Geoff Sweet wrote: [Please do not top-post]
> Oh, ok once I added the -CAfile change the cert verifies without issue.

That's because you installed the intermediate cert on your client; this
should not be required.

> openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995
> -quiet
> depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
> verify return:1
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server
> CA
> verify return:1
> depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> (c)05/CN=pop.x10.com
> verify return:1
> +OK Dovecot ready.
>
> So does that mean I need to install the intermediate cert on all my
> clients that will be accessing this server? That's going to be a bit of
> a PITA...

No, you need to properly install and configure dovecot to see the
intermediate cert on your server. See:

http://www.verisign.com/support/advisories/page_040611.html

The article is quite dated, but might be helpful to you.

-- 
Sahil Tandon <sa...@tandon.net>
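
The difference between the client-side workaround and the server-side fix discussed in this thread, reproduced offline with `openssl verify` on a constructed three-level chain. This is an added example, not part of the original messages; all certificate and file names are made up, and `-untrusted` stands in for the certificates a server sends in the handshake.

```shell
#!/bin/sh
# Added example. Constructed PKI: every name below is made up for the demo.

# Create root -> intermediate -> leaf under directory $1.
build_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null &&
    # Server-side fix: present the leaf followed by the intermediate.
    cat "$d/leaf.pem" "$d/int.pem" > "$d/server-chain.pem" &&
    # Client-side workaround from the thread: intermediate added to -CAfile.
    cat "$d/root.pem" "$d/int.pem" > "$d/client-workaround.pem"
}

# Print "ok" if the first cert in $2 (what the server sends) chains to a trust
# anchor in $1 (what the client trusts); the other certs in $2 are untrusted
# helpers, like the chain a TLS server presents in the handshake.
chain_status() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null |
        grep -q ': OK$'; then echo ok; else echo fail; fi
}

demo() {
    d=$(mktemp -d) || return 1
    build_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "leaf only sent, client trusts root only:   $(chain_status "$d/root.pem" "$d/leaf.pem")"
    echo "leaf only sent, client has intermediate:   $(chain_status "$d/client-workaround.pem" "$d/leaf.pem")"
    echo "leaf+intermediate sent, client trusts root: $(chain_status "$d/root.pem" "$d/server-chain.pem")"
    rm -rf "$d"
}
demo
```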