
My server is running GNU/Linux CentOS 5.5 + Postfix 2.3.3 + Dovecot 1.0.7.

I got a mail from cacert.org saying my certificate is set to expire in 45 days, so I went to the cacert.org account to renew the certificate and got something like this:

-----BEGIN CERTIFICATE-----
MIIEnzCCAoe (...)
-----END CERTIFICATE-----

Neither cacert.org nor any searches I did explain what to do next. I replaced my certificate file contents with this new certificate for testing, but when email clients are starting to send a message, a pop-up says:

You are about to override how Thunderbird identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this. Certificate status: This site attempts to identify itself with invalid information.

Certificate belongs to a different site, which could indicate an identity theft. Unknown identity. Certificate is not trusted, because it hasn't been verified by a recognised authority.

How do I update the certificate without this pop-up reaching end users now or after the certificate expires?

Ben Pilbrow
  • Have you installed the [CAcert root certificate](http://www.cacert.org/index.php?id=3) in Thunderbird? If you haven't then Thunderbird isn't going to automatically trust your certificate and will treat it like a self-signed certificate. – mgorven Apr 19 '12 at 20:23

1 Answer


First of all you need to find out whether the certificate contains the right "Common Name". You can check this by putting the text you got into a file and then typing:

openssl x509 -noout -text -in /my/file

This will display the information in the certificate in human-readable form.

If the certificate is valid for the hostname that the end users use, the certificate should not cause their clients to issue warnings. If they do, they cannot determine the validity of the CA which signed the certificate. In that case you may need to put the CA certificates in a file and adjust your configuration so that the CA certificates are read as well. This way the software can supply the end users with the certificate AND the CA certificate chain.

Note that end users will ALWAYS get a warning if the hostname they use does not match the Common Name from the certificate.

Cheatah
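The two checks discussed in the answer above (does the certificate name match the hostname clients use, and does it chain to a CA the client trusts), as an added example that is not part of the original answer. The CA, hostnames and file names are constructed for the demo; on a real server `server.pem` would be the renewed certificate and `ca.pem` the issuing CA's root certificate.

```shell
#!/bin/sh
# Added example: every name, host and file below is constructed for the demo.

# Succeeds if the certificate in $1 is valid for hostname $2.
# Uses -checkhost (OpenSSL 1.0.2 or later) and reads its verdict line.
cert_matches_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" | grep -q 'does match certificate'
}

# Succeeds if the certificate in $2 chains to a CA in the bundle $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA, an unrelated CA, and a server certificate
# with Common Name $2, all inside directory $1.
make_demo_pki() {
    d=$1 host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/server.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_demo_pki "$d" mail.example.org || return 1
    # The fields worth reading first: who it is for, who signed it, when it expires.
    openssl x509 -noout -subject -issuer -enddate -in "$d/server.pem"
    for h in mail.example.org smtp.example.net; do
        cert_matches_host "$d/server.pem" "$h" \
            && echo "$h: name matches" || echo "$h: name MISMATCH"
    done
    for ca in ca.pem other.pem; do
        chain_verifies "$d/$ca" "$d/server.pem" \
            && echo "$ca: chain OK" || echo "$ca: chain NOT trusted"
    done
    rm -rf "$d"
}

demo
```

A name mismatch corresponds to the "belongs to a different site" part of the warning, and a failed chain check to the "not trusted" part.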