Wildcard certificate and DANE/TLSA records

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jan 2 10:10:11 CET 2019


On Tue, Jan 01, 2019 at 12:08:35PM -0500, zorion wrote:

> > No, you just put all the requisite certificates along with the
> > private key in a mode 0600, root-owned smtpd_tls_cert_file.  The
> > server certificate first, then its issuer CA, then any parent issuer
> > CA, ... up to possibly the root CA, if that's the DANE trust-anchor
> > matching the TLSA record.  If the "2 1 1" TLSA record is for an
> > intermediate CA, then the root CA can be left out, but still list
> > any intermediates above that, for non-DANE clients.
> 
> When I put the private key in that file, how is the file structured?

The order of the certificates is subject first then issuer.
The key can appear anywhere, but for compatibility with
upcoming features in Postfix 3.4, put it first.

    1. private key
    2. corresponding end-entity certificate
    3. issuer of 2 if any
    4. issuer of 3 if any
    ...
    N. root-CA issued certificate (required for regular PKI)
    N+1. optional root-CA if published as DANE trust-anchor

-- 
	Viktor.
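As an added example that is not part of the original thread (and not Postfix's own tooling), here is a POSIX shell function that checks a bundle against the layout Viktor describes: key first, key matching the end-entity certificate, and every certificate's issuer being the subject of the block that follows it. It assumes the openssl command-line tool is on PATH.

```sh
#!/bin/sh
# check_cert_bundle FILE -- sanity-check a smtpd_tls_cert_file bundle (added example).
# Expected layout, as described in the post: private key first, then the
# end-entity certificate, then each issuer in turn up to an optional root.
# Prints the first problem found and returns 1; returns 0 if the layout holds.
# Assumes the openssl command-line tool is on PATH.
check_cert_bundle() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    # Split the PEM file into one file per block, numbered in file order.
    awk -v dir="$tmp" '/^-----BEGIN /{n++; f=sprintf("%s/%03d.pem", dir, n)} n{print > f}' "$bundle"
    set -- "$tmp"/*.pem
    key=$1; shift
    # 1. The first block must be the private key.
    if ! head -n 1 "$key" 2>/dev/null | grep -q 'PRIVATE KEY-----'; then
        echo "first block is not a private key"; rm -rf "$tmp"; return 1
    fi
    [ $# -ge 1 ] || { echo "no certificate follows the key"; rm -rf "$tmp"; return 1; }
    # 2. The key must belong to the end-entity certificate in block 2
    #    (compare the SubjectPublicKeyInfo derived from each).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || cert_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "private key does not match the end-entity certificate"; rm -rf "$tmp"; return 1
    fi
    # 3. Walk the chain: each certificate's issuer must be the subject of the next block.
    prev=$1; shift
    for cert in "$@"; do
        issuer=$(openssl x509 -in "$prev" -noout -issuer -nameopt RFC2253 2>/dev/null | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//')
        if [ -z "$subject" ] || [ "$issuer" != "$subject" ]; then
            echo "chain break after $(basename "$prev"): issuer '$issuer' but next block is '$subject'"
            rm -rf "$tmp"; return 1
        fi
        prev=$cert
    done
    rm -rf "$tmp"
    return 0
}
```

A bundle that ends at an intermediate (the DANE "2 1 1" trust-anchor case) passes as long as every block is the issuer of the one before it; the function does not require the root to be present.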

