Install Certificate in CanIt
Here's my recommended "best practices" solution to this:
Part 1: Install the server's certificate using the Setup : HTTPS function
This function asks you for the cert and its key. It will update files in /etc/ssl/ and it will get HTTPS working for your web interface.
This isn't what you asked for, but later we'll make Sendmail use the same cert/key for TLS. A big bonus of doing it this way is that when the time comes to update the cert/key, you can easily use Setup : HTTPS again and the updates will be used by both Apache and Sendmail. Future key updates are a snap.
On the Setup : HTTPS page it says:
Please paste your SSL certificate into the text box below. If your provider supplies a certificate chain file, paste the contents of that file immediately below your certificate.
When you get your certificate signed by a Certificate Authority, they often provide a "certificate bundle" or "certificate chain". These are additional certificate bits with intermediate certificate information which connect your certificate all the way up the chain to the root CA.
When you paste in your certificate at Setup : HTTPS, it should look something like this:
-----BEGIN CERTIFICATE-----
... your cert ...
-----END CERTIFICATE-----
To add the certificate bundle / chain bits, just append them directly below your own certificate so it looks like this:
-----BEGIN CERTIFICATE-----
... your cert ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... certificate bundle ...
-----END CERTIFICATE-----
NOTE: If you are simply updating your cert/key (or you needed to update it to add the certificate chain bundle bits) and you have already done the steps below, you don't need to redo them, but you do need to restart Sendmail to make the new cert/key take effect for SMTP/TLS.
Part 2: Making Sendmail behave
Part 1 will create / update /etc/ssl/private/canit-appliance.key and /etc/ssl/certs/canit-appliance.crt.
We'll leave Sendmail's config file alone; instead we'll just create symlinks in /etc/mail/tls/ to the appropriate files.
These commands will do the business:
mv /etc/mail/tls/sendmail-client.crt /etc/mail/tls/sendmail-client.crt.orig
mv /etc/mail/tls/sendmail-server.crt /etc/mail/tls/sendmail-server.crt.orig
mv /etc/mail/tls/sendmail-common.key /etc/mail/tls/sendmail-common.key.orig
ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-client.crt
ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-server.crt
ln -s /etc/ssl/private/canit-appliance.key /etc/mail/tls/sendmail-common.key
Then restart Sendmail:
Part 3: Enabling TLS in sendmail.mc
This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:
in /etc/mail/sendmail.mc somewhere before the MAILER(`local')dnl line.
NOTE: Look closely at the beginning:
include(`. Notice that the next character after the open bracket is a back-tick (the key next to 1, near ESC, on most 105-key US keyboard layouts). This is important. Also note that if you copy-paste from above, your copy-paste may convert the back-tick to a single quote. Watch out for this.
make -C /etc/mail && /etc/init.d/sendmail restart
You need to do this on all hosts.
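As an added example (not part of this post or of CanIt itself), here is a small POSIX shell script that checks the result of Parts 1 to 3 on a host: that the key belongs to the certificate, that the chain bundle was appended in the right order, that the Part 2 symlinks point where they should, and that the restarted Sendmail offers STARTTLS. The file paths are the ones named above; the host:port argument and the ability to override CERT/KEY are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the CanIt documentation: post-install checks for the cert,
# chain, key and Part 2 symlinks. Paths are those the page names; CERT/KEY can be overridden.
CERT=${CERT:-/etc/ssl/certs/canit-appliance.crt}
KEY=${KEY:-/etc/ssl/private/canit-appliance.key}
# 0 if the private key in $2 belongs to the first certificate in $1 (compares public keys).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}
# Number of PEM certificate blocks in $1: 1 means the chain bundle was not appended.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if the blocks in $1 are in the order Setup : HTTPS expects (your cert first, then the
# chain): each certificate's issuer must equal the subject of the block that follows it.
chain_in_order() {
    d=$(mktemp -d) || return 1
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$1"
    n=$(cert_count "$1"); i=1; rc=0
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer)
        sub=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || { rc=1; break; }
        i=$((i + 1))
    done
    rm -rf "$d"; return $rc
}

# 0 if the three Sendmail symlinks from Part 2, in directory $1 (normally /etc/mail/tls),
# point at $CERT and $KEY rather than at the .orig copies.
sendmail_links_ok() {
    for p in "sendmail-client.crt=$CERT" "sendmail-server.crt=$CERT" "sendmail-common.key=$KEY"; do
        [ "$(readlink "$1/${p%%=*}")" = "${p#*=}" ] || return 1
    done
}

# Whole-appliance check; $1 is host:port of the restarted Sendmail, e.g. localhost:25.
check_appliance() {
    cert_matches_key "$CERT" "$KEY" || { echo "key does not match cert"; return 1; }
    [ "$(cert_count "$CERT")" -gt 1 ] || echo "warning: no chain appended to $CERT"
    chain_in_order "$CERT" || { echo "chain blocks out of order"; return 1; }
    sendmail_links_ok /etc/mail/tls || { echo "Sendmail symlinks not in place"; return 1; }
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$1" 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE' || { echo "STARTTLS not offered on $1"; return 1; }
    echo "all checks passed"
}
```

Run `check_appliance localhost:25` on each host after the Sendmail restart; a non-zero exit names the first check that failed.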