[imp] What to do about the root of our certificate chain?

Otto Stolz Otto.Stolz at uni-konstanz.de
Tue May 23 09:54:06 PDT 2006


Hello,

horde/imp/test.php tells me that the root CA in our certificate chain is
unknown:
>     * Trying protocol imap/ssl, Port 993:
>           ERROR - The server returned the following error message:
> Certificate failure for popserver.uni-konstanz.de: self signed certificate
> in certificate chain: /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
> Classic - G01

Consequently, it recommends the imap/ssl/novalidate-cert protocol.
I'd rather use the imap/ssl protocol, so all certificates are checked
against the certificate chain, back to the root CA.

I do not really understand the error message quoted above.
- I thought that Imp contacts the IMAP server which presents a certificate
   to Imp so it can check that it is contacting the real server (and no
   fake IMAP server). But then, which server tells Imp that the CA
   chain is broken?
- Or is it so that Imp has to present a certificate to the IMAP server
   so it can be sure that the right client is requesting its services?

In the 1st case, the question does arise: Where is the list of root CAs
Imp is consulting, and how can I add to it the CA in charge of us?

In the 2nd case, the question is: Where do I have to put the certificate
Imp should present to the server? (And I would have to ask the colleague
in charge of the IMAP server to add the root CA to his list.)

My environment:
   IMP: H3 (4.1.1) (installation currently under development)
   Horde: 3.1.1
   Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.7e PHP/4.4.2
   SunOS 5.9

Of course, I have tried to find the answers in the horde-3.1.1/docs/INSTALL,
horde-3.1.1/docs/SECURITY, imp-h3-4.1.1/docs/INSTALL sources, in the
Horde Administrator FAQ, in the Horde Wiki, and in the Imp-List archives --
to no avail.

Thank you in advance for any enlightenment.

Best wishes,
   Otto Stolz
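
The error text quoted in the message is the one OpenSSL gives for verification error 19, where the presented chain ends in a self-signed root that the verifying side has no trust anchor for. The following added example (not part of the original post) reproduces that result with a constructed two-certificate chain and shows it clearing once the root is placed in the verifier's CA file. The names `Constructed Root CA` and `imap.example.test` are made up, and OpenSSL 1.1.0 or later is assumed for the `-no-CAfile` and `-no-CApath` options.

```shell
#!/bin/sh
# Added example. All certificates are constructed here; none is the DFN-PKI chain.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_chain() {  # root.pem: self-signed CA; server.pem: leaf signed by that root
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=imap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/server.csr" -days 1 -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}

# Root supplied only as part of the presented chain (-untrusted), with no
# trust store: the chain ends at a self-signed certificate nobody vouches for.
verify_root_unknown() {
  openssl verify -no-CAfile -no-CApath \
    -untrusted "$WORK/root.pem" "$WORK/server.pem" 2>&1
}

# Same chain, but the root is now in the verifier's CA file.
verify_root_trusted() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" 2>&1
}

make_chain || exit 1
echo "--- root not in trust store ---"; verify_root_unknown || true
echo "--- root added to trust store ---"; verify_root_trusted
```

The verification result depends only on the trust store of the side doing the checking; the server certificate and chain are identical in both runs.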

