[openssl-users] Verifying a certificate chain
Viktor Dukhovni
openssl-users at dukhovni.org
Sun Oct 4 15:22:57 UTC 2015
On Sun, Oct 04, 2015 at 07:58:42AM -0400, Yan Seiner wrote:
> >I have a certificate from PositiveSSL for my email server. I have the
> >root certificate and the intermediate certs installed in /etc/ssl/certs/.
man c_rehash
> >However, I still cannot verify my certificate. I can't figure out what I
> >have done wrong. I've been wrestling with this for a long time, and I am
> >out of ideas.
> >
> >I am not that familiar with ssl certs - they usually "just work". This
> >one, however, is kicking my butt.
> Never mind. I tried one more thing and it worked.
>
> I concatenated my cert onto the bundle and used that.
>
> cat mail_seiner_com.pem PositiveSSL.pem > mail_seiner_com_bundle.pem
>
> I'm not sure why neither exim4 nor dovecot would accept my cert and then a
> ca cert but rather wanted them all in one bundle.
>
> It now validates correctly.
>
> yan at yan-ThinkPad-W530:~$ openssl s_client -connect mail.seiner.com:587
> -starttls smtp -CApath /etc/ssl/certs
It is also possible that your MSA does not load "missing" certificates
from the default store.
--
Viktor.
More information about the openssl-users
mailing list