[imp] What to do about the root of our certificate chain?

Cliff Green green at umdnj.edu
Tue Aug 8 08:24:57 PDT 2006


(sorry for the delay in replying - I've been out of town and just read 
this... )

Amith Varghese wrote:
[snip]
> This is an older thread (from May of this year), and I'm only getting 
> to this now.  What name do you give the PEM files in /usr/share/ssl/certs?
I tend to name them after their server;  something like:
server1_imapd.pem
server2_imapd.pem
etc....

But this is just my own convention, there's nothing sacred about it;  in 
our case, I have five.
> I've tried imapd.pem but when I run the mailbox check in test.php I 
> get the following error:
>
>     ERROR - The server returned the following error message:
>
>     Certificate failure for mail.xxxxxxxx.com: invalid CA certificate
That kind of says it all:  "invalid CA certificate".  Check to see if 
it's properly constructed, not out of date, and not corrupted.
> :
>     /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>
> In imapd.pem I have my private key, my server certificate, and the 
> intermediary and root CA certificates.  I'm following the advice of 
> this thread:
>
> http://blog.gmane.org/gmane.mail.imap.uw.c-client/month=20040701
> (See 3-5 message on this page)
That thread discusses how c-client checks the cert on the imap server.  
That *also* needs to be set up properly, and you can easily check that 
with any other imap client that can handle imaps (e.g., Thunderbird).  
You have to distinguish between imp as a client and the distal imap 
server;  both need to have the imap server's cert, though obviously only 
the imap server will have its private key (per the UW imapd 
instructions).  That thread discusses what has to go on your imap 
server;  the files on your Horde server will be copies of those files 
(cert and private key concatenated into one PEM file, then symlinked to 
the hash of the cert).

c
-- 
Cliff Green
BS&T/IST
UMDNJ
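
The checks this reply describes (the certificate parses and is in date, the private key belongs to it, and the bundle is reachable under its hash name), as an added shell example that is not part of the original message. It assumes the `openssl` command-line tool; the host name, file names and temporary directory are constructed, and the `.0` suffix is OpenSSL's usual hashed-directory naming rather than something the message states.

```shell
#!/bin/sh
# Added example: sanity checks for a key+cert PEM bundle of the kind described above.
# Host name, file names and the temp directory are constructed placeholders.

# Succeeds if the certificate in the PEM parses and has not expired.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Succeeds if the private key in the PEM belongs to the certificate in it.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Creates <subject-hash>.0 -> PEM in the same directory and prints the link name.
# (.0 is OpenSSL's hashed-directory suffix; an assumption, not from the message.)
link_by_hash() {
    dir=$(dirname "$1")
    hash=$(openssl x509 -in "$1" -noout -hash) || return 1
    ln -sf "$(basename "$1")" "$dir/$hash.0"
    printf '%s\n' "$hash.0"
}

# Constructed demo: throwaway self-signed cert for a placeholder host.
demo() {
    work=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mail.example.com" \
        -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1 || return 1
    # Private key and certificate concatenated into one PEM, readable by owner only.
    cat "$work/key.pem" "$work/cert.pem" > "$work/server1_imapd.pem"
    chmod 600 "$work/server1_imapd.pem"
    cert_is_current "$work/server1_imapd.pem" || return 1
    key_matches_cert "$work/server1_imapd.pem" || return 1
    link=$(link_by_hash "$work/server1_imapd.pem") || return 1
    # The hashed name must resolve to a readable certificate.
    openssl x509 -in "$work/$link" -noout -subject
}

demo
```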


