Date: Thu, 05 Apr 2018 09:40:42 +0700
From: Olivier <Olivier.Nicole@cs.ait.ac.th>
To: freebsd@dreamchaser.org
Cc: freebsd-questions@freebsd.org
Subject: Re: sendmail certs -- which letsencrypt cert to use for ca
Message-ID: <wu78ta2wf2t.fsf@banyan.cs.ait.ac.th>
In-Reply-To: <655c9be3-ece7-eeab-300f-56be88c3267f@dreamchaser.org> (message from Gary Aitken on Wed, 4 Apr 2018 20:26:47 -0600)

Gary Aitken <freebsd@dreamchaser.org> writes:

> I'm wanting to switch the self-certified certs generated by sendmail
> when it first starts over to ones certified via letsencrypt.
> Letsencrypt generates four files:
>   cert.pem, privkey.pem, chain.pem and fullchain.pem
> As I understand it, chain.pem contains intermediates, and fullchain
> contains the main cert + intermediates.
> Sendmail's generated certs consist of a cert, a privkey, and a CA.
> Which of chain.pem or fullchain.pem should be used for the CA, or
> will either work?

You should use the shortest of the two files.

I never tested with sendmail, but that's what I do with postfix,
Courier IMAP, LDAP, Apache, FreeRadius...

Depending on the tool you use to create your Let's Encrypt certificate,
the name of the files may vary, but the size difference should be
consistent.

As you have been using self-signed certificates in the past, you know
how to create a private key and a certificate request, so I would
suggest that you apply for a certificate by using your own certificate
request; that way, you are sure that Let's Encrypt will never see your
private key.

At least acme.sh (on GitHub) allows you to submit your own CSR.

Best regards,

Olivier
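
The own-CSR approach suggested in the message above, as an added example that is not part of the original message or of acme.sh: the key and CSR are generated locally, and the CSR is checked against the key before it is submitted. The function names, host name and paths are assumptions, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: create the private key and CSR locally so that only the CSR
# (which carries the public key, never the private key) is sent to the CA.
# Function names, host name and paths are illustrative assumptions.

# make_csr DIR HOST: write DIR/privkey.pem and DIR/HOST.csr
make_csr() (
    dir=$1 host=$2
    umask 077                       # key file readable by its owner only
    mkdir -p "$dir" || exit 1
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null || exit 1
    # -addext needs OpenSSL 1.1.1 or later
    openssl req -new -key "$dir/privkey.pem" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$dir/$host.csr" || exit 1
    # Check the CSR's self-signature before handing it to anyone.
    openssl req -in "$dir/$host.csr" -noout -verify >/dev/null 2>&1
)

# csr_matches_key CSR KEY: succeed only if the CSR carries KEY's public key,
# i.e. the certificate that comes back will pair with this private key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Usage (host name and webroot are placeholders):
#   make_csr /root/le mail.example.org
#   csr_matches_key /root/le/mail.example.org.csr /root/le/privkey.pem && echo ok
#   acme.sh --signcsr --csr /root/le/mail.example.org.csr -w /path/to/webroot
```

The issued certificate is then used together with the locally generated `privkey.pem`.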