ot: self certified enduser browser/mail client install?

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Mon Aug 21 08:49:02 EEST 2017


On Mon, 21 Aug 2017, voytek at sbt.net.au wrote:

> in order for end user to avoid webmail warnings or email client warnings,
> do I make this file /etc/pki/dovecot/certs/dovecot.pem available to users
> say under httpd://webhost/tld/certificate/dovecot.pem

Most likely yes. It should work regardless of whether the cert is self-signed or 
not.

However, you could try to find the upper-most cert by running

openssl x509 -in /etc/pki/dovecot/certs/dovecot.pem -noout -text|less

Check out the Issuer and Subject near the top of the output:

     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=dovecot.example.com/emailAddress=me at example.com
         Validity
             Not Before: Aug 21 05:36:49 2017 GMT
             Not After : Aug 21 05:36:49 2018 GMT
         Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=dovecot.example.com/emailAddress=me at example.com

If both are the same, it's the correct one. Then you really have a 
self-signed certificate. Otherwise hunt for the "issuer" cert and hand 
that to your users. That would be your CA cert.

-- 
Steffen Kaiser
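
The Issuer/Subject comparison from the reply above, scripted as an added example (not part of the original message or of Dovecot). It also refuses a file that contains a private key, since only the certificate belongs in the hands of users. The function names and the demo certificates are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. Classifies a PEM file before it is published to users.

# True if the file carries a private key block; such a file stays on the server.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Prints the issuer or subject DN ($2 = issuer|subject) in one normalised form.
dn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# True only if Issuer equals Subject and the signature verifies with the
# certificate's own key (equal names alone do not prove self-signing).
is_self_signed() {
    [ "$(dn "$1" issuer)" = "$(dn "$1" subject)" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Prints one verdict line for the certificate file given as $1.
advise() {
    if has_private_key "$1"; then
        echo "do-not-publish: file contains a private key"
    elif is_self_signed "$1"; then
        echo "publish: self-signed, users import this file"
    else
        echo "publish-issuer-instead: $(dn "$1" issuer)"
    fi
}

# Builds constructed test material in directory $1: a self-signed cert,
# a CA with a leaf it signed, and a cert+key bundle.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dovecot.example.com" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
    cat "$1/self.pem" "$1/self.key" > "$1/bundle.pem"
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for f in self leaf bundle; do echo "$f.pem -> $(advise "$demo_dir/$f.pem")"; done
rm -rf "$demo_dir"
```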

