Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

How to import SSL POP3 Certificates Internet
So I just started using a SSL POP3 server but Mail.app doesn't want to trust the root certificate. I've been able to find information about how to trust root certificates but nothing about how to retrieve the root certificate. I found a post that details how to retrieve the root certificate. Open the Terminal and type (all on one line):
openssl s_client -connect mail.dreamhost.com:imaps >
  dreamhost.cer < /dev/null
For some reason openssl didn't like the port, so I had to change it from imaps to 995 (the port for POP3 SSL) as in:
openssl s_client -connect mail.dreamhost.com:995 >
  dreamhost.cer < /dev/null
That gave me a file, dreamhost.cer, that could be imported into the X509Anchors keychain, as detailed in his post and several macosxhints.com entries that I was able to find.
    •    
  • Currently 1.00 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (2 votes cast)
 
[12,862 views]  

How to import SSL POP3 Certificates | 5 comments | Create New Account
Click here to return to the 'How to import SSL POP3 Certificates' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
How to import SSL POP3 Certificates
Authored by: nayr on Jun 22, '04 10:43:42AM

Uhhhh, no. That will save the server certificate for the server to the file, NOT the root CA cert. While this will give the appearance of actually working, technically it's incorrect. You shouldn't trust individual server certificates, especially if they are not self-signed.

In order to retrieve the root certificate, you would need to add -showcerts to the openssl command. This will actually put multiple certificates into the output file; you would then have to edit the file to extract the correct (root) cert.



[ Reply to This | # ]
Some catches
Authored by: mr_rangr on Jun 22, '04 10:57:38AM

As the linked post thread says, many settings must match:
You got the key from "mail.dreamhost.com" (using Dreamhost as an example)
Mail.app must be set to use mail.dreamhost.com, *not* mail.yourdomain.com
The Certificate you just grabbed ALSO must claim to be mail.dreamhost.com.

Some self-signers don't bother to put their actual hostname.domain in the certificate, so Mail will still complain because the names don't match.



[ Reply to This | # ]
How to import SSL POP3 Certificates
Authored by: SimonDorfman.com on Jun 22, '04 11:06:14PM
Thank you for this hint. Strangely, the certificate retrieved with this method only works for the POP3 connections. When I try to make a SMTP connection (i.e. send mail), it gives a scary warning about the cert. To fix this, I ran the same command, but replaced the 995 (the port for POP3 SSL) with 465 (the port for SMTP SSL). However, the certificate retreived with this command only works with SMTP! Keychain won't let me install both at the same time because it claims that one is already installed.

Anyone have any idea how I could get one cert that will work with both POP3 and SMTP? Or is there a way to merge the two certs? Thanks.

[ Reply to This | # ]
How to import SSL POP3 Certificates
Authored by: yellow on Jun 23, '04 04:34:33PM

Ummm... for those less technically inclined folks that might read this, here is a GUIfied way to do it.

http://docs.info.apple.com/article.html?artnum=25593

This also works for POP accounts.



[ Reply to This | # ]
How to import SSL POP3 Certificates
Authored by: yellow on Jun 23, '04 04:40:58PM
Sorry, it didn't automagically parse and format that link.

Apple kBase link from above


[ Reply to This | # ]