
Thunderbird says: "Could not verify this certificate for unknown reasons" to the certs I m


Published: Sun, 04 May 2008 21:11:00 GMT; 2 comments

I'm trying to be my own, personal CA. The plan is to create my own,
self-signed CA cert, import that cert as a trusted authority on
Thunderbird, Firefox, whatever and then create certs (signed by my
new CA cert) for use on the various servers that I and a few other
friends use.

Using the openssl CA.pl script, I did the following:

    CA.pl -newca
    CA.pl -newreq
    CA.pl -sign

At this point, I've got my cacert.pem, newreq.pem, newkey.pem, and
newcert.pem.

newcert.pem includes both a "CERTIFICATE" section as well as what looks
to be the human-readable output you get from 'openssl -text'. So, I
removed the passphrase from the new privkey and tacked it onto the cert
with something pretty much like:

    # strip the passphrase from the key and append the plain key to the cert file
    openssl rsa < newkey.pem >> newcert.pem

I then configured my courier-imap daemon to use this cert. *BEFORE* I
imported my new CA cert into Thunderbird, I tried to fetch my mail.
T-Bird, of course, complained about a cert that it couldn't verify.
When I click on "Examine Certificate" the dialog box tells me that
it can't verify it because it doesn't know who issued it.

THEN I imported the cacert.pem into T-Bird's "Authorities" section
and I click all three boxes "This certificate can identify websites",
"identify mail users", and "identify software makers". Then, I
try to fetch my mail again and T-Bird complains that it can't verify
the cert. I click on "Examine Certificate" and THIS time, it says
"Could not verify this certificate for unknown reasons".

I can only guess that either the CAcert or the cert I signed with it
isn't exactly how it's supposed to look but I'm at a loss as to how
to find out what the problem is.

Any ideas?

mozilla-crypto mailing list

mozilla-crypto (AT) mozilla (DOT) org


  • 2 Comments
    • joe (AT) emenaker (DOT) com wrote:

      > I then configured my courier-imap daemon to use this cert. *BEFORE* I
      > imported my new CA cert into Thunderbird, I tried to fetch my mail.
      > T-Bird, of course, complained about a cert that it couldn't verify.
      > When I click on "Examine Certificate" the dialog box tells me that
      > it can't verify it because it doesn't know who issued it.
      >
      > THEN I imported the cacert.pem into T-Bird's "Authorities" section
      > and I click all three boxes "This certificate can identify websites",
      > "identify mail users", and "identify software makers". Then, I
      > try to fetch my mail again and T-Bird complains that it can't verify
      > the cert. I click on "Examine Certificate" and THIS time, it says
      > "Could not verify this certificate for unknown reasons".

      Hmm, I would have expected a better error code here. Things that could be
      wrong when verifying a certificate:

      1) The steps you took in Thunderbird to trust the certificate trust
      the certificate as a CA (not an SSL 'peer' certificate). That means if
      you used that certificate itself as the cert for your imap daemon, then
      Thunderbird wouldn't necessarily trust it as an SSL peer. You need to
      issue a new certificate subordinate to your CA certificate as your SSL
      certificate (like you suggested you wanted to do in the first paragraph).

      2) Your SSL cert doesn't have a CN or Subject AltName which matches the
      name of your imap host. In this case I would have expected a name
      mismatch error.

      3) Your SSL or CA cert is not valid at this time (either before the
      'before date' or after the 'after date'). This could happen because of
      clock skew between your server and client. In this case I would have
      expected an error about the cert 'not being valid yet, or the cert being
      expired'.

      4) Your SSL cert has usage extensions which do not include SSL.

      5) Your SSL cert has an invalid serial number (most common case: the
      serial number in your SSL cert is the same as the serial number in your
      CA). This is an extremely common error when using the OpenSSL suite to
      generate certificates, as the suite does not generate random serial
      numbers, but defaults to a serial number of '1'. You should never generate
      a certificate which has the same issuer and serial number as another
      existing certificate.

      bob

      > I can only guess that either the CAcert or the cert I signed with it
      > isn't exactly how it's supposed to look but I'm at a loss as to how
      > to find out what the problem is.
      >
      > Any ideas?

      #1; Sun, 04 May 2008 21:13:00 GMT
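As an added example (not code from the thread or from any of its participants): the script below builds a private CA the way the original post sets out to, issues a server certificate subordinate to it, and then runs the checks from bob's five-item list as plain openssl commands, so the "unknown reasons" failure can be narrowed down offline before the certificate ever reaches Thunderbird. It assumes openssl 1.1.1 or newer on PATH; the CA name, the host name imap.example.test, the serial values and all file names are constructed placeholders. The CA is deliberately given serial number 1, as the old CA.pl default did, so that item 5 can be shown: one leaf is signed with the same serial (the collision bob describes) and one with a random serial. The serial comparison is a separate function because `openssl verify` checks chain, validity dates and purpose but does not compare a leaf's serial number with its issuer's.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes openssl >= 1.1.1.
# All names and serials below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; files are left for inspection

# Self-signed CA. -set_serial 1 mimics the old CA.pl default so the
# serial-collision case (bob's item 5) can be demonstrated.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Example Personal CA" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -set_serial 1 \
    -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# Server certificate subordinate to the CA (item 1), with a SAN naming the
# IMAP host (item 2) and an EKU that includes TLS server use (item 4).
# $1 = output base name, $2 = serial number (decimal or 0x-prefixed hex).
make_leaf() {
  name="$1"; serial="$2"
  cat > "$WORK/$name.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:imap.example.test
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=imap.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -set_serial "$serial" -days 825 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Chain verification for the sslserver purpose: covers items 1, 3 and 4.
# Returns 0 when the leaf chains to the CA, is valid now, and may serve TLS.
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver \
    "$WORK/$1.pem" >/dev/null 2>&1
}

# Item 2: does the SAN carry the host name the client connects to?
# $1 = leaf base name, $2 = expected DNS name.
san_matches() {
  openssl x509 -in "$WORK/$1.pem" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# Item 5: the leaf's serial must differ from the CA's. openssl verify does not
# check this, so it is a separate test.
serial_differs_from_ca() {
  ca_serial=$(openssl x509 -in "$WORK/ca.pem" -noout -serial)
  leaf_serial=$(openssl x509 -in "$WORK/$1.pem" -noout -serial)
  [ "$ca_serial" != "$leaf_serial" ]
}

make_ca
make_leaf bad 1                              # same serial as the CA
make_leaf good "0x$(openssl rand -hex 16)"   # random 128-bit serial

for leaf in bad good; do
  echo "$leaf: verify=$(verify_leaf "$leaf" && echo OK || echo FAIL)" \
       "san=$(san_matches "$leaf" imap.example.test && echo OK || echo FAIL)" \
       "serial=$(serial_differs_from_ca "$leaf" && echo OK || echo FAIL)"
done
```

Run it with `sh`; the generated files stay in `$WORK` so each one can be inspected with `openssl x509 -in FILE -noout -text`. The "bad" leaf passes `openssl verify` and the SAN check yet fails the serial check, which is the shape of problem the thread describes: a chain that looks fine to one toolkit and is rejected by another.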
    • joe (AT) emenaker (DOT) com wrote:

      > I'm trying to be my own, personal CA. The plan is to create my own,
      > self-signed CA cert, import that cert as a trusted authority on
      > Thunderbird, Firefox, whatever and then create certs (signed by my
      > new CA cert) for use on the various servers that I and a few other
      > friends use.
      >
      > I can only guess that either the CAcert or the cert I signed with it
      > isn't exactly how it's supposed to look but I'm at a loss as to how
      > to find out what the problem is.

      NSS has a couple of QA test tools, vfychain and vfyserv, that should be
      usable for this purpose. However, I've just noticed that they have no
      way to ask if a CA is a valid Email CA. They do have a way to ask if an
      email signature or recipient cert is valid though. If it's not, they
      will tell you what's wrong with it.

      Alternatively, if you post the hostname/port of the server, we can
      take a look. Or, you could email (or post) the complete cert chain, from
      CA to server cert, for us to examine.

      #2; Sun, 04 May 2008 21:14:00 GMT