Certificate Update Guide for Postfix and Nginx

Step 1: Generate a Private Key and CSR

Run the following command to generate a private key and CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout xn--ecktg5a_xn--rdkua7d8a_xn--gckr3f0f.pem -out xn--ecktg5a_xn--rdkua7d8a_xn--gckr3f0f.csr -subj /CN=xn--ecktg5a.xn--rdkua7d8a.xn--gckr3f0f; cat xn--ecktg5a_xn--rdkua7d8a_xn--gckr3f0f.csr

Replace the CN with your domain if different.

Step 2: Prepend the Certificate to the Bundle

Create a bundled certificate file by appending the CA bundle to the certificate file:

(echo ""; cat xn--ecktg5a.xn--rdkua7d8a.xn--gckr3f0f.crt; echo ""; cat xn--ecktg5a.xn--rdkua7d8a.xn--gckr3f0f.ca-bundle) > ssl-bundle.crt

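Check the resulting file and ensure that no blank line falls inside a certificate block (between its BEGIN and END lines), which would truncate the certificate.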

Step 3: Replace the Files in Nginx

Edit your Nginx configuration file to use the new certificate:

vim /etc/nginx/conf.d/0mail.piman.cloud.conf

Locate the SSL certificate and key paths and update them to the new files.

Step 4: Replace the Files in Postfix

Edit your Postfix configuration file to use the new certificate:

vim /etc/postfix/main.cf

Update the paths for smtpd_tls_cert_file and smtpd_tls_key_file to point to the new files.

Step 5: Update DANE (Optional)

To update DANE (DNS-based Authentication of Named Entities), generate a TLSA record:

openssl x509 -in ssl-bundle.crt -outform DER | openssl sha256

Use the output hash to update the TXT DNS records for your domain:

Remember to reload or restart Nginx and Postfix after making these changes to apply the new certificate configurations.
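
An added example, not part of the original guide: a Python check for the bundle built in Step 2 (fused or blank-line-broken PEM blocks) that also formats the Step 5 digest as TLSA record data. The host name mail.example.com, the placeholder bytes standing in for certificates, and certificate usage 3 (DANE-EE) are assumptions; selector 0 and matching type 1 follow from the guide's command, which takes SHA-256 over the whole DER certificate.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"\n(.*?)\n" + re.escape(END), re.S)

def split_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    text = text.replace("\r\n", "\n")
    # Plain `cat a.crt b.crt` fuses the markers when a.crt lacks a final newline.
    if re.search(re.escape(END) + r"[^\n]", text):
        raise ValueError("END marker is not followed by a newline")
    ders = []
    for match in BLOCK.finditer(text):
        lines = match.group(1).split("\n")
        if any(not line.strip() for line in lines):
            raise ValueError("blank line inside a certificate block")
        ders.append(base64.b64decode("".join(lines), validate=True))
    if not ders or len(ders) != text.count(BEGIN):
        raise ValueError("unbalanced or missing BEGIN/END markers")
    return ders

def tlsa_record(host, port, bundle_text):
    """TLSA line for the first (server) certificate in the bundle."""
    # Usage 3 (DANE-EE) is an assumption; selector 0 / matching type 1 mean
    # SHA-256 over the full DER certificate, as in the guide's Step 5 command.
    leaf = split_bundle(bundle_text)[0]
    digest = hashlib.sha256(leaf).hexdigest()
    return f"_{port}._tcp.{host}. IN TLSA 3 0 1 {digest}"

def to_pem(der):
    """Wrap bytes as a PEM block with no trailing newline, like a file lacking one."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}"

# Constructed placeholder bytes, not real certificates: only the PEM framing
# and the digest are exercised here.
LEAF_DER = bytes(range(200))
CA_DER = bytes(range(200, 256)) * 3
GOOD_BUNDLE = "\n" + to_pem(LEAF_DER) + "\n" + to_pem(CA_DER) + "\n"  # Step 2 style
FUSED_BUNDLE = to_pem(LEAF_DER) + to_pem(CA_DER)  # plain cat, no separators

if __name__ == "__main__":
    for port in (25, 443):  # Postfix SMTP and Nginx HTTPS
        print(tlsa_record("mail.example.com", port, GOOD_BUNDLE))
```

Pass the contents of the real ssl-bundle.crt to split_bundle before reloading Nginx and Postfix. For a well-formed certificate the digest equals the output of the Step 5 openssl command on the same file.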