On Sun, 18 Jan 2026 at 16:48, Uolys <[email protected]> wrote:
>
> > a properly configured TLS server needs to include
> > the intermediate certificates. […] Otherwise only the
> > TLS clients that by accident have the intermediate
> > certificate already in the cache or implement AIA
> > fetching will be able to connect.
> > …
> > The "ca" directive in opensmtpd has nothing to do with
> > any of this. The ca directive refers to the CA opensmtpd
> > uses to client certificates, so this is unrelated.
> > …
> > pki "mx" cert should point to fullchain.cert
> > pki "mx" key should point to the key file.
>
> I could not find this explanation anywhere else, thank you very much!
>
> > I believe you can find the details of this in "man 5 smtpd.conf"
>
> Yes, smtpd.conf(5) mentions the possibility of combining certificates
> into a single file, although this seems not mandatory there:
It isn't mandatory, because there are use cases other than WebPKI certificates for this. The man page indicates what configuration directives mean. What you need those configuration directives to look like for your specific setup, you will have to either know or research. For public PKI, intermediate certificates are always necessary.

> > pki pkiname cert certfile
> > …
> > A certificate chain may be created by appending one
> > or many certificates, including a Certificate
> > Authority certificate, to certfile.
> > https://man.openbsd.org/smtpd.conf.5
>
> For an example, the 'lefh' script of the Hiawatha HTTP server automatically
> creates a vhost.pem file, which includes domain.key on the top of
> fullchain.cert — and all WWW browsers accept these certificates, no
> complaints nor security issues have been reported so far.

I'm not sure I understand your point. man 5 smtpd.conf indicates that the certificate *key* belongs in a separate file, and you point to that with a separate configuration directive. The hiawatha man pages clearly indicate that the key belongs in the certificate file, combining everything into one file.

Different software uses different configuration directives and methods. What is common among every TLS server is that it requires a certificate and the corresponding key, and that, if we are talking about the Web PKI, the full chain (all intermediate certificates, not the root) is always necessary. How you configure this for a specific TLS server will be explained in the man page. Man pages cover the specifics of the software used; they can't possibly cover all the basics.

Lukas
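As an added example (not part of the thread and not opensmtpd's own tooling), a shell check of the two files a `pki "mx"` block points at: that the cert file holds the leaf followed by at least one intermediate, that the private key is not also pasted into it, that the key file matches the leaf, and that a client holding only a root (no AIA fetching) can build the chain from what the server sends. It assumes the openssl command-line tool; the file names are arguments you supply, and the third one is the CA bundle your clients trust.

```shell
#!/bin/sh
# Added example: sanity-check the files behind
#   pki "mx" cert "<certfile>"   (leaf first, then intermediates, no key)
#   pki "mx" key  "<keyfile>"    (the private key, in its own file)
# Requires the openssl CLI. Paths are constructed arguments, not fixed names.
set -u

# check_pki CERTFILE KEYFILE ROOTFILE
# Returns 0 when CERTFILE bundles leaf + at least one intermediate, holds no
# private key, matches KEYFILE, and chains up to a root in ROOTFILE.
check_pki() {
  certfile=$1 keyfile=$2 rootfile=$3
  n=$(grep -c 'BEGIN CERTIFICATE' "$certfile")
  if [ "$n" -lt 2 ]; then
    echo "$certfile: $n certificate(s); intermediates are missing" >&2
    return 1
  fi
  if grep -q 'PRIVATE KEY' "$certfile"; then
    echo "$certfile: contains a private key; keep it in the key file" >&2
    return 1
  fi
  # openssl x509 reads only the first certificate, i.e. the leaf; its
  # public key must be the one derived from KEYFILE.
  leafpub=$(openssl x509 -in "$certfile" -noout -pubkey)
  keypub=$(openssl pkey -in "$keyfile" -pubout)
  if [ -z "$leafpub" ] || [ "$leafpub" != "$keypub" ]; then
    echo "$keyfile does not match the leaf certificate in $certfile" >&2
    return 1
  fi
  # Verify the leaf using the bundled certificates as untrusted
  # intermediates: this is all a client without AIA fetching has to go on.
  leaf=$(mktemp)
  openssl x509 -in "$certfile" -out "$leaf"
  openssl verify -CAfile "$rootfile" -untrusted "$certfile" "$leaf" >/dev/null
  status=$?
  rm -f "$leaf"
  return $status
}
```

Run it as `check_pki /path/to/fullchain.cert /path/to/mx.key /path/to/ca-bundle.pem` before reloading smtpd; a non-zero exit prints the reason on stderr.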
