Courier IMAP and POP3D Certificate Chains in PEM files

It wasn’t entirely clear to me how to deal with these low-cost SSL certificates like the Comodo Positive CA SSL certificate. They come to you with several CRT files. These form a chain of trust, starting with the Root Certificate Authority (CA) and extending down through one or more intermediate certificate authorities to your own certificate.

It just says that the CA you bought it from is trusted by another CA, and that is trusted by another CA, all the way up to the root CA.

The one I got was from PositiveCA, aka Comodo, and its chain was just one CA long.

But if you install only the cert into your servers, Firefox and Thunderbird will throw up a warning dialog box saying it isn’t trusted. How do you get rid of that?

The answer, for Courier IMAP, is to put all the certs into the PEM file where you have your key and cert.

Courier IMAP requires you to put the private key that was used to generate the certificate signing request, together with the cert, into a single PEM file. Mine starts with the key, then the certificate that was sent back.

After that, append the intermediate certificate that signed your certificate. Mine was PositiveSSLCA2.crt.

The next link up in my chain was the AddTrust cert, and it’s a root cert that’s included with Thunderbird, so I left it out.

If you have a longer chain, you keep adding certificates, so that each certificate is the issuer of the one just preceding it.
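To turn the steps above into something you can run before restarting the daemon, here is an added example (my own script, not Courier's or Comodo's code) that concatenates the bundle in the order described and checks with openssl that the first cert matches the key and chains through the bundled intermediates to the root. The file names, the throwaway test CA and the hostname imap.example.com are assumptions made up for this example.

```shell
# Assemble a Courier IMAP/POP3 PEM bundle (key, server cert, intermediates; root
# left out) and check it before deploying. File names and the throwaway test CA
# are assumptions for this example, not Courier's or Comodo's own.
set -eu

# build_bundle OUT KEY CERT INTERMEDIATE...  (order: key, server cert, issuers)
build_bundle() {
  out=$1; shift
  cat -- "$@" > "$out"
  chmod 600 "$out"   # the bundle contains the private key
}
# check_bundle BUNDLE ROOT: the first cert's public key must match the bundled
# private key, and it must chain through the bundled intermediates to ROOT, the
# one cert the client is assumed to have already (AddTrust in the post).
check_bundle() {
  bundle=$1; root=$2; leaf=$(mktemp)
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$bundle" > "$leaf"   # first cert only
  if [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = \
       "$(openssl pkey -in "$bundle" -pubout)" ] &&
     openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
  then ok=1; else ok=0; fi
  rm -f "$leaf"; [ "$ok" = 1 ]
}
# issue DIR NAME CN ISSUER EXTFILE: constructed test cert signed by ISSUER
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" -keyout "$1/$2.key" \
    -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$5" -out "$1/$2.crt" 2>/dev/null
}
# make_test_chain DIR: root -> intermediate -> server, standing in for
# AddTrust -> PositiveSSLCA2 -> your cert (assumes openssl is in PATH)
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=TestRoot \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  issue "$1" int TestIntermediate root "$1/ca.ext"
  issue "$1" server imap.example.com int "$1/leaf.ext"
}
# demo: the right order verifies, intermediate-before-server-cert does not
demo() {
  d=$(mktemp -d); make_test_chain "$d"
  build_bundle "$d/imapd.pem" "$d/server.key" "$d/server.crt" "$d/int.crt"
  check_bundle "$d/imapd.pem" "$d/root.crt" || return 1
  build_bundle "$d/bad.pem" "$d/server.key" "$d/int.crt" "$d/server.crt"
  if check_bundle "$d/bad.pem" "$d/root.crt"; then return 1; fi
  rm -rf "$d"
}
```

For a real deployment, call build_bundle with your own key, cert and PositiveSSLCA2.crt, then check_bundle against the AddTrust root you left out of the bundle.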

And how it works…

When a client connects, the server sends the whole certificate chain along with your cert. The client then uses the intermediate CAs in the chain to connect your certificate to a root CA already in its database of certificate authorities.

Your site is verified, and the client is happy.