Secure email fails with private CA
If a private CA such as a self-signed enterprise CA is in use, the CA is not recognized when establishing SMTP connections even though the CA certificate has been imported in System / Certificate Manager / CAs.
The reason for this is that the imported CA certificate is not stored in a location/manner available to OpenSSL. One solution (there may be others) to this issue is to append imported CA certificates to /usr/local/share/certs/ca-root-nss.crt.
Updated by Ross Williams almost 5 years ago
I am interested in implementing a related feature that allows a "private CA" to be installed as a trusted root that is validated against when performing package updates. Appending to the ca-root-nss.crt file gets the job done, but is bad(tm) because that file belongs to an installed package. The better solution is to create a directory under /usr/local/etc/ssl called /usr/local/etc/ssl/crt and then configure OpenSSL to look there for additional certs.
I'm imagining that putting the OpenSSL environment variables that cause cURL to use that certs directory at the earliest point possible in the init process would also cause most other OpenSSL-based applications to also look for additional certs. Is this still an issue for you, Denny?
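The separate-directory approach discussed above, as an added example that is not part of the original thread or the project's code: it builds a throwaway private CA and shows that OpenSSL only finds a CA in a certificate directory once the subject-hash link exists. The CA name, host name and file names are constructed for the demo; `SSL_CERT_DIR` is OpenSSL's standard environment variable, and an OpenSSL 1.1.0 or later command line is assumed.

```shell
#!/bin/sh
# Added example; the CA, host name and file names are constructed for the demo.

make_demo_pki() {   # $1 = work dir: throwaway private CA in $1/crt plus a leaf cert
    mkdir -p "$1/crt"
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/ca.key" -out "$1/crt/demo-ca.pem" 2>/dev/null &&
    openssl req -new -config "$1/req.cnf" -subj "/CN=mail.example.internal" \
        -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/crt/demo-ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$1/leaf.pem" 2>/dev/null
}

hash_link() {       # $1 = PEM cert: create the <subject-hash>.0 link OpenSSL looks up
    # `openssl rehash <dir>` automates this and also handles hash collisions (.1, .2)
    h=$(openssl x509 -noout -subject_hash -in "$1") &&
    ln -sf "$(basename "$1")" "$(dirname "$1")/$h.0"
}

trusted_via_dir() { # $1 = cert dir, $2 = cert: status 0 only if a trusted chain builds
    SSL_CERT_DIR="$1" openssl verify "$2" >/dev/null 2>&1
}

# Demo run: the PEM file alone is not enough, the hash link is what makes it visible.
work=$(mktemp -d)
make_demo_pki "$work"
trusted_via_dir "$work/crt" "$work/leaf.pem" || echo "PEM only, no hash link: not trusted"
hash_link "$work/crt/demo-ca.pem"
trusted_via_dir "$work/crt" "$work/leaf.pem" && echo "after hash link: leaf verifies"
rm -rf "$work"
```

Setting `SSL_CERT_DIR` replaces OpenSSL's default certificate directory rather than adding to it (the default bundle file is still consulted), and it accepts a colon-separated list when several directories are needed.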