A Matter of Trust
Making Mail.app accept self-signed certificates permanently (and how to create them)
There has been one thing bugging me about Mail.app, the mail client I (and many of my clients) use: its broken handling of self-signed certificates for SSL-encrypted transfers. You see, I'm running mail servers of my own, and in order to communicate securely with them I have installed so-called X.509 certificates. And since I cannot and don't want to fork over something like US$ 200 per year (!) to have these certificates signed by an 'official' authority, I have simply signed them myself.
Now, most email clients (and web browsers, for that matter) expect certificates to be 'trustworthy', i.e. signed by an authority whose certificate is in their list of trusted authorities. tomster.org is, of course, not one of them. No problem! Mail clients such as Mozilla give their users the simple option to 'trust this authority permanently'.
Not so in Mail.app: here it would ask again and again upon each program startup - for each mail account (even if they shared the same server and certificate!).
I have had to click 'continue' three times on each Mac that I own, every time I started Mail.app, for the past months (ever since Panther came out)... Duh! But using unencrypted sessions simply was not an option...
I had tried following the simple instructions in the official Help section of Mail.app on how to extend trust to self-signed certificates, but the app would either hang or, if I imported the certificates manually, simply wouldn't recognize them.
The solution? Thanks to alert co-machacker Tim I simply created two separate files for my certificates: rather than creating one file containing both the key and the certificate (it seemed so convenient at the time!), I now created one file for the certificate and one for the key:
openssl req -new -x509 -nodes -out /var/cert/server.pem -keyout /var/cert/server-key.pem -days 3650
(The -x509 switch makes openssl emit a self-signed certificate instead of a signing request, -nodes leaves the private key unencrypted, and -days 3650 gives the certificate a ten-year lifetime.) Then I simply followed the instructions (i.e. clicking on 'show certificate', alt-dragging it to the Desktop, double-clicking it and then selecting 'X509 anchor' from the ensuing pop-up list). Voilà!

Re: A Matter of Trust
The second option would be to create your own CA certificate, sign every (server, client, ...) certificate with it and import only the CA cert. That way every self-created cert would be trusted - especially valuable when using S/MIME (and a few more certs). Please note that Mail.app is broken and does not handle this situation at all - instead it dies without notice (it neither receives nor sends mail any more; bug already filed).
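As an added example (not from the post or from the comment above), here is the private-CA route the comment suggests, carried out with the same openssl tool the post uses, side by side with a plain self-signed certificate like the one the post's single command produces. The CA name "Example Private CA" and the host name mail.example.org are placeholders, the working directory is a scratch directory, and the only external requirement is the openssl command line. The CA certificate is explicitly marked as a CA with a key restricted to signing, the server certificate carries the host name in subjectAltName and is explicitly not a CA, and the script ends by checking both certificates against the CA with openssl verify: the CA-signed one chains, the self-signed one does not.

```shell
#!/bin/sh
# Added example (not from the post or the comment): build a private CA,
# sign a server certificate with it, and verify both the CA-signed cert and a
# plain self-signed cert against the CA. Requires only the openssl CLI.
# "Example Private CA" and mail.example.org are placeholder names.
set -eu

# Minimal openssl.cnf so the commands work even without a system config file.
# The [ca_ext] section marks the CA certificate as a CA and restricts its key
# to signing certificates and CRLs.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the CA (a self-signed certificate) plus a server certificate signed
# by it. $1 = working directory, $2 = server host name.
make_ca_and_server_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    write_config "$dir"

    # 1. CA key and self-signed CA certificate. -nodes keeps the key
    #    unencrypted, as in the post; protect a real CA key with a passphrase.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -config "$dir/openssl.cnf" -subj "/CN=Example Private CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null

    # 2. Server key and a certificate signing request (no -x509: not self-signed).
    openssl req -new -nodes -newkey rsa:2048 \
        -config "$dir/openssl.cnf" -subj "/CN=$host" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null

    # 3. Sign the CSR with the CA. Clients match the host name against
    #    subjectAltName, and the leaf is explicitly not a CA.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# For comparison: a stand-alone self-signed server certificate, the shape the
# post's single openssl command produces. $1 = working directory, $2 = host.
make_selfsigned_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    write_config "$dir"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -config "$dir/openssl.cnf" -subj "/CN=$host" \
        -keyout "$dir/selfsigned-key.pem" -out "$dir/selfsigned.pem" 2>/dev/null
}

# Print OK if certificate $2 chains to the CA in $1/ca.pem, FAIL otherwise.
verify_chain() {
    if openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Demo in a scratch directory.
workdir=$(mktemp -d)
make_ca_and_server_cert "$workdir" mail.example.org
make_selfsigned_cert "$workdir" mail.example.org
echo "CA-signed server cert vs ca.pem: $(verify_chain "$workdir" "$workdir/server.pem")"      # OK
echo "self-signed cert vs ca.pem:      $(verify_chain "$workdir" "$workdir/selfsigned.pem")"  # FAIL
echo "Anchor to import: $workdir/ca.pem (the certificate only, never a key file)"
```

The file that gets imported as the trust anchor is ca.pem, which is the certificate alone, in line with the post's finding that certificate and key belong in separate files. The CA key (ca-key.pem) never leaves the machine that does the signing, and the server certificate is given a shorter lifetime than the CA so it can be rotated without re-importing the anchor. The keyUsage and basicConstraints extensions are what make the CA certificate acceptable as an issuer to openssl verify in the first place; a self-signed certificate without them is not a valid CA even if you trust it.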