djs.to

darrin's musings on software, linux, and anything else.

CentOS 7.1: Install StartSSL CA Certificate

A few months ago I configured Postfix on my CentOS 7.0 VPS to accept a TLS client certificate from my laptop, instead of a password. My client certificate was obtained from StartSSL, who have a rather convoluted process but seem to be the best value CA out there.

Last week CentOS 7.1 became available. I did a yum update, and rebooted, it all seemed to go without a hitch. Until I tried to send an email. My server was logging ‘certificate verification failed’.

After a bit of research, I figured that the problem might be with the StartSSL certificate chain. Time to figure out how to add it to the system. Turns out its fairly easy:

Step One: Fetch the startssl bundle and put it in the right directory

cd /etc/pki/ca-trust/source/anchors
curl -o startssl-ca-bundle.pem http://www.startssl.com/certs/ca-bundle.pem

Step Two: Rebuid the trust database

update-ca-trust

Step Three: Restart Postfix

service postfix restart

And that takes care of that. I wish Postfix/OpenSSL had some better diagnostics when things go wrong, it would reduce the amount of guesswork required.