In reading through the mailing list, this question seems to have come up before, but never quite answered.

I bought a certificate from Digital Signature Trust which is a well known certificate authority. The reason I bought my certificate, was so that email clients connecting to my imaps server wouldn't be bothered with warnings of unrecognized certificate authority as they would see with a self-signed server certificate. However, I haven't been able to configure dovecot with my Digital Signature Trust signed certificate so that the unrecognized certificate authority warning doesn't appear.

I have the root certificate for Digital Signature Trust, but I don't know where to put it so that dovecot will use it. I tried appending the CA root certificate onto my server's certificate file with no success. The answer here is not, load my server's certificate into thunderbird or outlook express, because that is exactly what I'm trying to avoid by purchasing my certificate from a recognized authority.

Help.

Thanks,
Derek

On 30.7.2004, at 20:59, Mail Admin wrote:

> I have the root certificate for Digital Signature Trust, but I don't know where to put it so that dovecot will use it. I tried appending the CA root certificate onto my server's certificate file with no success.

Just guessing, but maybe placing it in ssl_ca_file helps?

> I bought a certificate from Digital Signature Trust which is a well known certificate authority. The reason I bought my certificate, was so that email clients connecting to my imaps server wouldn't be bothered with warnings of unrecognized certificate authority as they would see with a self-signed server certificate. However, I haven't been able to configure dovecot with my Digital Signature Trust signed certificate so that the unrecognized certificate authority warning doesn't appear. I have the root certificate for Digital Signature Trust, but I don't know where to put it so that dovecot will use it. I tried appending the CA root certificate onto my server's certificate file with no success. The answer here is not, load my server's certificate into thunderbird or outlook express, because that is exactly what I'm trying to avoid by purchasing my certificate from a recognized authority. Help.

Before choosing a CA to buy a certificate from, you should've checked if their CA certificates come preinstalled with thunderbird/outlook. Seems like they are not, in which case you just wasted some money.

--
./lxnt

Problem solved. In my case I was using the 0.99.10.x release of dovecot, which does not recognize the ssl_ca_file directive. Upgrading to 1.0-test32 was step one. The next step was finding the right format for DST's root certificate. I think the format that finally worked was the format DST distributes for Apache Raven.

Thanks!

On Mon, 2004-08-02 at 19:47, Zach Bagnall wrote:

> It's probably not a matter of getting dovecot to recognise the certificate, it'll be getting the MUA to recognise the signer.
>
> When you get the warning, can you click through to the certificate details and see what it says? Is it showing the signer as DST? Get DST to confirm that their CA is recognised and trusted by Outlook Express, Thunderbird, etc.
>
> Zach.
>
> On Fri, 30 Jul 2004 13:59:40 -0400, Mail Admin <postmaster at psy.miami.edu> wrote:
> > I bought a certificate from Digital Signature Trust which is a well known certificate authority. The reason I bought my certificate, was so that email clients connecting to my imaps server wouldn't be bothered with warnings of unrecognized certificate authority as they would see with a self-signed server certificate. However, I haven't been able to configure dovecot with my Digital Signature Trust signed certificate so that the unrecognized certificate authority warning doesn't appear.