After you import your own certificate, Simple Mail Transfer Protocol (SMTP) over Transport Layer Security (TLS) stops working. The tsmtpd.<date>.<count> log shows the following error:
2013/03/19 08:48:35.988[3212:3144]A0EInvalid certificate chain, root CA is not the last certificate in the chain.
2013/03/19 08:48:35.988[3212:3144]A0ELoad my certificate failed: Provided SSL certificate is invalid.. Server side SSL is disabled.
The issue happens because the certificate chain was imported into IMSS in Server-Root-Intermediate order instead of Server-Intermediate-Root. This violates the Request for Comments (RFC) requirement that the server's certificate come first, with each following certificate directly certifying the one before it, so the root CA must be last.
For more information on validating the certificate’s order, refer to this IETF document: RFC 5246 – The Transport Layer Security (TLS) Protocol Version 1.2.
To resolve the issue:
- Using a text editor, create a new text file and name it Server-Intermediate-RootCA.cer.
- Open the Server-Intermediate-RootCA.cer file and paste the three certificates in the following order:

  -----BEGIN CERTIFICATE-----
  ----(Put server certificate here)---
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  ----(Put intermediate CA certificate here)---
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  ----(Put root CA certificate here)---
  -----END CERTIFICATE-----

  Double-check the file and make sure there are no Carriage Returns (CRLFs) at the top and bottom.
- Create another text file and name it private.key.
- Open private.key and paste the private key string.
- Log in to the IMSS console and export the self-signed certificate currently installed.
- Import Server-Intermediate-RootCA.cer and private.key, and then save the changes.
- Restart the Trend Micro IMSS SMTP Service.
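Before importing the file, the chain order can be checked offline. The script below is an added example written for this note (it is not IMSS or Trend Micro code): it reads a PEM bundle and reports whether it is in Server-Intermediate-Root order by matching each certificate's DER issuer name against the next certificate's subject name and confirming that the last certificate is self-signed. The three certificates it uses are constructed, unsigned stand-ins built inline; to check a real file, pass the text of Server-Intermediate-RootCA.cer to chain_order_problems().

```python
import base64, re
def _tlv(data, pos=0):
    """Decode one DER TLV at pos and return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long-form length (real certificates use it)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _children(content):                            # split a constructed element into child TLVs
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out
def issuer_subject(der):
    """Return (issuer, subject) of a DER certificate as raw DER Name encodings."""
    tbs = _children(_tlv(der)[1])[0][1]            # Certificate -> tbsCertificate
    f = _children(tbs)
    if f[0][0] == 0xA0:                            # skip the optional [0] EXPLICIT version
        f = f[1:]
    return f[2][1], f[4][1]                        # serial, sigAlg, issuer, validity, subject

def chain_order_problems(pem_text):
    """List what is wrong with the chain order; an empty list means Server -> Intermediate -> Root."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [issuer_subject(base64.b64decode("".join(b.split()))) for b in blocks]
    problems = []
    for i in range(len(names) - 1):                # each issuer must equal the next subject
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if names and names[-1][0] != names[-1][1]:     # the chain must end with the self-signed root
        problems.append("last certificate is not a self-signed root CA")
    return problems

def _enc(tag, payload):                            # DER encoder for the constructed toy certs below (sample input only)
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + payload
def _name(cn):                                     # Name ::= SEQ { SET { SEQ { OID commonName, UTF8String } } }
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
def toy_cert_pem(subject_cn, issuer_cn):           # structurally valid, unsigned, NOT a real certificate
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
               + _name(issuer_cn) + _enc(0x30, b"") + _name(subject_cn) + _enc(0x30, b""))
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

SERVER = toy_cert_pem("mail.example.com", "Example Intermediate CA")   # constructed sample names
INTER = toy_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = toy_cert_pem("Example Root CA", "Example Root CA")
WRONG_ORDER = SERVER + ROOT + INTER                # Server-Root-Intermediate: the order that triggers the error
RIGHT_ORDER = SERVER + INTER + ROOT                # Server-Intermediate-Root: the order IMSS expects
```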