From owner-freebsd-questions@freebsd.org Thu Apr 5 02:48:47 2018
From: Olivier
To: freebsd@dreamchaser.org
Cc: freebsd-questions@freebsd.org
Subject: Re: sendmail certs -- which letsencrypt cert to use for ca
In-Reply-To: <655c9be3-ece7-eeab-300f-56be88c3267f@dreamchaser.org> (message from Gary Aitken on Wed, 4 Apr 2018 20:26:47 -0600)
Date: Thu, 05 Apr 2018 09:40:42 +0700

Gary Aitken writes:

> I'm wanting to switch the self-certified certs generated by sendmail
> when it first starts over to ones certified via letsencrypt.
> Letsencrypt generates four files:
> cert.pem, privkey.pem, chain.pem and fullchain.pem
> As I understand it, chain.pem contains intermediates, and fullchain
> contains the main cert + intermediates.
> Sendmail's generated certs consist of a cert, a privkey, and a CA.
> Which of chain.pem or fullchain.pem should be used for the CA, or
> will either work?

You should use the shorter of the two files. I never tested with sendmail, but that's what I do with postfix, Courier IMAP, LDAP, Apache, FreeRadius...

Depending on the tool you use to create your Let's Encrypt certificate, the name of the files may vary, but the size difference should be consistent.

As you have been using self-signed certificates in the past, you know how to create a private key and a certificate request, so I would suggest that you apply for a certificate by using your own certificate request. That way, you are sure that Let's Encrypt will never see your private key. At least acme.sh (on GitHub) allows you to submit your own CSR.

Best regards,

Olivier
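As an added example (not code from the thread or from acme.sh), a small POSIX shell script that generates the key and CSR locally as the reply suggests, tells chain.pem from fullchain.pem by counting certificates rather than by file size, and checks that the issued leaf certificate matches the local key before sendmail is pointed at it. It assumes openssl(1) is installed; the domain, file names and webroot path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl(1) is installed and
# that acme.sh is used for issuance; domain, file names and webroot are placeholders.
set -e

# Step 1: create the private key and CSR locally, so the key never leaves the host.
#   make_csr <domain> <key-out> <csr-out>
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Step 2 (run by hand, not in this script): have acme.sh sign that CSR.
#   acme.sh --signcsr --csr mail.example.csr -w /usr/local/www/acme   # webroot is a placeholder

# Step 3: tell chain.pem from fullchain.pem by counting certificates rather than
# by file size: chain.pem holds only the intermediates, fullchain.pem the leaf too.
#   cert_count <pem-bundle>
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Step 4: before pointing sendmail at the files, confirm the issued leaf
# certificate really belongs to the locally generated key (same public key).
#   key_matches_cert <key.pem> <cert.pem>
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}
```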