NDN Certificate

From DreamHost
Jump to: navigation, search

As of May 2013 the NDN Certificate is no longer used for secure IMAP or POP email ([1], [2]). As of June 2013 the NDN Certificate is no longer used for secure SMTP ([3]).

We have created a Secure SSL certificate for you to install into your system and programs that will allow your system to trust the certificates that we create. It is issued by DreamHost’s very own “New Dream Network Certificate Authority”, hereafter the NDN CA, because we love acronyms!


Download the certificate here (Make sure to right click and select "save link as"). You will now have a .crt file.



Ndncert 02.png

Firefox and Thunderbird share the same certificate store. Changes in one will affect the other.

  1. Open Firefox or Thunderbird, then click on Firefox > Options (Firefox) or Tools > Options (Thunderbird)
  2. Then Select the Advanced Tab, select the Encryption (Firefox) or the Certificates (Thunderbird) tab and then click on View Certificates
    Ndncert 07.png
  3. You will then need to click on the Authorities tab and click Import. Find that cert you saved, and hit OK! When it will ask you what you want to trust the cert for, check everything except code signing one.
    Ndncert 08.png
  4. ALL-IMPORTANT: In about:config (Firefox) or Tools > Advanced > General > Config Editor (Thunderbird), enable security.enable_md5_signatures.

Internet Explorer/Windows

Ndncert 03.png

When you import the certificate into Internet Explorer it does it for Windows as a whole, and thus anything which hooks in to that uses it. (The entire office suite, for example.)

  1. Open up Internet Explorer and click on Tools > Internet Options
    Ndncert 09.png
  2. Click on the Content tab and select Certificates...
    Ndncert 10.png
  3. You must pick Trusted Root Authorities then on Import and go through the prompt and choose the NDN Cert you downloaded earlier.
    Ndncert 11.png


Ndncert 12.png

  1. The certificate will download as a text (.txt) file. Find it and change the file extension to .crt
  2. Open Keychain Access, this is in your Appplications -> Utilities folder.
    Ndncert 13.png
  3. Select File->Import, Select the cert and X509Anchors, click OK. When prompted, enter your password.
    Ndncert 14.png


  1. Click Tools > Options
    Opera cert 1.png
  2. Click the Advanced tab.
    Opera cert 2.png
  3. Click Security from the left-hand menu and then hit the Manage certificates button.
    Opera cert 3.png
  4. Click the Authorities tab and then the Import button. Follow the instructions to import the certificate.
    Opera cert 4.png
  5. When prompted with the Install authority certificate dialog, click the View button.
    Opera cert 5.png
  6. Uncheck the Warn me before using this certificate checkbox and press OK to close all dialogs and save the settings.
    Opera cert 6.png

Email Domain Mismatch

See Certificate Domain Mismatch Error.


This is taken from This DreamHost Status Post, but to get it all in one place, here it is.

Why don’t these instructions work for Apple Mail?

For Apple Mail follow these instructions: http://wiki.dreamhost.com/Mac_OS_X_Mail_10.4#Instructions

Why not get a REAL certificate signed by someone widely trusted?

As of May 2013 Dreamhost has a certificate signed by USERTRUST (Comodo) which is used for POP and IMAP email connections.

Do I have to install the NDN CA certificate?

No! Just click to accept the *.mail.dreamhost.com certificate permanently and it shouldn’t bother you until we renew or change the certificate. Installing the CA certificate would allow us to renew the certificate transparently.

Technical notes

To get all geeky on you, the certificate is an X.509 certificate, in the Privacy Enhanced Mail (that’s PEM) format. Well, it’s not quite an X.509 certificate, but it’s an acceptable imitation!

Not quite standards compliant

The certificate is installed, now, however some astute readers have alerted me to the fact that this new certificate isn’t actually X.509 specification compliant. We’re going to stick with it, since it does help a subset of our users, and will consider some alternatives for the future!

See also