[imp] What to do about the root of our certificate chain?

Amith Varghese amith at xalan.com
Wed Aug 2 06:34:20 PDT 2006


Quoting Cliff Green <green at umdnj.edu>:

> On 05/23/2006, Otto Stolz wrote about [imp] What to do about the root
> of our certificate chain?:
>
>> Hello,
>>
>> horde/imp/test.php tells me, that the root CA in our certificate chain is
>> unknown:
>>>  * Trying protocol imap/ssl, Port 993:
>>>        ERROR - The server returned the following error message:
>>> Certificate failure for popserver.uni-konstanz.de: self signed certificate
>>> in certificate chain: /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
>>> Classic - G01
>>
>> Consequently, it recommends the imap/ssl/novalidate-cert protocol.
>> I'd rather use the imap/ssl protocol, so all certificates are checked
>> against the certificate chain, back to the root CA.
>
> This is what we do - in my servers.php, all imap servers (UW-IMAP as
> well as iPlanet Messaging Server) use 'protocol' => 'imap/ssl'.
>
> There should be a certs directory defined for OpenSSL, and that's
> where you need to put the PEM formatted version of your imap server's
> cert (or certs, if there's more than one cert or server).  On a Red
> Hat box, that's usually predefined as /usr/share/ssl/certs.  If you
> built OpenSSL yourself, it's probably in someplace like
> /usr/local/ssl/certs (that's where we put them when we ran Horde on a
> Solaris box).  You need to determine this.
>
> For our iPlanet server, I just have the certificate portion (the part
> between and including the '-----BEGIN CERTIFICATE-----' and '-----END
> CERTIFICATE-----' lines;  this is signed by a well-known, public
> hierarchy CA.  For our UW-IMAP servers, we use our own, self-signed
> certs, and include both the cert and private key components in the pem
> file in the certs directory;  in other words, we just copied the PEM
> file from the certs directory on the host the imap daemon is on.

This is an older thread (from May of this year), and I'm only getting
to this now.  What name do you give the PEM files in
/usr/share/ssl/certs?  I've tried imapd.pem but when I run the mailbox
check in test.php I get the following error:

     ERROR - The server returned the following error message:

     Certificate failure for mail.xxxxxxxx.com: invalid CA certificate:
     /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
     CA Root

In imapd.pem I have my private key, my server certificate, and the
intermediary and root CA certificates.  I'm following the advice of
this thread:

http://blog.gmane.org/gmane.mail.imap.uw.c-client/month=20040701
(See messages 3-5 on this page)

Thanks for any assistance you can give.

Amith
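As an added illustration of the setup the thread describes (not code from the thread or from Horde/IMP): OpenSSL's certs directory is searched by subject hash, so a bundle like the imapd.pem above is split into one file per certificate, the private key is kept out of the trust directory, and each CA cert gets a `<hash>.0` link. The certs directory path and the sample bundle are assumptions; the base64 bodies are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not from the thread or from Horde/IMP. Splits a combined PEM
# bundle (key + server cert + CA certs) into one file per certificate, leaving
# the private key out of the trust directory, then creates the <subject-hash>.0
# symlinks OpenSSL's CApath lookup expects (that step needs the openssl tool).
# The certs directory is whatever OpenSSL was built with, e.g. /usr/share/ssl/certs.

# make_sample_bundle FILE: write a constructed bundle. The base64 bodies are
# placeholders only, not real key or certificate material.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZIC0gQ09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgU0VSVkVSIENFUlQgLSBDT05TVFJVQ1RFRA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0EgQ0VSVCAtIENPTlNUUlVDVEVE
-----END CERTIFICATE-----
EOF
}

# split_certs BUNDLE OUTDIR: copy only CERTIFICATE blocks, one per file, and
# print how many were written. PRIVATE KEY blocks are never copied.
split_certs() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem"; keep = 1 }
        keep { print > f }
        /^-----END CERTIFICATE-----/   { keep = 0; close(f) }
        END { print n + 0 }' "$1"
}

# hash_links CERTSDIR: create the <hash>.0 link for every *.pem in the directory
# and print the number made. The hash algorithm changed in OpenSSL 1.0.0, so run
# this with the same openssl the IMAP client library (c-client) is linked against.
hash_links() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl missing" >&2; echo 0; return 0; }
    n=0
    for c in "$1"/*.pem; do
        h=$(openssl x509 -noout -hash -in "$c" 2>/dev/null) || continue
        ln -sf "$(basename "$c")" "$1/$h.0" && n=$((n + 1))
    done
    echo "$n"
}

# verify_chain CERTSDIR SERVER_CERT: approximates the check imap/ssl performs.
verify_chain() { openssl verify -CApath "$1" "$2"; }
```

With the placeholder bodies `hash_links` makes no links; with real certificates it produces the `<hash>.0` names that the directory is searched by.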
