After at least the last two certificate renewals the certificate exported (as a task after the renewal process) includes the private key as the first entry in the created PEM file. It’s a concern because clients download the certificate which includes the private key.
I didn’t notice this until today when connections started failing because the DSR root certificate has now expired. It’s also a concern because the certificate is invalid and any legitimate client will reject it. As a result, clients did not update to use the new certificate when the certificate was automatically renewed on Sept 11th. This has meant that the certificate path has been wrong on clients, leading to the error today.
Several CTW tasks are run after the certificate is renewed: to export the certificate (full path not including the private key) to cert.pem, to export the private key to pkey.pem and then to restart the mail server (hMailServer).
After noticing the issue I started CTW which prompted me to update to 5.5 - and I did. After the update I renewed the certificate manually. When I opened the exported certificate file using a text editor the private key was again at the beginning of the file. After removing the private key from the certificate file clients have begun working again. I have checked that the certificates in the exported chain are the correct ones (no DST).
So my question is: why is the private key being included with the certificate export? Again, the export option being used is “PEM - Full certificate chain”. Is the private key supposed to be exported when using this option?
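A quick post-export check for the situation described in this post, added here as an example and not part of the original post or of CTW's own tooling: it lists the PEM blocks in an exported file in order, flags any private-key block, and rebuilds a certificate-only copy. The sample input is constructed to mirror the reported layout (key first, then the chain); the base64 bodies are placeholders, not real key or certificate material.

```python
import re
from typing import List, Tuple

# One PEM block: group 1 is the label (CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY, ...),
# and the END line must carry the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, full block text) for every PEM block, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def private_key_positions(text: str) -> List[int]:
    """Zero-based indices of blocks that carry key material (PRIVATE KEY, EC/RSA/ENCRYPTED variants)."""
    return [i for i, (label, _) in enumerate(pem_blocks(text)) if "PRIVATE KEY" in label]


def safe_to_publish(text: str) -> bool:
    """True only if the file holds at least one certificate and no private key at all."""
    blocks = pem_blocks(text)
    has_cert = any(label == "CERTIFICATE" for label, _ in blocks)
    return has_cert and not private_key_positions(text)


def certificates_only(text: str) -> str:
    """Rebuild the file with CERTIFICATE blocks only, preserving their order (leaf first)."""
    return "\n".join(block for label, block in pem_blocks(text) if label == "CERTIFICATE") + "\n"


# Constructed sample matching the reported export: private key first, then leaf and intermediate.
# Placeholder bodies only; nothing here is real key or certificate data.
SAMPLE_EXPORT = (
    "-----BEGIN PRIVATE KEY-----\nAAAA placeholder key body\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB placeholder leaf\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nCCCC placeholder intermediate\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for i, (label, _) in enumerate(pem_blocks(SAMPLE_EXPORT)):
        print(f"block {i}: {label}")
    print("private key at block(s):", private_key_positions(SAMPLE_EXPORT))
    print("safe to publish:", safe_to_publish(SAMPLE_EXPORT))
    print("after stripping, safe:", safe_to_publish(certificates_only(SAMPLE_EXPORT)))
```

Run it against the real cert.pem (read the file into `text`) as an extra CTW task after the export; a non-empty `private_key_positions` result is the condition described above and the file should not be served to clients until it is rebuilt.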