
Sendmail and intermediate certificates


Vesa-Matti Kari

Nov 11, 2010, 2:23:12 AM
Hello,

I am trying to use Comodo's certificates with Sendmail, but
when I use

openssl s_client -starttls smtp -connect host.name.here:25

I always get:

Verify return code: 21 (unable to verify the first certificate)

As far as I understand, the Comodo certificates are not
directly signed by the root CAs, so they are not recognized without
help from some "chaining" intermediate certificates. The chaining
certificates link the server certificate to the well-known root
CAs.

With Apache web server, in ssl.conf I use:

SSLCertificateChainFile /etc/pki/tls/certs/comodo-chain.crt

and the intermediate certificate works fine, i.e. the clients
succeed in verifying.

With Dovecot IMAP/POP server, I have simply concatenated the
server certificate with the intermediate certificates and it
works.

I have tried the concatenation method with Sendmail too, but
as I said earlier, with no success. Is it possible to configure
Sendmail to use the intermediate certificates? Thanks for any
information.

Regards,
vmk
--
************************************************************************
Tietotekniikkaosasto / Helsingin yliopisto
IT department / University of Helsinki
************************************************************************

Vesa-Matti Kari

Nov 11, 2010, 3:24:36 AM
Vesa-Matti Kari <vmk...@cc.helsinki.fi> wrote:

> I have tried the concatenation method with Sendmail too, but
> as I said earlier, with no success. Is it possible to configure
> Sendmail to use the intermediate certificates?

Okay. We found out how to do it. The verification works via the
OpenSSL library without Sendmail's co-operation. The trick is to
insert the Comodo intermediate certificates into the CA bundle of
the server. It seems a little weird, but the CA bundle is used
in many ways.

man s_server

yields:

-CAfile file
A file containing trusted certificates to use during client
authentication and to use when attempting to build the
server certificate chain. The list is also used in
the list of acceptable client CAs passed to the client when a
certificate is requested.
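
The failure and both fixes discussed in this thread can be reproduced offline. The script below is an added example, not code from the original posts or from the Sendmail project: it builds a throw-away three-tier PKI (root, intermediate, server certificate) with the openssl CLI, shows that the server certificate does not verify against the root alone, and then shows the two ways of supplying the intermediate: alongside the leaf, as Apache's SSLCertificateChainFile or Dovecot's concatenated PEM do, and appended to the CA bundle, which is the workaround found for Sendmail. All names, file paths and lifetimes are invented for the demonstration; the Sendmail macro named in the comments, confCACERT, is the real sendmail.mc option that sets the CA file handed to OpenSSL.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the missing-intermediate
# problem with a locally generated PKI. Subjects, paths and lifetimes are made up.
#   root CA  ->  intermediate CA  ->  server (MTA) certificate
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Helper: fresh RSA key plus CSR for the given CN. $1 CN, $2 key file, $3 CSR file.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Helper: issue a certificate from a CSR. $1 CSR, $2 issuer cert, $3 issuer key,
# $4 extension file, $5 output. x509 -req avoids needing an openssl.cnf CA layout.
issue() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 365 -sha256 -extfile "$4" -out "$5" >/dev/null 2>&1
}

# 1. Root CA: self-signed, CA:TRUE. This is the only thing the client trusts.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
csr "Example Root CA" root.key root.csr
openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
    -extfile ca.ext -out root.crt >/dev/null 2>&1

# 2. Intermediate CA, signed by the root: the certificate a leaf-only server omits.
csr "Example Intermediate CA" inter.key inter.csr
issue inter.csr root.crt root.key ca.ext inter.crt

# 3. Server certificate for the MTA, signed by the intermediate.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' > server.ext
csr "mail.example.test" server.key server.csr
issue server.csr inter.crt inter.key server.ext server.crt

# What a client sees when the server sends only its own certificate: the leaf's
# issuer is unknown, so no path to the trusted root exists. Returns non-zero.
verify_leaf_only() {
    openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}

# Apache / Dovecot style: the intermediate travels with the leaf (chain file or
# concatenated PEM), so the verifier receives it as an untrusted helper cert.
verify_with_chain_file() {
    cat server.crt inter.crt > server-chain.crt
    openssl verify -CAfile root.crt -untrusted server-chain.crt server.crt >/dev/null 2>&1
}

# Sendmail workaround from the thread: append the intermediate to the CA bundle
# the server loads (confCACERT in sendmail.mc). OpenSSL then finds the
# intermediate there when it assembles the chain to send to clients.
# Prints the number of certificates in the resulting bundle.
make_bundle() {
    cat root.crt inter.crt > ca-bundle.crt
    grep -c 'BEGIN CERTIFICATE' ca-bundle.crt
}

verify_with_bundle() {
    make_bundle >/dev/null
    openssl verify -CAfile ca-bundle.crt server.crt >/dev/null 2>&1
}

# Stand-alone run: report the three outcomes.
if verify_leaf_only; then
    echo "leaf only: OK (unexpected)"
else
    echo "leaf only: FAILS (verifier cannot find the issuer of server.crt)"
fi
verify_with_chain_file && echo "leaf + intermediate as chain: OK"
verify_with_bundle && echo "leaf + intermediate in CA bundle: OK"
```

Two caveats for the Sendmail variant. First, as the quoted s_server man page says, every certificate in the CA file is also advertised to clients as an acceptable client-certificate CA, so the bundle now names the intermediate in that list as well; harmless for most MTAs, but visible to anyone inspecting the handshake. Second, if the CA certificates are supplied as a directory (confCACERT_PATH) rather than one file, OpenSSL looks them up by subject hash, so the directory must be re-hashed (c_rehash or openssl rehash) after the intermediate is added, or it will not be found.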
