I'm trying to be my own, personal CA. The plan is to create my own,
self-signed CA cert, import that cert as a trusted authority on
Thunderbird, Firefox, whatever.... and then create certs (signed by my
new CA cert) for use on the various servers that I and a few other
friends use.

Using the openssl CA.pl script, I did the following:

CA.pl -newca

CA.pl -newreq

CA.pl -sign

At this point, I've got my cacert.pem, newreq.pem, newkey.pem, and
newcert.pem.

newcert.pem includes both a "-----BEGIN CERTIFICATE----- " section as
well as what looks to be the human-readable output you get from
'openssl -text ...". So, I removed the passphrase from the new privkey
and tacked it onto the cert with something pretty much like:

openssl rsa < newkey.pem >> newcert.pem

I then configured my courier-imap daemon to use this cert. *BEFORE* I
imported my new CA cert into Thunderbird, I tried to fetch my mail.
T-Bird, of course, complained about a cert that it couldn't verify.
When I click on "Examine Certificate..." the dialog box tells me that
it can't verify it because it doesn't know who issued it.

THEN... I imported the cacert.pem into T-Bird's "Authorities" section
and I click all three boxes "This certificate can identify websites",
"...identify mail users", and "...identify software makers". Then, I
try to fetch my mail again and T-Bird complains that it can't verify
the cert. I click on "Examine Certificate..." and THIS time, it says
""Could not verify this certificate for unknown reasons".

I can only guess that either the CAcert or the cert I signed with it
isn't exactly how its supposed to look... but I'm at a loss as to how
to find out what the problem is.

Any ideas?

_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozi...
http://mail.mozilla.org/listinfo/mozilla-crypto