tls engine certs signed by Chained Certificate of Authority

Paul Pruett ppruett at webengr.com
Sat Nov 11 17:15:50 EST 2006


I was able to get tls to work with a self signed certificate,
so I can get tls to work with IMAP if the cert file matches
the key file.  But it is not signed by a trusted CA.

Next step is to find a cheap Certificate of Authority.
Registerfly will sign certificates for under $9.99 a year retail,
less if you set up an agreement... but there is a catch.
They use a Chained Certificate of Authority.
These cheap ssl certificates are "chained" as I understand it.
The "registerfly" certificate was signed by
another Certificate of Authority that is mostly already known
to applications, in the ca-bundle.crt. Then they use their key
that matched that cert to sign ours for $9.99

The registerfly certificate worked with apache https, so long
as the two ca-certs included in the purchase are added to either
the directory for CA or a ca file.  Unlike a non-chained one, you
do need to put the information in a ca file or it won't work,
because the registerfly ca is not in the default ca bundle.

Okay so far so good.....

I had to buy an SSL cert for the web mail interface already so
might as well use it for the mail.


If I set
tls_ca_file: ca.pem
    (has at least two certs for ca provided)
tls_cert_file:  paidcert.pem
    (the file with the signed cert received from registerfly)
tls_key_file:  mykey.pem
    (the file key I first made and used with csr request)

BUT the TLS engine cannot load the cert/key because it can't get the 
private key to match the certificate for registerfly as I understand it.

example from log

unable to get private key from '-path-/mykey.pem'
Nov 11 18:07:10 mail imap[30456]: TLS server engine: cannot load cert/key data

I hacked some variations on the files trying to get imap applications to
realize the root was not the cert for registerfly, but the cert that
registerfly gave me, and then use server key for that cert...
but it seems that from the log I cannot get the TLS engine to pick
the right cert to find key for.

OR I just do not know how to configure for a Chained Certificate of 
Authority.

to repeat...  the $9.99 CERT and CA's provided did work with apache
mod-ssl, and a selfsigned worked.  And on another server I have a GeoTrust
signed cert and it works with IMAP-UW and apache/mod-ssl but that was not
chained.

So any ideas, is this a bug/feature of IMAP and the TLS engine will not
work with chained certificate of authorities?  or is it just more likely
I made configuration errors?


tia.
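Two checks worth running before blaming the TLS engine, as an added example that is not part of the original post: one confirms that the cert file and key file actually belong together (the "unable to get private key" line is what a mismatch looks like), the other confirms that the CA file holds enough of the chain to validate the server cert. The self-test builds a throwaway root -> intermediate -> server chain with openssl to show that verifying against the root alone fails and succeeds only once the intermediate is in the CA file; all file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for the situation
# described above, plus a self-test that builds a throwaway root ->
# intermediate -> server chain to show why the CA file must carry the
# intermediate as well as the root. File names are assumptions; every key
# and certificate is constructed on the fly with openssl (no network).

# 0 when the certificate's public key is derived from the private key, i.e.
# the cert file and key file belong together; 1 otherwise. A mismatch is
# what "unable to get private key" in the log looks like.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when the server certificate chains up to a root in the CA file; with a
# chained CA the intermediate must be in that file too, or this fails.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build root.pem -> inter.pem -> server.pem in directory $1 (one-day validity).
build_chain() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=Constructed $n" >/dev/null 2>&1 || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
        -out root.pem >/dev/null 2>&1 &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out inter.pem >/dev/null 2>&1 &&
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 1 -out server.pem >/dev/null 2>&1
)

# Self-test: returns 0 when every check behaves as described above.
selftest() {
    d=$(mktemp -d) || return 1
    build_chain "$d" || return 1
    cert_matches_key "$d/server.pem" "$d/server.key" || return 1   # right key
    cert_matches_key "$d/server.pem" "$d/inter.key"  && return 1   # wrong key
    chain_verifies "$d/root.pem" "$d/server.pem"     && return 1   # root only: fails
    cat "$d/root.pem" "$d/inter.pem" > "$d/ca.pem"
    chain_verifies "$d/ca.pem" "$d/server.pem"       || return 1   # root + intermediate
    rm -rf "$d"
}
```

Run `cert_matches_key paidcert.pem mykey.pem` and `chain_verifies ca.pem paidcert.pem` against the real files; whichever returns non-zero points at the file that needs fixing.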



