I have an SSL certificate and key from a trusted CA (not self-signed). This gives me the following files on a Fedora system:
/etc/pki/tls/certs/mydomain.crt
/etc/pki/tls/certs/mydomain.csr
/etc/pki/tls/private/mydomain.key
My sendmail.mc file contains these lines:
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/mydomain.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/private/mydomain.key')dnl
Note that I don't have any .pem files that are commonly shown in examples of how to get TLS working in sendmail.
When I start sendmail, I get this error:
Aug 22 15:10:17 cs sendmail[23424]: STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/pki/tls/private/mydomain.key) failed
I assume the reason for the error is it is looking for a .pem file, but I only have a .key file to give. Should I create a .pem file? If so, how do I do it from my existing files? When I try to run make mydomain.pem it wants to create a CSR from scratch.
Solution
As pointed out below, there was a password on the key file. I removed it using the openssl
command and sendmail was able to load the file. I also needed to start saslauthd
to get it all working.
That looks correct, the .pem file is the certificate or public key and can also be .cer or .crt as far as I'm aware. See this similar post for more information.
Regarding the actual error, does the key have a password associated with it? Do you definitely have the files the right way around? The .key should start with
---BEGIN PRIVATE KEY---
and the .crt should start with ---BEGIN CERTIFICATE---
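The two checks the answer suggests (is the key passphrase-protected, and are the cert and key files the right way around) can be scripted before sendmail is started, which also covers the fix the question's Solution describes. The script below is an added example, not code from the question, the answer or the sendmail project: it only reads PEM headers, so it needs no openssl at inspection time, and it prints the openssl command for stripping the passphrase when it finds an encrypted key. File names match the question; the PEM bodies written by make_sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the files confSERVER_CERT
# and confSERVER_KEY point at. A passphrase-protected key cannot be unlocked by
# sendmail at startup and surfaces as "SSL_CTX_use_PrivateKey_file(...) failed".

# pem_kind FILE -> prints cert | key | encrypted-key | csr | unknown | unreadable
pem_kind() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    # PKCS#8 encrypted keys say so in the BEGIN line; legacy PKCS#1 encrypted keys
    # keep "BEGIN RSA PRIVATE KEY" but carry a "Proc-Type: 4,ENCRYPTED" header.
    if grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" \
       || grep -Eq '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted-key
    elif grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"; then
        echo key
    elif grep -Eq '^-----BEGIN CERTIFICATE-----' "$f"; then
        echo cert
    elif grep -Eq '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----' "$f"; then
        echo csr
    else
        echo unknown
    fi
}

# check_sendmail_tls CERT KEY -> 0 when CERT is a certificate and KEY is an
# unencrypted private key, 1 otherwise (with a one-line reason on stdout)
check_sendmail_tls() {
    cert=$1 key=$2 rc=0
    ck=$(pem_kind "$cert")
    kk=$(pem_kind "$key")
    [ "$ck" = cert ] || { echo "confSERVER_CERT $cert: expected a certificate, found $ck"; rc=1; }
    case $kk in
        key) ;;
        encrypted-key)
            echo "confSERVER_KEY $key: passphrase-protected; remove it with"
            echo "  openssl rsa -in $key -out $key.nopass && chmod 600 $key.nopass"
            rc=1 ;;
        *)  echo "confSERVER_KEY $key: expected a private key, found $kk"; rc=1 ;;
    esac
    return $rc
}

# make_sample FILE KIND -> writes a constructed PEM-shaped file for demonstration.
# The base64 body is a placeholder, not real key or certificate material.
make_sample() {
    d='-----'
    x=''
    case $2 in
        cert)          h='CERTIFICATE' ;;
        key)           h='RSA PRIVATE KEY' ;;
        encrypted-key) h='RSA PRIVATE KEY'
                       x='Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000
' ;;
        csr)           h='CERTIFICATE REQUEST' ;;
    esac
    printf '%sBEGIN %s%s\n%sUExBQ0VIT0xERVI=\n%sEND %s%s\n' \
        "$d" "$h" "$d" "$x" "$d" "$h" "$d" > "$1"
}

# Demo on constructed files in a temp dir laid out like the question's system
tmp=$(mktemp -d)
make_sample "$tmp/mydomain.crt" cert
make_sample "$tmp/mydomain.csr" csr
make_sample "$tmp/mydomain.key" encrypted-key
check_sendmail_tls "$tmp/mydomain.crt" "$tmp/mydomain.key" \
    || echo "fix the key before starting sendmail"
rm -rf "$tmp"
```

Header inspection only proves the file shapes are right; to confirm the key actually belongs to the certificate, compare `openssl x509 -noout -modulus -in mydomain.crt` with `openssl rsa -noout -modulus -in mydomain.key` after the passphrase has been removed. Keep the unencrypted key readable only by root, since anyone who can read it can impersonate the mail server. As the question's Solution notes, SMTP AUTH over the new TLS session still needs saslauthd running.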