I then configured my courier-imap daemon to use this cert. *BEFORE* I
imported my new CA cert into Thunderbird, I tried to fetch my mail.
T-Bird, of course, complained about a cert that it couldn't verify.
When I click on "Examine Certificate..." the dialog box tells me that
it can't verify it because it doesn't know who issued it.

THEN... I imported the cacert.pem into T-Bird's "Authorities" section
and I click all three boxes "This certificate can identify websites",
"...identify mail users", and "...identify software makers". Then, I
try to fetch my mail again and T-Bird complains that it can't verify
the cert. I click on "Examine Certificate..." and THIS time, it says
"Could not verify this certificate for unknown reasons".

Hmm, I would have expected a better error code here. Things that could be wrong when verifying a certificate:

1) The steps you took in Thunderbird to trust the certificate trust the certificate as a CA (not an SSL 'peer' certificate). That means if you used that certificate itself as the cert for your imap daemon, then Thunderbird wouldn't necessarily trust it as an SSL peer. You need to issue a new certificate subordinate to your CA certificate as your SSL certificate (like you suggested you wanted to do in the first paragraph).

2) Your SSL cert doesn't have a CN or Subject AltName which matches the name of your imap host. In this case I would have expected a name mismatch error.

3) Your SSL or CA cert is not valid at this time (either before the 'before date' or after the 'after date'). This could happen because of clock skew between your server and client. In this case I would have expected an error about the cert 'not being valid yet, or the cert being expired'.

4) Your SSL cert has usage extensions which do not include SSL.

5) Your SSL cert has an invalid serial number (most common case: the serial number in your SSL cert is the same as the serial number in your CA). This is an extremely common error when using the OpenSSL suite to generate certificates, as the suite does not generate random serial numbers, but defaults to a serial number of '1'. You should never generate a certificate which has the same issuer and serial number as another existing certificate.


I can only guess that either the CAcert or the cert I signed with it
isn't exactly how it's supposed to look... but I'm at a loss as to how
to find out what the problem is.

Any ideas?

mozilla-crypto mailing list
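
The numbered causes in the reply above can be checked mechanically once both certificates are decoded. The following is an added example, not part of the original thread: it runs causes 1, 2, 3 and 5 over certificate fields held in the dict shape that Python's `ssl.SSLSocket.getpeercert()` uses. The host name, subject names, serials and dates are constructed sample values, and cause 4 (usage extensions) is left out because that dict shape does not carry those extensions.

```python
import ssl

# Constructed sample data in the dict shape of ssl.SSLSocket.getpeercert();
# names, serials and dates are invented for illustration.
CA = {"subject": ((("commonName", "Example Home CA"),),),
      "issuer": ((("commonName", "Example Home CA"),),),
      "serialNumber": "01",
      "notBefore": "Jan  1 00:00:00 2024 GMT",
      "notAfter": "Jan  1 00:00:00 2034 GMT"}
SERVER = {"subject": ((("commonName", "mail.example.test"),),),
          "issuer": CA["subject"],
          "serialNumber": "01",          # same serial as the CA: cause 5
          "notBefore": "Jan  1 00:00:00 2024 GMT",
          "notAfter": "Jan  1 00:00:00 2026 GMT",
          "subjectAltName": (("DNS", "mail.example.test"),)}

def names(cert):
    """DNS SANs if present, otherwise the subject commonName values."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def host_matches(pattern, host):
    p, h = pattern.lower().split("."), host.lower().split(".")
    # A wildcard is honoured only as the whole leftmost label.
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def triage(server, ca, host, now):
    """Return the numbers of the causes from the list above that apply."""
    found = []
    if server["subject"] == server["issuer"]:
        found.append(1)   # self-signed: the CA cert itself used as the server cert
    if not any(host_matches(n, host) for n in names(server)):
        found.append(2)   # no SAN/CN entry matches the host being contacted
    for cert in (server, ca):
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
        if not start <= now <= end and 3 not in found:
            found.append(3)   # outside the validity window (or clock skew)
    same_serial = int(server["serialNumber"], 16) == int(ca["serialNumber"], 16)
    if server["issuer"] == ca["issuer"] and same_serial and server != ca:
        found.append(5)   # issuer + serial collide with the CA's own certificate
    return found

NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
print(triage(SERVER, CA, "mail.example.test", NOW))
```

`now` is passed in rather than read from the clock so the validity check can be repeated with the client's time and the server's time when skew is suspected.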
