Mozilla SSL root certificates

[Ian Zimmerman]

Hi, this is something that has bothered me for a while.  How can the
root CA certificates that come with mozilla PSM be converted/exported
to a format that is usable with openssl?  

Background. I want to use fetchmail-ssl with SSL encrypted IMAP (port
993) and verify the server certificate against man-in-the-middle.  But
the server certificate is chained to the Verisign/RSA root, and
Verisign doesn't seem to provide any way to download the root (at
least I haven't found any during my interminable journey through their
$$$ oriented Web maze).  Mozilla has all the roots built in, but not
in the DER or PEM formats that openssl groks; in fact the mozilla
roots are linked into libnssckbi.so as C structures, it seems.

I downloaded the mozilla source (really!) and determined that the bits
of the roots originate in the file certdata.txt.  But even this file's
format is a far cry from something that can be fed into openssl.  Can
somebody give me a hint how to convert it?  I am not familiar with
DER; I guess a reference to the definition of DER would be enough to
make me grateful (though not yet happy :)

Thanks,

-- 
Ian Zimmerman, Oakland, California, U.S.A.
Hypocrisy, arrogance and manipulation: sure-fire ways to earn hatred.
GPG pub key: 433BA087 9C0F 194F 203A 63F7 B1B8 6E5A 8CA3 27DB 433B A087