We obtained commercial certificates from Verisign. These do need an intermediate cert.
We followed the instructions and HTTPS is working fine. Firefox and IE list the certificate chain correctly - Verisign root, Verisign chain, and cert.
However, under Thunderbird, only the certificate is displayed, and of course we get the "Could not verify this certificate for unknown reasons".
The Java cacerts keystore seems to contain the Verisign root. The Tomcat keystore contains both the intermediate and the server's cert.
SMTP outbound TLS works fine. It's just IMAP. I tried both TLS and SSL but both give the same results.
Is IMAP using a different certificate? slapd.crt, smtpd.crt and perdition.crt only include the server cert. Should it include the intermediate?
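
Added example, not part of the original post: a Python check that reports how many certificates a PEM file such as slapd.crt or perdition.crt holds, and whether each certificate's issuer matches the subject of the next one in the file. It compares names only and verifies no signatures; the sample certificates and their names are constructed, unsigned skeletons.

```python
import base64, re, sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)         # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version comes before the serial
        _, _, end = read_tlv(cert, end)
    _, _, iss_start = read_tlv(cert, end)   # skip signature AlgorithmIdentifier
    _, _, iss_end = read_tlv(cert, iss_start)
    _, _, sub_start = read_tlv(cert, iss_end)   # skip validity
    _, _, sub_end = read_tlv(cert, sub_start)
    return cert[iss_start:iss_end], cert[sub_start:sub_end]

def describe_chain(pem_bytes):
    """Count the certs in a PEM bundle and check issuer -> next-subject ordering."""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_bytes)]
    linked = all(iss == nxt for (iss, _), (_, nxt) in zip(names, names[1:]))
    return {"count": len(names), "linked": linked,
            "ends_self_signed": bool(names) and names[-1][0] == names[-1][1]}

def tlv(tag, body):                         # short-form lengths only; enough for the sample
    return bytes([tag, len(body)]) + body

def sample_cert(issuer, subject):
    """Constructed, unsigned certificate skeleton with hypothetical names, as PEM."""
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject))
    body = base64.encodebytes(tlv(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    leaf = sample_cert("Example Intermediate CA", "mail.example.test")
    inter = sample_cert("Example Root CA", "Example Intermediate CA")
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else leaf + inter
    print(describe_chain(data))
```

A result of `count: 1` with `ends_self_signed: False` means the file carries only the server certificate, so a client can build the chain only if it already holds the issuing intermediate.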