> if it is unsigned i think so. signed certs i think only have to match > the domain.
but where is the domain listed if not in the the common name of the cert? > instead of "fixing" your ssl cert look into ditching outlook or fixing > outlook. i don't want to do that. i use fetchmail (haven't used windows in years) but i have friends and family that use my server and they need to be able to use whatever tools they prefer to check their mail. > i use sslwrap to provide SSL over IMAP4, with netscape it warns me > that the host is not the same as the cert as well, because i am > connecting to a CNAME rather then the real hostname. i don't think that sslwrap will make a difference unless the certificate is generated differently. i figured out how to generate a certificate the way i needed by running this. # openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem i just put "." as the answer (which leaves it blank) to all the questions except cn (which got the fqdn of my server) and email which i put [EMAIL PROTECTED] in. fetchmail doesn't give me an error anymore (still waiting to hear back if outlook works) and the new cert looks like this: maus(larry)$ sudo openssl x509 -subject -dates -fingerprint -in /etc/ssl/certs/stunnel.pem subject=/CN=maus.spack.org/[EMAIL PROTECTED] notBefore=Nov 30 00:34:15 2000 GMT notAfter=Nov 30 00:34:15 2001 GMT MD5 Fingerprint=34:5C:8F:EA:39:77:86:FB:CB:BC:46:F7:6B:F7:D6:5D > doesn't cause a problem, just have to click the continue button, and i > prefer to see that come up so i know SSL is enabled :) you can do this with a correct cert as well (at least in netscape) just choose to only accept the certificate for that session. adam.