
ClientKeyFile

File with the client certificate's private key (V8.11 and later)

STARTTLS and stream encryption are discussed in detail in Section 10.10. Among the items you might need to set up is a key file that corresponds to a certificate file. The client key is used by sendmail when it acts in the role of a sender (dispatching outbound email). The key is contained in a file whose location is set with this ClientKeyFile option, using declarations that look like this:

O ClientKeyFile=path             configuration file (V8.11 and later) 
-OClientKeyFile=path             command line (V8.11 and later) 
define(`confCLIENT_KEY',`path')  mc configuration (V8.11 and later) 

Here, path is a full path specification of the file containing the key. The path can contain sendmail macros, and if so, those macros will be expanded (their values used) when the configuration file, or command line, is read:

define(`confCLIENT_KEY', `${MyCERTPath}/ClntKey.pem')

The path must be a full pathname (must begin with a slash) and must also live in a directory that is safe (every component of which is writable only by root or the trusted user specified in the TrustedUser option) and must itself be safe (owned by and writable only by root or the trusted user specified in the TrustedUser option). If it is not, it will be rejected and the following error logged:

STARTTLS=client: file path unsafe: reason 

Note that the file must not be group- or world-readable.
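As an added example (not from the book and not sendmail's own code), a small Python checker that applies the safety rules above to a ClientKeyFile path; the names `check_client_key_file`, `SAMPLE_TREE` and `fake_stat` are assumed, and the checks are a simplified model of this entry's rules rather than sendmail's own safefile() logic.

```python
import os
import stat

# Assumed, simplified model of the rules in this entry (not sendmail's safefile()):
# full pathname; every directory owned by and writable only by root or the TrustedUser;
# the key file owned by that user and neither writable nor readable by group or others.
def check_client_key_file(path, trusted_uids, stat_fn=os.stat):
    """Return None when the path is safe, otherwise a short reason string."""
    if not path.startswith("/"):
        return f"{path}: not a full pathname"
    dirs, cur = ["/"], ""                      # "/" down to the parent directory
    for part in path.strip("/").split("/")[:-1]:
        cur += "/" + part
        dirs.append(cur)
    try:
        for d in dirs:
            st = stat_fn(d)
            if st.st_uid not in trusted_uids:
                return f"{d}: owned by uid {st.st_uid}, not root/TrustedUser"
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                return f"{d}: writable by group or others"
        st = stat_fn(path)
    except OSError as exc:
        return f"{path}: {exc.strerror}"
    if st.st_uid not in trusted_uids:
        return f"{path}: owned by uid {st.st_uid}, not root/TrustedUser"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path}: writable by group or others"
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        return f"{path}: readable by group or others"
    return None

# Constructed sample tree (path -> (st_mode, st_uid)) so the check runs offline;
# pass os.stat instead of fake_stat(...) to examine a real installation.
SAMPLE_TREE = {
    "/": (0o40755, 0), "/etc": (0o40755, 0), "/etc/mail": (0o40755, 0),
    "/etc/mail/certs": (0o40755, 0), "/var": (0o40755, 0),
    "/etc/mail/certs/ClntKey.pem": (0o100600, 0),      # safe: root-owned, mode 0600
    "/etc/mail/certs/ClntKey-grp.pem": (0o100640, 0),  # unsafe: group-readable
    "/var/tmp": (0o41777, 0),                           # unsafe: world-writable dir
    "/var/tmp/ClntKey.pem": (0o100600, 0),
}

def fake_stat(tree):
    def _stat(p):
        if p not in tree:
            raise FileNotFoundError(2, "No such file or directory", p)
        return os.stat_result((tree[p][0], 0, 0, 1, tree[p][1], 0, 0, 0, 0, 0))
    return _stat
```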

But, even if all goes well this far, there is still a chance that the SSL software will reject the certificate, and sendmail will log the following:

STARTTLS=client, error: SSL_CTX_use_PrivateKey_file(path=) failed

This error means the key doesn't belong to the certificate, or that the key was encrypted.

The ClientKeyFile option is not safe. If specified from the command line, it can cause sendmail to relinquish its special privileges.
