[imp] What to do about the root of our certificate chain?
Jan Schneider
jan at horde.org
Wed Aug 2 08:20:01 PDT 2006
Zitat von Amith Varghese <amith at xalan.com>:
> Quoting Cliff Green <green at umdnj.edu>:
>
>> On 05/23/2006, Otto Stolz wrote about [imp] What to do about the root
>> of our certificate chain?:
>>
>>> Hello,
>>>
>>> horde/imp/test.php tells me that the root CA in our certificate chain is
>>> unknown:
>>>> * Trying protocol imap/ssl, Port 993:
>>>> ERROR - The server returned the following error message:
>>>> Certificate failure for popserver.uni-konstanz.de: self signed certificate
>>>> in certificate chain: /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
>>>> Classic - G01
>>>
>>> Consequently, it recommends the imap/ssl/novalidate-cert protocol.
>>> I'd rather use the imap/ssl protocol, so all certificates are checked
>>> against the certificate chain, back to the root CA.
>>
>> This is what we do - in my servers.php, all imap servers (UW-IMAP as
>> well as iPlanet Messaging Server) use 'protocol' => 'imap/ssl'.
>>
>> There should be a certs directory defined for OpenSSL, and that's
>> where you need to put the PEM formatted version of your imap server's
>> cert (or certs, if there's more than one cert or server). On a Red
>> Hat box, that's usually predefined as /usr/share/ssl/certs. If you
>> built OpenSSL yourself, it's probably in someplace like
>> /usr/local/ssl/certs (that's where we put them when we ran Horde on a
>> Solaris box). You need to determine this.
>>
>> For our iPlanet server, I just have the certificate portion (the part
>> between and including the '-----BEGIN CERTIFICATE-----' and '-----END
>> CERTIFICATE-----' lines; this is signed by a well-known, public
>> hierarchy CA. For our UW-IMAP servers, we use our own, self-signed
>> certs, and include both the cert and private key components in the pem
>> file in the certs directory; in other words, we just copied the PEM
>> file from the certs directory on the host the imap daemon is on.
>
> This is an older thread (from May of this year), and I'm only getting
> to this now. What name do you give the PEM files in
> /usr/share/ssl/certs? I've tried imapd.pem but when I run the mailbox
> check in test.php I get the following error:
>
> ERROR - The server returned the following error message:
>
> Certificate failure for mail.xxxxxxxx.com: invalid CA certificate:
> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
> CA Root
>
> In imapd.pem I have my private key, my server certificate, and the
> intermediary and root CA certificates. I'm following the advice of
> this thread:
>
> http://blog.gmane.org/gmane.mail.imap.uw.c-client/month=20040701
> (See 3-5 message on this page)
>
> Thanks for any assistance you can give.
You need to create hash symlinks, check the openssl documentation.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
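The hash symlinks Jan refers to are what OpenSSL's CApath lookup needs: when a client validates a chain, it looks for the issuer's CA certificate in the certs directory under the file name <subject-name-hash>.0 (then .1, .2, ... for collisions), not under an arbitrary name such as imapd.pem. The script below is an added example written for this thread, not code from Horde, IMP or the OpenSSL project; it recreates what OpenSSL's c_rehash tool does for a directory of PEM files and then checks the result with openssl verify. The directory path, the rehash_certs/verify_chain function names and the constructed test root are assumptions made for the example; it requires the openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build the OpenSSL "hash symlinks" for a
# CA certificate directory, the way c_rehash does, so that a client verifying
# a chain with CApath=<dir> can find the root and intermediate CA certs by
# subject-name hash.  Assumes `openssl` is on PATH.
set -eu

# Print the subject-name hash OpenSSL uses to look up a PEM certificate.
# Fails (non-zero) if the file holds no certificate, e.g. a bare private key.
cert_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Create <hash>.N symlinks for every *.pem / *.crt file in DIR.
# N starts at 0 and is incremented when two certificates share a hash
# (e.g. the old and the new certificate of the same CA), as c_rehash does.
# Running it twice is harmless: existing links to the same file are kept.
rehash_certs() {
    dir=$1
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if ! h=$(cert_hash "$f" 2>/dev/null); then
            echo "skip $f: no certificate found" >&2
            continue
        fi
        n=0
        linked=0
        while [ -e "$dir/$h.$n" ]; do
            if [ "$(readlink "$dir/$h.$n")" = "$(basename "$f")" ]; then
                linked=1      # already linked: nothing to do
                break
            fi
            n=$((n + 1))
        done
        if [ "$linked" -eq 0 ]; then
            ln -s "$(basename "$f")" "$dir/$h.$n"
        fi
    done
}

# Count the <hash>.N symlinks present in DIR (used to check the result).
count_hash_links() {
    find "$1" -maxdepth 1 -type l -name '[0-9a-f]*.[0-9]*' | wc -l | tr -d ' '
}

# Verify a certificate (chain) file against the CA directory, which is what
# OpenSSL does on behalf of IMP's imap/ssl mode.  Returns 0 on success.
verify_chain() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage: sh rehash.sh /usr/share/ssl/certs server-chain.pem
if [ "$#" -eq 2 ]; then
    rehash_certs "$1"
    verify_chain "$1" "$2" && echo "chain verifies against $1"
fi
```

Only the CA certificates (root and intermediates) need to live in this directory; a private key placed there is ignored by the lookup, which is why the script skips files that contain no certificate. OpenSSL 1.0.0 changed the subject-hash algorithm, so the c_rehash shipped with 1.0.x creates links for both the new hash and -subject_hash_old; this example writes only the hash the installed openssl reports, which is what that same installation will look for.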