>>>>> On Sat, 11 Aug 2001 10:38:57 -0500,
>>>>> Amos Gouaux <[EMAIL PROTECTED]> (ag) writes:
ag> Has anybody installed a Verisign cert for SSL/TLS? Is this
ag> possible? We're planning on doing this so that there aren't client
ag> headaches with a locally signed cert.
I've gotten a bit further, now that I've had some time to tinker
with it. This is what I've got so far:
/etc/imapd.conf:
# pem file of server key
tls_key_file: /usr/local/ssl/certs/server.pem
# cert from verisign
tls_cert_file: /usr/local/ssl/certs/server-cert.cer
# this is from the certs directory of openssl-0.9.6b
tls_ca_path: /usr/local/ssl/certs
tls_ca_file: /usr/local/ssl/certs/vsignss.pem
Though, I *still* have to use "/ssl/novalidate-cert" with PINE. I
think it is because of the following:
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
From what I've gathered so far, I need some way to specify
the "certificate chain". I believe this is the related info, from
the mod_ssl FAQ:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC39:
That is because Verisign uses an intermediate CA certificate between
the root CA certificate (which is installed in the browsers) and the
server certificate (which you installed in the server). You should
have received this additional CA certificate from Verisign. If not,
complain to them. Then configure this certificate with the
SSLCertificateChainFile directive in the server. This makes sure the
intermediate CA certificate is sent to the browser and this way
fills the gap in the certificate chain.
So I wonder if imapd.conf needs to have a setting for this chain file???
--
Amos
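The gap the mod_ssl FAQ describes, reproduced and then closed with the openssl command-line tool. This is an added example and not code from the thread or from Cyrus: it builds a throw-away root -> intermediate -> server PKI (all "Test ..." subjects, key files and the imap.example.test name are constructed), shows that the leaf alone cannot be linked to the root, and builds a leaf-plus-intermediate chain file that does verify. It assumes the openssl binary is on PATH and that the server reads a chain (leaf first, then the intermediate) from its certificate file, which is the layout Apache's SSLCertificateChainFile and later servers expect; whether a given Cyrus version does so is not something this thread settles.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the missing-intermediate
# gap with openssl and check a chain file before pointing a server at it.
# Everything here (subjects, file names, validity) is constructed for the demo.
set -eu

# Minimal req config so `openssl req` works even without a system openssl.cnf.
write_req_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
}

# Generate a private key and CSR for the given CN: gen_csr DIR NAME CN
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}

# Build a test PKI in DIR: self-signed root, intermediate signed by the root,
# server certificate signed by the intermediate. Extensions are given
# explicitly so both CA certificates carry basicConstraints CA:TRUE.
make_test_pki() {
    d=$1
    write_req_cnf "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' > "$d/leaf.ext"
    gen_csr "$d" root "Test Root CA"
    gen_csr "$d" intermediate "Test Intermediate CA"
    gen_csr "$d" server "imap.example.test"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -set_serial 1 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -days 1 -set_serial 2 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
        -days 1 -set_serial 3 -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
}

# What a client that trusts only the root sees when the server sends just the
# leaf: no path to a trust anchor. Exit status 0 only if the leaf verifies.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# The file the server should present: leaf first, then the intermediate.
# The root is deliberately left out; it already lives in the client's trust store.
build_chain() {
    cat "$1/server.pem" "$1/intermediate.pem" > "$1/server-chain.pem"
}

# Verify the leaf with the chain file supplied as untrusted helper certificates.
# Run this against the chain file before deploying it.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/server-chain.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

# Demo when executed directly.
workdir=$(mktemp -d)
make_test_pki "$workdir"
if verify_leaf_only "$workdir"; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "leaf alone: verify fails, the intermediate is missing from the chain"
fi
build_chain "$workdir"
if verify_with_chain "$workdir"; then
    echo "leaf + intermediate: verify OK, chain file is $workdir/server-chain.pem"
else
    echo "chain file does not verify; do not deploy it"
fi
```

Without the intermediate, `openssl verify` reports that it cannot get a local issuer certificate, which is the same missing link that makes a client see an untrusted chain; once the chain file verifies against the root alone (with nothing else in `-untrusted`), the server is sending everything the client needs.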