Auteur: John Holman Date: À: exim-users Sujet: [Exim] TLS and certificate chains
I've obtained a server certificate from GlobalSign (under the UKERNA
deal for UK HE institutions, in fact) but am having difficulty
configuring Exim to use it. I think the problem is that the client needs
to receive not only the server certificate itself, but also a couple of
intermediate GlobalSign certificates linking it with the root
certificate known to the client.
Certainly this is necessary when using GlobalSign certificates with a
web browser. In that case, with Apache as the server, defining the
SSLCertificateChainFile directive and placing the intermediate
certificates in the referenced file works. However there does not seem
to be the corresponding directive in Exim.
What sounds like the same issue was raised back in November (see message
below) but I don't know whether there has been any progress since then.
We don't want to tell users to install the intermediate certificates in
the client themselves, since the reason for buying a commercial
certificate in the first place was to avoid any need for users to do
that kind of thing!
Thanks, John.
William Gerken wrote: > I have successfully configured Exim to act as an TLS server for incoming
> connections from Outlook and Netscape clients. This worked very smoothly
> expect for the small detail that the clients are being prompted to
> verify the certificate, with a message along the lines of "A
> certificate chain processed correctly, but terminated in a root
> certificate which is not trusted by the trust provider". Now the
> certificate is a valid cert signed by Equifax and it verifies correctly
> on the server using the openssl utilities.
>
> I believe I have tracked the problem down to a requirement for sending
> the intermediate cert that was supplied by Equifax to the client along
> with the servers cert, however unlike Apache which supplies
> the directives "SSLCACertificateFile" and "SSLCertificateChainFile", I
> can not find this functionality in Exim. The documentation points to the
> modssl website and it doesn't seem to have been touched on in the
> mailing list. Can anyone give me a suggestion which does not require
> configuration client side?
>
> William Gerken
> WAN Engineer
> Serco Information Systems
>
>
>