Problems installing ssl certificate for cyrus imap

Goetz Babin-Ebell goetz at shomitefo.de
Tue Sep 27 03:02:44 EDT 2005


Nicole Skyrca wrote:

> Right now I'm trying to solve the problem of why I see the
> "unable to get local issuer certificate" messages when running the
> openssl s_client command.  I'm not that familiar with ssl (or imap) and I
> don't know if this is normal or not, or if ssl is working properly.
> Comodo sent an intermediate CA certificate
> along with the signed ssl certificate, that I don't know what to do
> with.

In SSL the client verifies (or should verify) the server's certificate
against a list of locally trusted CA certificates.
Only if this verifies correctly is the SSL handshake OK.

To do a correct verify, the client needs to know the root CA cert.

To tell s_client the CA cert, you should store the root cert
(CN=GTE CyberTrust Global Root) in a file (let's call it cybertrust.pem)
and use this file with s_client:

openssl s_client -connect imap:993 -CAfile cybertrust.pem -verify 10

If that verifies OK, the server's SSL setup is correct.

You need the intermediate CA certificate on the server.
It must send it back to the client so the client can build the
certificate chain.

The server doesn't need to send the root CA cert
(and thereby have it configured in its CA cert list).

> On Mon, 26 Sep 2005, Nicole Skyrca wrote:
>>
>> I am still seeing
>>some errors like "unable to verify first certificate".

That is because the s_client has no data to
verify the certificate chain.

>> The certificate that we purchased has an intermediate certificate.
>> Have you ever dealt with an intermediate certificate before?  I tried
>> to replace the tls_ca_file value with a file containing that intermediate
>> certificate that I received with the signed certificate, and I didn't see
>> the error anymore.  I don't know if that is going to cause any
>> problems though.

That is OK.

>> This is what I get when I replace tls_ca_file with the intermediate
>> certificate:
>>[root at mailtest certs]# openssl s_client -connect imap:993
>>CONNECTED(00000003)
>>depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
>>Inc./CN=GTE CyberTrust Global Root
>>verify error:num=19:self signed certificate in certificate chain
>>verify return:0

This indicates that the client doesn't know the root cert
the server sent.

You can remove the root cert from the tls_ca_file and the
handshake should work without problems
(if the client has the root configured).

Bye

Goetz

-- 
DMCA: The greed of the few outweighs the freedom of the many
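Added example, not part of the thread above or of Cyrus: a throwaway script that
builds a root -> intermediate -> server chain with openssl and reproduces the two
verify errors discussed (error 20 "unable to get local issuer certificate" and
error 19 "self signed certificate in certificate chain"). It uses "openssl verify"
instead of s_client so it runs offline: "-untrusted FILE" stands in for what the
server sends, "-CAfile FILE" for the client's locally trusted roots. It assumes
openssl 1.1.1 or later is on PATH; every name, file and key size is made up.

```shell
#!/bin/sh
# Added example, not from the original thread: build a throwaway
# root -> intermediate -> server chain and reproduce the verify errors
# discussed above. Assumes openssl (1.1.1+) on PATH; all names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Issue one certificate named $1: its CSR is signed by CA cert $2 / key $3,
# or by its own key when $2 is "self". Extensions are read from file $4.
issue() {
    name=$1; ca=$2; cakey=$3; ext=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    if [ "$ca" = self ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 -sha256 \
            -extfile "$ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$ca" -CAkey "$cakey" -CAcreateserial \
            -days 2 -sha256 -extfile "$ext" -out "$name.pem" 2>/dev/null
    fi
}

make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > leaf.ext
    issue root self - ca.ext                    # self-signed root: what the client must trust
    issue inter root.pem root.key ca.ext        # intermediate: what the CA ships alongside
    issue server inter.pem inter.key leaf.ext   # the IMAP server's own certificate
}

# Each scenario prints openssl's output and returns its exit status (0 = verified).

# 1. Server sends only its own cert; client trusts the root.
#    Chain stops at depth 0: error 20, unable to get local issuer certificate.
verify_leaf_only() {
    openssl verify -CAfile root.pem server.pem 2>&1
}

# 2. Server also sends the intermediate; client trusts the root.
#    server -> inter -> root (trusted): OK. This is the correct setup.
verify_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted inter.pem server.pem 2>&1
}

# 3. Server sends intermediate AND root, but the client trusts neither.
#    The chain ends at a self-signed cert nobody trusts: error 19 at depth 2,
#    the output quoted in the thread.
verify_untrusted_root() {
    cat inter.pem root.pem > sent_by_server.pem
    openssl verify -untrusted sent_by_server.pem server.pem 2>&1
}

make_chain
echo "--- leaf only, root trusted (expect error 20):"
verify_leaf_only || true
echo "--- leaf + intermediate, root trusted (expect OK):"
verify_with_intermediate
echo "--- leaf + intermediate + root, nothing trusted (expect error 19):"
verify_untrusted_root || true
```

Scenario 2 is the state the reply recommends: the server's tls_ca_file makes it send
the intermediate, the client supplies the root itself. Scenario 3 shows that sending
the root as well does not help a client that lacks it, which is what the quoted
"depth=2 ... num=19" output was saying.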