2009/1/24 Dale Gallagher <dale.gallag...@gmail.com>:
> 2009/1/23 Ask Bjørn Hansen <a...@develooper.com>:
>>
>> On Jan 23, 2009, at 4:41, John Peacock wrote:
>>
>>> From a quick google, I think the solution is that you have to include the
>>> certificate chain in the same file as the server cert itself, in reverse
>>> order (so the CA is first, followed by any intermediate CAs, and the
>>> server cert is last).
>>
>> Yeah - that's how it works in Perlbal (which is using similar-ish code).
>
> I've tried that and various other combinations, but nothing seems to
> work. See below. It's crazy that setting up with chained certs is so
> troublesome, as there seems to be a trend towards only using chained
> certs.
>
> Certs I have:
>
> server.key (server private key)
> server.crt (signed server cert)
> DigiCertCA.crt (intermediate cert)
> TrustedRoot.crt (root cert)
Ok, the truth is somewhere in between! I was getting errors while using the
Sylpheed mail client, which I'd installed to test. It seems it may not have a
built-in list of root certs. The following works with both Thunderbird and
Opera mail clients.

For the above list of DigiCert certs (SSL WildCard Cert), the solution is:

1. Create cert-bundle.pem

This is not in reverse order as per John's post, but server cert first,
intermediate cert second and trusted root last.

cat /path/to/server.crt /path/to/DigiCertCA.crt /path/to/TrustedRoot.crt > cert-bundle.pem

2. Configure the 'tls' line in ./config/plugins

tls /path/to/cert-bundle.pem /path/to/server.key /path/to/DigiCertCA.crt

There are so many variations in how different applications/servers read certs
that it becomes rather confusing!

Thanks for all the responses.

Dale
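The bundling step above, as an added example that is not part of the thread: a script that builds cert-bundle.pem in the order Dale settled on and then checks it with openssl. It assumes openssl is installed; the three-level chain it uses is a throwaway test CA generated locally (the CN values and mail.example.test are made up), reusing the thread's file names.

```shell
# Added example, not from the thread: build cert-bundle.pem in the order Dale
# settled on (server cert, then intermediate, then root) and check the result.
# A throwaway chain is generated locally so this runs offline; file names mirror the thread.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_test_chain() {   # constructed test CA: RSA-2048 keys, one-day validity
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
        -keyout root.key -out TrustedRoot.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -days 1 -in inter.csr -CA TrustedRoot.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out DigiCertCA.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -days 1 -in server.csr -CA DigiCertCA.crt -CAkey inter.key \
        -CAcreateserial -extfile leaf.ext -out server.crt 2>/dev/null
}
build_bundle() {   # the ordering from the thread: server cert first, root last
    cat "$WORK/server.crt" "$WORK/DigiCertCA.crt" "$WORK/TrustedRoot.crt" > "$WORK/cert-bundle.pem"
}
# Check 1: the first PEM block (the only one 'openssl x509' reads, and the one
# presented to clients as the server cert) is the cert belonging to server.key.
first_cert_matches_key() {
    [ "$(openssl x509 -in "$WORK/cert-bundle.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}
# Check 2: each cert's issuer is the subject of the next cert in the file, so the
# bundle really runs server -> intermediate -> root rather than the reverse.
bundle_order_ok() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/cert-bundle.pem" \
      | openssl pkcs7 -print_certs -noout \
      | awk 'BEGIN { n = 0 }
             /^subject=/ { s[n] = substr($0, 9) }
             /^issuer=/  { i[n] = substr($0, 8); n++ }
             END { for (j = 0; j < n - 1; j++) if (i[j] != s[j + 1]) exit 1 }'
}
# Check 3: the chain verifies from the server cert, via the untrusted
# intermediate, to the trusted root (what a client that only knows the root does).
chain_verifies() {
    openssl verify -CAfile "$WORK/TrustedRoot.crt" \
        -untrusted "$WORK/DigiCertCA.crt" "$WORK/server.crt" >/dev/null
}

make_test_chain; build_bundle
first_cert_matches_key; bundle_order_ok; chain_verifies   # set -e aborts on the first failure
echo "cert-bundle.pem: ordered server -> intermediate -> root and verifies"
```

To check a real bundle, point the three check functions at the production files instead of the generated ones; a bundle with the root first fails check 1 and check 2.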