,

Olivier
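
An added example, not part of the original message: because file names vary by ACME client, this identifies the intermediates-only file (the shorter one) by content, and checks that the other file is the leaf certificate followed by it. The function names and the sample PEM blocks are assumptions; the payloads are constructed dummies, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Return the decoded bytes of every CERTIFICATE block in a PEM string."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(text)]

def pick_ca_file(cert_pem, candidates):
    """Return the name of the candidate that holds only intermediates.

    cert_pem   -- contents of the leaf certificate file (cert.pem)
    candidates -- {file name: contents} for the two chain files
    Raises ValueError if the files do not have the expected layout.
    """
    leaf = pem_certs(cert_pem)
    if len(leaf) != 1:
        raise ValueError("leaf file must contain exactly one certificate")
    parsed = {name: pem_certs(text) for name, text in candidates.items()}
    without_leaf = [name for name, certs in parsed.items()
                    if certs and leaf[0] not in certs]
    if len(without_leaf) != 1:
        raise ValueError("expected exactly one file holding only intermediates")
    ca_name = without_leaf[0]
    # Every other candidate must be the leaf followed by the intermediates.
    for name, certs in parsed.items():
        if name != ca_name and certs != leaf + parsed[ca_name]:
            raise ValueError(f"{name} is not the leaf followed by {ca_name}")
    return ca_name

def _pem(payload):
    # Constructed sample block: the payload is dummy bytes, not real DER.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_CERT = _pem(b"constructed-leaf")
SAMPLE_CHAIN = _pem(b"constructed-intermediate")
SAMPLE_FULLCHAIN = SAMPLE_CERT + SAMPLE_CHAIN

if __name__ == "__main__":
    files = {"fullchain.pem": SAMPLE_FULLCHAIN, "chain.pem": SAMPLE_CHAIN}
    print(pick_ca_file(SAMPLE_CERT, files))
```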

