What is the proper installation and usage of SSL certificates signed by an intermediate CA?
Using SSL certificates for SMTP TLS that are signed by an intermediate CA is a bit tricky. On firmware 2.8 the certificates cannot even be uploaded at 'SMTP | TLS Certificates | Upload New Certificates' (see Technote 1578722 'Manually uploading SSL certificates for TLS' --> https://www-304.ibm.com/support/docview.wss?uid=swg21578722). When the certificates are uploaded manually without the intermediate CA certificate, incoming TLS connections only work if the sending MTA does not validate the certificate: the appliance presents only its own certificate, so a sending MTA that verifies the chain cannot link it to a trusted root and rejects the connection. This article describes the manual modifications that are necessary for a proper usage of such certificates.
For a proper installation of a certificate that is signed by an intermediate CA, the certificate of the intermediate CA must be added to the certificate file, so that the appliance presents the complete chain (server certificate plus intermediate) to the sending MTA.
1. If you do not already have the certificate of the intermediate CA you need to get it:
openssl x509 -in server.cert -text -noout
This command prints all the information about your certificate. The output contains a section 'Authority Information Access' whose 'CA Issuers' URI points to the certificate of the intermediate CA that signed your certificate.
Download the certificate from that URI (in our example it is: http://gtssl-aia.geotrust.com/gtssl.crt).
2. Check if the certificate of the intermediate CA is in PEM format.
openssl x509 -in CERTIFICATE_NAME.crt -text -noout
If it is NOT in PEM format but in DER format, the command cannot read the file and you will get an error like:
Convert the certificate from DER to PEM:
openssl x509 -inform der -in CERTIFICATE_NAME.crt -out CERTIFICATE_NAME.cert
3. Append the certificate of the intermediate CA to your server certificate, so that the file contains the server certificate first, followed by the intermediate CA certificate. Do not append the root CA certificate; the sending MTA must already trust the root.
4. Put the private key and the server certificate file (now containing the chain) in place as described in Technote 1578722 (https://www-304.ibm.com/support/docview.wss?uid=swg21578722). You may test the TLS connection on the appliance with:
openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25 -CAfile /etc/apache2/ssl.crt/ca-bundle.crt
If the certificate chain can be successfully verified you should see 'Verify return code: 0 (ok)' in the output. The file given with -CAfile must contain the root CA that issued the intermediate. If you see 'Verify return code: 20 (unable to get local issuer certificate)' instead, either the intermediate CA certificate was not appended to the server certificate, or the CA bundle does not contain that root. A test from a remote host, using the CA bundle of a real sending MTA, is the closest check of what senders actually see.
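The whole procedure (steps 1 to 4) as an added, self-contained example; this is not code from the technote or from IBM. It goes beyond the article by first building a throw-away test PKI with the same shape as the real one (root CA, intermediate CA, server certificate signed by the intermediate) so that it runs offline, and it replaces the s_client test against the appliance with an offline 'openssl verify' that behaves like a sending MTA which trusts only the root. The names mail.example.test, pki.example.test, the AIA URL and all file names are assumptions made up for the demonstration; the root certificate stands in for the sending MTA's CA bundle.

```shell
#!/bin/sh
# Added example, not from the IBM technote: build a throw-away test PKI with
# the same shape as the real one (root CA -> intermediate CA -> server cert),
# then run steps 1-4 against it. Every name, URL and path below is made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Self-contained OpenSSL config so the example does not depend on a system openssl.cnf
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = DNS:mail.example.test
authorityInfoAccess = caIssuers;URI:http://pki.example.test/intermediate.crt
EOF

# sign_cert CSR CA_CERT CA_KEY EXT_SECTION OUT: issue a certificate from a CSR
sign_cert() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 365 \
    -extfile "$CNF" -extensions "$4" -out "$5" 2>/dev/null
}

# Constructed PKI: root.pem (what the "sending MTA" trusts), intermediate.pem,
# server.pem signed by the intermediate, plus a DER copy of the intermediate
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CNF" -extensions v3_ca \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  sign_cert "$WORK/intermediate.csr" "$WORK/root.pem" "$WORK/root.key" v3_ca "$WORK/intermediate.pem"
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=mail.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  sign_cert "$WORK/server.csr" "$WORK/intermediate.pem" "$WORK/intermediate.key" v3_server "$WORK/server.pem"
  openssl x509 -in "$WORK/intermediate.pem" -outform der -out "$WORK/intermediate.der"
}

# Step 1: print the "CA Issuers" URI from the Authority Information Access extension
aia_issuer_url() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# Step 2: report PEM or DER. The PEM header check guards against OpenSSL builds
# that auto-detect the encoding; the parse attempts are the technote's own test.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null \
     && openssl x509 -in "$1" -inform pem -noout 2>/dev/null; then echo PEM
  elif openssl x509 -in "$1" -inform der -noout 2>/dev/null; then echo DER
  else echo UNKNOWN
  fi
}

# Step 2: to_pem IN OUT writes a PEM copy whatever the input encoding
to_pem() {
  case "$(cert_format "$1")" in
    PEM) cp "$1" "$2" ;;
    DER) openssl x509 -inform der -in "$1" -out "$2" ;;
    *) echo "not a certificate: $1" >&2; return 1 ;;
  esac
}

# Step 3: build_chain SERVER_PEM INTERMEDIATE_PEM OUT; the server cert must come first
build_chain() {
  cat "$1" "$2" > "$3"
}

# Step 4, offline: verify_chain CAFILE CHAINFILE checks the chain the way a sending
# MTA that trusts only CAFILE would: the first cert is the leaf, the rest are
# untrusted chain certs the server has to supply itself. Exit status 0 means "ok".
verify_chain() {
  d="$(mktemp -d)"
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} {print > (n == 1 ? d "/leaf.pem" : d "/rest.pem")}' "$2"
  rc=0
  if [ -s "$d/rest.pem" ]; then
    openssl verify -CAfile "$1" -untrusted "$d/rest.pem" "$d/leaf.pem" || rc=$?
  else
    openssl verify -CAfile "$1" "$d/leaf.pem" || rc=$?
  fi
  rm -rf "$d"
  return $rc
}

make_test_pki
echo "step 1: intermediate is published at $(aia_issuer_url "$WORK/server.pem")"
echo "step 2: intermediate.der is $(cert_format "$WORK/intermediate.der")"
to_pem "$WORK/intermediate.der" "$WORK/intermediate.converted.pem"
build_chain "$WORK/server.pem" "$WORK/intermediate.converted.pem" "$WORK/server-chain.pem"
if verify_chain "$WORK/root.pem" "$WORK/server.pem"; then
  echo "unexpected: the server certificate alone verified"
else
  echo "server certificate alone: verification fails, as a strict sending MTA sees it"
fi
if verify_chain "$WORK/root.pem" "$WORK/server-chain.pem"; then
  echo "server certificate + intermediate: verification ok"
fi
```

The two verify_chain calls at the end are the point of the article in miniature: the same leaf certificate fails against a verifier that holds only the root, and passes once the intermediate travels with it. On the appliance itself, the equivalent check is the 'openssl s_client -starttls smtp' command from step 4, where 'Verify return code: 0 (ok)' corresponds to the second call succeeding.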
If the above information does not resolve your issue, please contact IBM Security Systems Customer Support.
|Segment|Product|Component|Version|Edition|
|---|---|---|---|---|
|Security|Proventia Network Mail Security System|Firmware|2.6, 220.127.116.11, 2.8|All Editions|