[openssl-users] Verifying a certificate chain

Viktor Dukhovni openssl-users at dukhovni.org
Sun Oct 4 15:22:57 UTC 2015

On Sun, Oct 04, 2015 at 07:58:42AM -0400, Yan Seiner wrote:

> >I have a certificate from PositiveSSL for my email server.  I have the
> >root certificate and the intermediate certs installed in /etc/ssl/certs/.

	man c_rehash

> >However, I still cannot verify my certificate.  I can't figure out what I
> >have done wrong.  I've been wrestling with this for a long time, and I am
> >out of ideas.
> >
> >I am not that familiar with ssl certs - they usually "just work". This
> >one, however, is kicking my butt.
> Never mind.  I tried one more thing and it worked.
> I concatenated my cert onto the bundle and used that.
> cat mail_seiner_com.pem PositiveSSL.pem > mail_seiner_com_bundle.pem
> I'm not sure why neither exim4 nor dovecot would accept my cert and then a
> ca cert but rather wanted them all in one bundle.
> It now validates correctly.
> yan at yan-ThinkPad-W530:~$ openssl s_client -connect mail.seiner.com:587
> -starttls smtp -CApath /etc/ssl/certs

It is also possible that your MSA does not load "missing" certificates
from the default store.


More information about the openssl-users mailing list