From: Amos Gouaux <[EMAIL PROTECTED]>
Date: Sun, 19 Aug 2001 12:41:38 -0500
> # this is from the certs directory of openssl-0.9.6b
> tls_ca_path: /usr/local/ssl/certs
> tls_ca_file: /usr/local/ssl/certs/vsignss.pem
>
> Though, I *still* have to use "/ssl/novalidate-cert" with PINE. I
> think it is because of the following:
>
> depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
>
> What I've gathered so far is that I need some way to specify
> the "certificate chain". I believe this is the related info, from
> the mod_ssl FAQ:
>
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC39:
>
> That is because Verisign uses an intermediate CA certificate between
> the root CA certificate (which is installed in the browsers) and the
> server certificate (which you installed in the server). You should
> have received this additional CA certificate from Verisign. If not,
> complain to them. Then configure this certificate with the
> SSLCertificateChainFile directive in the server. This makes sure the
> intermediate CA certificate is sent to the browser and this way
> fills the gap in the certificate chain.
>
> So I wonder if imapd.conf needs to have a setting for this chain file???
Cyrus will correctly send the intermediate cert if it's in the
tls_ca_path. I would remove the definition of tls_ca_file (I've never
needed it).
If /usr/local/ssl/certs doesn't contain the intermediate cert, you'll
have to install it there. It will also need the OpenSSL hash
symbolically linked to it. You can find out what the right filename
is by doing
openssl x509 -in <certfile> -hash
At the top of the output, you'll see something like:
d6e6472d
Link "d6e6472d.0" to the actual cert file.
(Personally, I think that the error Pine is giving you is because it
doesn't view the Verisign root certificate as trusted, but I don't
know for sure.)
Larry
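As an added illustration of the hash-link procedure Larry describes (this is not code from the thread, from Cyrus or from OpenSSL's own tooling), the following POSIX shell script builds a hashed CA directory of the kind tls_ca_path points at and shows which OpenSSL verify error each state of that directory produces. It assumes the openssl command is on PATH; `-subject_hash` is the current name of the `-hash` option quoted above (OpenSSL 1.0.0 changed the hash function, so links created under 0.9.x, now obtainable with `-subject_hash_old`, do not match a newer library). The root, intermediate and server certificates, their names, and the directory layout are all constructed by the script; none of them is a real Verisign certificate. Error 19 is the self-signed-root-not-trusted case from Amos's log; error 20 is the missing-intermediate case.

```shell
#!/bin/sh
# Added example, not part of the original thread: build the hashed CA
# directory that tls_ca_path (and openssl verify -CApath) expects, one
# <subject-hash>.N symlink per certificate, and show which verify error
# each state of that directory produces.  Assumes the openssl CLI is on
# PATH.  Every certificate is generated here; none is a real Verisign cert.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/certs"

# cert_hash CERT : the filename OpenSSL looks up in a CApath directory.
# -subject_hash is the current name of the -hash option; OpenSSL 1.0.0
# changed the hash, so links made for 0.9.x (-subject_hash_old) must be
# regenerated for a newer library.
cert_hash() {
    openssl x509 -in "$1" -noout -subject_hash
}

# make_hash_link CERT DIR : link DIR/<hash>.N to CERT, N = first free suffix,
# and print the link name.  CERT must be an absolute path.
make_hash_link() {
    cert=$1; dir=$2
    mkdir -p "$dir"
    h=$(cert_hash "$cert")
    n=0
    while [ -e "$dir/$h.$n" ] || [ -L "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$dir/$h.$n"
    echo "$h.$n"
}

# verify_code DIR LEAF [UNTRUSTED] : print OpenSSL's X509 verify error number
# for LEAF against the trust anchors in DIR (0 = OK).  UNTRUSTED plays the
# role of the chain a server sends.  19 = the chain ends in a self-signed
# cert that is not in DIR; 20 = the leaf's issuer was not found anywhere.
verify_code() {
    dir=$1; leaf=$2; untrusted=${3:-}
    if [ -n "$untrusted" ]; then
        out=$(openssl verify -CApath "$dir" -untrusted "$untrusted" "$leaf" 2>&1) && { echo 0; return 0; }
    else
        out=$(openssl verify -CApath "$dir" "$leaf" 2>&1) && { echo 0; return 0; }
    fi
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# make_test_pki : constructed root CA -> intermediate CA -> server cert, under $WORK.
make_test_pki() {
    cfg="$WORK/ext.cnf"
    cat >"$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$cfg" -extensions ca_ext -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Root CA" -days 30 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$cfg" -extensions ca_ext \
        -out "$WORK/inter.pem" 2>/dev/null
    openssl req -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=imap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 30 -extfile "$cfg" -extensions leaf_ext \
        -out "$WORK/server.pem" 2>/dev/null
}

demo() {
    make_test_pki
    mkdir -p "$CA_DIR"
    # what a server that ships its whole chain, root included, would send
    cat "$WORK/inter.pem" "$WORK/root.pem" >"$WORK/chain.pem"
    echo "empty tls_ca_path, chain from server:  error $(verify_code "$CA_DIR" "$WORK/server.pem" "$WORK/chain.pem")"
    make_hash_link "$WORK/root.pem" "$CA_DIR" >/dev/null
    echo "root linked, intermediate missing:     error $(verify_code "$CA_DIR" "$WORK/server.pem")"
    make_hash_link "$WORK/inter.pem" "$CA_DIR" >/dev/null
    echo "root and intermediate linked:          error $(verify_code "$CA_DIR" "$WORK/server.pem")"
    ls -l "$CA_DIR"
}
demo
```

For a whole directory, `openssl rehash DIR` (OpenSSL 1.1.0 and later) or the older c_rehash script does the same linking in one go and creates both the new and the old hash names, which is the simplest way to keep tls_ca_path usable across an OpenSSL upgrade. Note that the first verify run reproduces Amos's error 19 exactly: the chain the server sends is complete but ends in a root the verifier does not trust, which is the situation Larry suspects with Pine, whereas a genuinely missing intermediate shows up as error 20.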