TLS cert question
Gary Smith
2011-01-13 23:25:18 UTC
I have an SSL key in pkcs12 format (pfx exported from Windows) that I need to convert into the proper format for postfix. The pfs includes the entire chain as well.

Anyone know the proper way to convert this file into the corresponding smtpd_tls_key_file/smtpd_tls_cert_file formats? My understanding (which is probably wrong) is that the final cert file can include the chain, so I don't need to use smtpd_tls_CAfile.

Any step by step instructions would be great. I did this like a year ago with another cert but managed to lose the instructions.

Thanks
mouss
2011-01-13 23:30:09 UTC
Post by Gary Smith
I have an SSL key in pkcs12 format (pfx exported from Windows) that I need to convert into the proper format for postfix. The pfs includes the entire chain as well.
Anyone know the proper way to convert this file into the corresponding smtpd_tls_key_file/smtpd_tls_cert_file formats? My understanding (which is probably wrong) is that the final cert file can include the chain, so I don't need to use smtpd_tls_CAfile.
Any step by step instructions would be great. I did this like a year ago with another cert but managed to lose the instructions.
openssl can convert between various formats.
http://www.sslshopper.com/article-most-common-openssl-commands.html
http://security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html
http://shib.kuleuven.be/docs/ssl_commands.shtml
...
Gary Smith
2011-01-13 23:36:41 UTC
Post by mouss
openssl can convert between various formats.
http://www.sslshopper.com/article-most-common-openssl-commands.html
http://security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html
http://shib.kuleuven.be/docs/ssl_commands.shtml
...
Mouss,

Thanks for the follow up. I know that openssl can convert it. I've read tens of documents today (literally 20+) and postfix doesn't seem to like the final product. Thus the specifics in the question.

Here is what I tried:


# Export certificate
openssl pkcs12 -in original.pfx -out hsserver01.cer -nodes
# Export public key -- not important here it seems
openssl pkcs12 -in original.pfx -out hsserver01.pub -clcerts -nokeys
# Export private key
openssl pkcs12 -in original.pfx -out hsserver01.pem -clcerts

cp hsserver01.* /etc/postfix/ssl
chmod 600 /etc/postfix/ssl/hsserver01.*

in main.cf:
# Private key in PEM format
smtpd_tls_key_file = /etc/postfix/ssl/hsserver01.pem
# Private key in crt format
smtpd_tls_cert_file = /etc/postfix/ssl/hsserver01.cer
# Chain, if available -
#smtpd_tls_CAfile = /etc/postfix/ssl/hsserver01.ca-bundle

In maillog:

postfix/smtpd[11907]: warning: cannot get RSA private key from file /etc/postfix/ssl/hsserver01.pem: disabling TLS support
postfix/smtpd[11907]: warning: TLS library problem: 11907:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: ANY PRIVATE KEY:
postfix/smtpd[11907]: warning: TLS library problem: 11907:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
Victor Duchovni
2011-01-14 00:06:48 UTC
Post by Gary Smith
# Export certificate
openssl pkcs12 -in original.pfx -out hsserver01.cer -nodes
This takes in PKCS12 and outputs an unencrypted PKCS12. Not a good idea,
your private key is compromised, unless your umask was 077.
Post by Gary Smith
# Export public key -- not important here it seems
openssl pkcs12 -in original.pfx -out hsserver01.pub -clcerts -nokeys
This is still the leaf X.509v3 certificate, but not the key.
Post by Gary Smith
# Export private key
openssl pkcs12 -in original.pfx -out hsserver01.pem -clcerts
This outputs a PKCS12 with the private key and no CA certs.

You need a file with the private key in PEM format to use as
smtpd_tls_key_file. For that:

(
umask 077
openssl pkcs12 -nodes -nocerts -out certkey.pem -in certkey.p12
)

Then you can append the certificate chain:

openssl pkcs12 -nokeys -in certkey.p12 >> certkey.pem
--
Viktor.
Victor Duchovni
2011-01-14 00:35:41 UTC
Post by Victor Duchovni
Post by Gary Smith
# Export certificate
openssl pkcs12 -in original.pfx -out hsserver01.cer -nodes
This takes in PKCS12 and outputs an unencrypted PKCS12. Not a good idea,
your private key is compromised, unless your umask was 077.
Oops, while the "umask 077" is indeed required, this does produce a PEM
file with a usable key and certificate, provided the OpenSSL library
behind the pkcs12 command is not substantially newer than the one Postfix
is linked with. If the command is from OpenSSL 1.0.0, it will generate
a new-style PKCS#8 "generic" private key, while Postfix linked against
0.9.8 will probably want an RSA key.

You may need to run "openssl rsa" to convert this to an RSA key, which
then needs to replace the

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

with:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
--
Viktor.
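To make the steps above concrete, here is an added example that is not code from the thread: it builds a throwaway PFX (constructed, with made-up names and the export password exportpw), converts it the way Viktor describes, applies the "openssl rsa" rewrite to the RSA label, and then checks the result before it is handed to Postfix. It assumes the openssl binary is on PATH; the -clcerts/-cacerts split is my addition, to guarantee the leaf certificate comes before its issuers.

```shell
# Added example, not code from the thread. Assumes the openssl command line
# tool is on PATH; all file names and the export password are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed input: a throwaway CA and a server cert it signs, exported to a
# PFX with the chain included, standing in for the poster's original.pfx.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Example Test CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=mail.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out leaf.crt -days 1 2>/dev/null
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile ca.crt \
        -out original.pfx -passout pass:exportpw
}

# Viktor's recipe: umask 077 in a subshell so the unencrypted key is never
# world-readable, the key rewritten with the traditional "RSA PRIVATE KEY"
# label a Postfix linked against 0.9.8 wants, then the chain appended.
convert_pfx() {
    (
        umask 077
        openssl pkcs12 -nodes -nocerts -in original.pfx -passin pass:exportpw \
            -out key.tmp
        # OpenSSL 3 writes PKCS#8 unless given -traditional; older releases
        # reject that flag but write the RSA label by default.
        openssl rsa -traditional -in key.tmp -out certkey.pem 2>/dev/null ||
            openssl rsa -in key.tmp -out certkey.pem
        rm -f key.tmp
        # leaf certificate first, then issuers: the order smtpd_tls_cert_file expects
        openssl pkcs12 -nokeys -clcerts -in original.pfx -passin pass:exportpw >>certkey.pem
        openssl pkcs12 -nokeys -cacerts -in original.pfx -passin pass:exportpw >>certkey.pem
    )
}

# Checks to run before pointing smtpd_tls_key_file/smtpd_tls_cert_file at it.
rsa_label_count() { grep -c -- '-----BEGIN RSA PRIVATE KEY-----' certkey.pem; }
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' certkey.pem; }
file_mode() { stat -c %a certkey.pem 2>/dev/null || stat -f %Lp certkey.pem; }
key_matches_cert() {   # key and first (leaf) cert must share one modulus
    [ "$(openssl rsa -noout -modulus -in certkey.pem 2>/dev/null)" = \
      "$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' certkey.pem | openssl x509 -noout -modulus)" ]
}

make_test_pfx && convert_pfx
key_matches_cert && echo "certkey.pem: $(cert_count) certs, mode $(file_mode)"
```

The same certkey.pem can be named in both smtpd_tls_key_file and smtpd_tls_cert_file, since Postfix reads the key and the certificates from whichever file they are in.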
Gary Smith
2011-01-14 00:49:43 UTC
Post by Victor Duchovni
Oops, while the "umask 077" is indeed required, this does produce a PEM
file with a usable key and certificate, provided the OpenSSL library
behind the pkcs12 command is not substantially newer than the one Postfix
is linked with. If the command is from OpenSSL 1.0.0, it will generate
a new-style PKCS#8 "generic" private key, while Postfix linked against
0.9.8 will probably want an RSA key.
You may need to run "openssl rsa" to convert this to an RSA key, which
then needs to replace the
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
--
Viktor.
Viktor,

Thanks for the follow up.

Here is a little more information as well as what I have done since your last email. The OS is opensuse 11.3 with openssl 1.0 which I assume they linked postfix against as well. When I made the changes below the log file stopped spewing out the RSA invalid errors that it did before (and was quiet). I'm not sure what the correct way to test is. I'm using openssl s_client to do the test. Am I testing wrong at this point or is there still an error?
Post by Victor Duchovni
(
umask
openssl pkcs12 -nodes -nocerts -out hsserver01.pem -in original.pfx
)
Post by Victor Duchovni
(
umask 077
openssl pkcs12 -nodes -nocerts -out certkey.pem -in original.pfx
)
Post by Victor Duchovni
openssl pkcs12 -nokeys -in original.pfx >> certkey.pem
cp *.pem /etc/postfix/ssl/
edited main.cf:
# Public key in PEM format
# TRIED IT WITH certkey.pem as well...
smtpd_tls_key_file = /etc/postfix/ssl/hsserver01.pem
# Private key in crt format
smtpd_tls_cert_file = /etc/postfix/ssl/certkey.pem
Post by Victor Duchovni
openssl s_client -showcerts -state -quiet -status -connect localhost:465
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
3075593864:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:683:
# no errors at all in the mail log
Post by Victor Duchovni
openssl version
OpenSSL 1.0.0 29 Mar 2010


Postconf -n stuff:
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/ssl/certkey.pem
smtpd_tls_key_file = /etc/postfix/ssl/hsserver01.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
Gary Smith
2011-01-14 01:10:47 UTC
Post by Gary Smith
Post by Victor Duchovni
openssl s_client -showcerts -state -quiet -status -connect localhost:465
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
3075593864:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
# no errors at all in the mail log
All looks well. Adding -starttls smtp gives me real output. Either way your conversion method worked fine to get rid of the RSA error.

openssl s_client -connect 127.0.0.1:465 -starttls smtp
Victor Duchovni
2011-01-14 01:30:34 UTC
Post by Gary Smith
Post by Victor Duchovni
(
umask
openssl pkcs12 -nodes -nocerts -out hsserver01.pem -in original.pfx
)
This contains the key only.
Post by Gary Smith
Post by Victor Duchovni
(
umask 077
openssl pkcs12 -nodes -nocerts -out certkey.pem -in original.pfx
)
This contains the key only.
Post by Gary Smith
Post by Victor Duchovni
openssl pkcs12 -nokeys -in original.pfx >> certkey.pem
At this point the certkey.pem file contains both the certs and key.
Post by Gary Smith
# TRIED IT WITH certkey.pem as well...
smtpd_tls_key_file = /etc/postfix/ssl/hsserver01.pem
Well, certkey.pem is the right file.
Post by Gary Smith
# Private key in crt format
smtpd_tls_cert_file = /etc/postfix/ssl/certkey.pem
Post by Victor Duchovni
openssl s_client -showcerts -state -quiet -status -connect localhost:465
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
# no errors at all in the mail log
You need "-starttls smtp" to test SMTP servers with s_client.
--
Viktor.