[tpop3d-discuss] tls certificate chains

Erik Grinaker erikg at codepoet.no
Mon, 10 May 2004 16:20:32 +0200


I'm setting up a mail server using tpop3d, and so far I'm extremely
pleased with it. However, I ran into some problems when attempting to
set up TLS.

The problem seems to be that tpop3d does not handle certificate chains.
Here is the situation:

I ordered a certificate from Comodo (InstantSSL) - let's call it
server.crt. This certificate is signed using Comodo's certificate,
comodo.crt. However, comodo.crt is what is called an intermediate
certificate, which is signed with a root certificate from GTE
CyberTrust, called gte.crt.

So, server.crt is signed with comodo.crt, and comodo.crt is signed with
gte.crt, which is a root certificate.

The problem is that server.crt can not be verified by clients, because
they need the intermediate certificate (comodo.crt) and preferably also
the root certificate (gte.crt). The server needs to provide these in a
certificate chain.

Other programs (exim, apache, courier-imap etc) handle this in various
ways; some expect all certificates and keys (the entire chain) to be
located in the same file, while others expect the server certificate in
one file and the rest of the chain (comodo.crt and gte.crt) in a
different file.

So, since I couldn't find any tpop3d options for using other files, I
just told it to use the file containing the entire chain as a
certificate. However, it only uses the first it finds (server.crt). The
chain file looks like this:

[server.crt contents]
[server.crt private key]
[comodo.crt contents]
[gte.crt contents]

So, have I misunderstood anything, or isn't this currently possible with

Erik Grinaker <erikg@codepoet.no>

"We act as though comfort and luxury were the chief requirements of
life, when all that we need to make us happy is something to be
enthusiastic about."
                                                      -- Albert Einstein
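The situation described in the post, reproduced as an added example (not code from the thread or from the tpop3d project): a throwaway three-level hierarchy standing in for gte.crt, comodo.crt and server.crt is generated with openssl, and a root-only trust store is used to show that server.crt verifies only when the intermediate is supplied alongside it. All subject names and file names are assumptions of this example.

```shell
#!/bin/sh
# Added example: rebuild the chain root -> intermediate -> server with
# throwaway keys and check what a client that trusts only the root can verify.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_test_pki() {
    # Extensions that mark a certificate as a CA (needed for root and intermediate).
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    # Self-signed root standing in for gte.crt.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
        -keyout gte.key -out gte.csr 2>/dev/null
    openssl x509 -req -days 1 -in gte.csr -signkey gte.key -extfile ca.ext \
        -out gte.crt 2>/dev/null
    # Intermediate standing in for comodo.crt, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout comodo.key -out comodo.csr 2>/dev/null
    openssl x509 -req -days 1 -in comodo.csr -CA gte.crt -CAkey gte.key \
        -CAcreateserial -extfile ca.ext -out comodo.crt 2>/dev/null
    # Server certificate standing in for server.crt, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -days 1 -in server.csr -CA comodo.crt -CAkey comodo.key \
        -CAcreateserial -out server.crt 2>/dev/null
    # Chain file in the order TLS expects: server certificate first, then each issuer.
    cat server.crt comodo.crt gte.crt > chain.pem
}

# Client that trusts only the root and is sent only server.crt.
verify_leaf_alone() {
    openssl verify -CAfile gte.crt server.crt >/dev/null 2>&1
}

# Same client, but the server also hands over the intermediate.
verify_leaf_with_intermediate() {
    openssl verify -CAfile gte.crt -untrusted comodo.crt server.crt >/dev/null 2>&1
}

# Number of certificates in a PEM bundle (private keys are not counted).
count_certs() {
    grep -c 'BEGIN CERTIFICATE-' "$1"
}

make_test_pki
if verify_leaf_alone; then echo "server.crt alone: verifies"
else echo "server.crt alone: client cannot find the issuer"; fi
verify_leaf_with_intermediate && echo "server.crt + comodo.crt: verifies"
echo "chain.pem carries $(count_certs chain.pem) certificates"
```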