sendmail certs -- which letsencrypt cert to use for ca

Olivier Olivier.Nicole at
Thu Apr 5 02:48:47 UTC 2018

Gary Aitken <freebsd at> writes:

> I'm wanting to switch the self-certified certs generated by sendmail
> when it first starts over to ones certified via letsencrypt.
> Letsencrypt generates four files:
>    cert.pem, privkey,pem, chain.pem and fullchain.pem
> As I understand it, chain.pem contains intermediates, and fullchain
> contains the main cert + intermediates.
> Sendmail's generated certs consist of a cert, a privkey, and a CA.
> Which of chain.pem or fullchain.pem should be used for the CA, or
> will either work?

You should use the shortest of the two files. I never tested with
sendmail, but that's what I do with postfix, Courrier Imap, LDAp,
Apache, FreeRadius...

Depending on the tool you use to create your Let's Encrypt certificate,
the name of the files may vary, but the size difference should be

As you have been using self signed certificates in the past, you know
how to create a private key and a certificate request, so I would
suggest that you apply to a certificate by using your own certificate
request, that way, you are sure that let's Encrypt will never see your
private key. At leat (on GitHub) allows you to submit your own

Best regards,


More information about the freebsd-questions mailing list