New mail.messagingengine.com SSL certificate

Rob Mueller, Founder & CTO

Sometime in the next 24 hours we’ll be changing over the SSL certificate for mail.messagingengine.com to a new one. In theory, users shouldn’t notice any change at all. However, there are two changes in the new certificate that might affect some users.

  1. We’re changing our SSL provider from Thawte to Digicert. Some users
    using older devices may have had to install the Thawte root
    certificate into their device to be recognised properly. Those
    devices may also be missing the Digicert root certificate. A copy of
    the Digicert root certificate can be downloaded from
    http://www.fastmail.fm/DigiCertCA.crt (It’s actually a
    chained certificate, and the correct root to use is
    http://www.fastmail.fm/Entrust.net_Secure_Server_CA.pem). Most
    devices that don’t recognise the Digicert certificate by default
    should allow you to install a root certificate from the above URL.
  2. We’re changing from a pure mail.messagingengine.com certificate to a
    wildcard *.messagingengine.com certificate. Some old devices may
    not understand wildcard certificates properly. For those devices,
    we’ve included mail.messagingengine.com as a “server alternate name”
    in the certificate, which should work.

We’ve checked that compatibility with this new certificate should be good, but as always, there are edge cases and some users may have issues. If you do have any problems, please email me directly at robm@fastmail.fm with details of the device you’re using and the error you’re getting.

The reason we’re changing is that Digicert offer more flexibility with their SSL certificates, such as wildcard certificates with multiple “server alternative name” options.

Update: I rolled out the new certificate, and shortly afterwards had some reports of problems with Eudora/iPhone/Thunderbird/etc. I contacted Digicert support who were very helpful. Turns out I’d forgotten to RTFM fully, and hadn’t included the chained certificate in the PEM file. I’ve now done that, so things should be better for Eudora/iPhone/Thunderbird/etc users that were having problems.
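The missing-intermediate failure described in the update above can be reproduced and checked with a throwaway PKI. This is an added example, not FastMail's or Digicert's procedure; it assumes the `openssl` command-line tool is installed, and every name in it (Demo Root CA, example.test, the file names) is constructed for the demo.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: demo root -> demo intermediate -> wildcard leaf.
# Every name below (Demo Root CA, example.test, file names) is made up for the demo.
set -eu
work=$(mktemp -d)
cd "$work"
trap 'rm -rf "$work"' EXIT

printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'subjectAltName=DNS:*.example.test,DNS:mail.example.test\n' > leaf.ext

new_csr() {   # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign() {      # $1 = subject prefix, $2 = issuer prefix, $3 = extension file
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
}

new_csr root 'Demo Root CA'
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
  -out root.pem 2>/dev/null
new_csr inter 'Demo Intermediate CA'
sign inter root ca.ext
new_csr leaf '*.example.test'
sign leaf inter leaf.ext

# What the server hands to clients: leaf first, then the intermediate(s).
cp leaf.pem served-leaf-only.pem                 # the mistake: intermediate left out
cat leaf.pem inter.pem > served-with-chain.pem   # the fix: chain included in the PEM file

certs_in() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Model a client that trusts only the root and builds the path from what the server sent.
client_accepts() {   # $1 = PEM file as served
  openssl verify -CAfile root.pem -untrusted "$1" "$1" >/dev/null 2>&1
}

for f in served-leaf-only.pem served-with-chain.pem; do
  if client_accepts "$f"; then r=accepted; else r=rejected; fi
  echo "$f: $(certs_in "$f") certificate(s), $r"
done
```

Clients that already have the intermediate cached or installed accept the leaf-only file, which is why this mistake tends to surface only on some mail clients and devices.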

Update: Unfortunately for Eudora users, it seems Eudora does not come with the required root certificate built in. This means Eudora users will still see an error message with the new certificate. Fortunately, it’s easy to fix this, just follow the directions here to add the list of trusted certificates in Eudora.
