# Postfix certificate chain



## xy16644 (May 12, 2014)

Yesterday I had my SSL certificate re-issued. I now have two certificates for the same domain. One has an RSA signature and the new one I received yesterday uses ECDSA. I enabled the ECDSA certificate in Dovecot and Apache and those services are working great.

In Postfix I have enabled two certificates (RSA and ECDSA). To enable the ECDSA cert I added the following to my main.cf:

```
smtpd_tls_eccert_file = /usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
smtpd_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.key
```

When I received the ECDSA cert from Comodo I had the following files:

AddTrustExternalCARoot.crt
COMODOECCAddTrustCA.crt
COMODOECCDomainValidationSecureServerCA.crt
mail.domain.com.crt

To create the chained file for use in Postfix I ran:
`cat mail.domain.com.crt COMODOECCDomainValidationSecureServerCA.crt COMODOECCAddTrustCA.crt > mail.domain.com.chained.postfix.ecdsa.crt`
The problem is, when I restart postfix and test with:
`openssl s_client -connect mail.domain.com:25 -crlf -starttls smtp -CAfile /usr/local/openssl/certs/AddTrustExternalCARoot.crt`
it says:

```
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

....

   Verify return code: 21 (unable to verify the first certificate)
```

If I comment out:

```
#smtpd_tls_eccert_file = /usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
#smtpd_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.key
```
and restart Postfix agan and run another OpenSSL test it is all fine:

```
Verify return code: 0 (ok)
```

So the question is, how do I get this new ECDSA certificate to work in Postfix and why doesn't it like the chain file I have created? It looks like its using the RSA certificate in the chain for the ECDSA certificate which is confusing! In case anyone's wondering, Postfix does support running more than one certificate at once. See here: http://postfix.cs.utah.edu/TLS_README.html.


> RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported. You can configure all three at the same time, in which case the cipher used determines which certificate is presented.



I am running the latest version of Postfix and OpenSSL (from ports).

Any ideas? My Dovecot and Apache ECDSA certify and chain verify just fine as does my chain file used in Postfix with my RSA certificate. Its just the ECDSA one in Postfix I am battling with.

I would appreciate any help!


----------

