
I'm currently in the process of becoming PCI compliant and I have 6 warnings remaining. The one I'm particularly struggling with is "SSL Certificate Cannot Be Trusted IMAP (143/TCP)". I'm using Postfix/Courier-Imap on CentOS 6.5 and I have an SSL certificate already installed on port 993 (IMAPS).

My question is, how do I add, edit or remove the SSL on port 143?

I thought that port 993 was IMAP + SSL so I'm not sure why my scanner is complaining about an untrusted SSL on port 143.

Sorry if this isn't very clear.

Update: This issue also occurs on ports 587, 443, 110 and 25 (SSL certificate cannot be trusted) and the description given is "The server's X.509 certificate does not have a signature from a known public certificate authority". Is there a central certificate somewhere that these warnings are referring to?

CodesInChaos
Sean King
    Don't run mail services on a machine that's in scope for PCI. It will just make your life a living hell. And, didn't you just ask this question the other day? – Michael Hampton May 14 '14 at 19:36
  • Yeah, I am realising that now, but I have made it this far with only a handful of warnings remaining. No, I asked whether I needed one or multiple SSL certificates to secure multiple mail ports. – Sean King May 14 '14 at 19:42

1 Answer


The warning about IMAP/143 is probably because your imapd supports TLS, so the tool is connecting to plaintext IMAP, asking to escalate to TLS, and complaining about the certificate then presented.

You don't say what your MTA is, and I'm no expert on courier IMAP, but with sendmail and dovecot they most definitely do not, by default, use the same certificate. Even on my main server, where they do all use the same certificate, they don't all get it from the same file as they want it in different formats: one wants public and private key together in a PEM file, another wants separate key and cert files but the chaining certificate is catted in with the main certificate, yet another wants the chaining certificate in a separate file.

It seems likely to me that the same will be true for you. You'll have to look at the configs of courier and your MTA, and see where they are looking for their SSL certificates - only then will you be able to say if they've got a point.

MadHatter
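The behaviour the answer describes (the scanner negotiating STARTTLS on the plaintext ports and then judging the certificate that appears) can be reproduced from the shell with `openssl s_client`, which also shows whether each daemon is serving the same certificate. This is an added example, not part of the question or answer: it assumes the host name is passed as the first argument and that the CA bundle sits at the CentOS 6 default path.

```shell
#!/bin/sh
# Added example: probe each port the PCI scanner flagged and report the
# certificate chain actually served there. Assumes openssl s_client is
# installed and that the CA bundle path below (CentOS 6 default) is correct.

CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Map a port to the s_client option that negotiates STARTTLS on it.
# 443 and 993 speak TLS from the first byte, so they get no option.
starttls_arg() {
    case "$1" in
        25|587) echo "-starttls smtp" ;;
        110)    echo "-starttls pop3" ;;
        143)    echo "-starttls imap" ;;
        *)      echo "" ;;
    esac
}

# Extract N from an s_client "    Verify return code: N (reason)" line.
# 0 means the chain validated against CA_BUNDLE; anything else is what
# the scanner is complaining about.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# Connect to HOST:PORT, finish the handshake, and print subject, issuer,
# SHA-1 fingerprint and verify result of the certificate presented.
# starttls_arg is deliberately unquoted so its two words split.
check_port() {
    host=$1; port=$2
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            $(starttls_arg "$port") -CAfile "$CA_BUNDLE" </dev/null 2>&1) || true
    echo "== $host:$port"
    printf '%s\n' "$out" | grep -E '^(subject=|issuer=)' \
        || echo "   no certificate presented (port closed, or no TLS/STARTTLS)"
    # x509 reads the first PEM block, i.e. the leaf certificate; comparing
    # fingerprints across ports shows which daemons share a certificate.
    printf '%s\n' "$out" | openssl x509 -noout -fingerprint -sha1 2>/dev/null
    echo "   verify return code: $(verify_code "$out")"
}

# Only probe when a host was given, so the functions can be sourced alone.
if [ $# -ge 1 ]; then
    for p in 25 110 143 443 587 993; do
        check_port "$1" "$p"
    done
fi
```

A verify return code of 21 or 20 on a port whose certificate is otherwise correct usually means that daemon's configuration lacks the intermediate (chaining) certificate the answer mentions.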