4.6. Installing a New SSL Certificate
Problem
You have a certificate that your SSL clients (mutt, openssl, etc.) cannot verify. It was issued by a Certifying Authority (CA) not included in your installed list of trusted issuers.
Solution
Add the CA’s root certificate to the list, together with any other intermediate certificates you may need. First, ensure the certificates are in PEM format. [Recipe 4.10] A PEM format file looks like this:
-----BEGIN CERTIFICATE-----
MIID+DCCAuCgAwIBAgIRANAeQJAAACdLAAAAAQAAAAQwDQYJKoZIhvcNAQEFBQAw
gYwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQHEw5TYWx0IExh
...
wo3CbezcE9NGxXl8
-----END CERTIFICATE-----
Then for Red Hat, simply add it to the file /usr/share/ssl/cert.pem.
Note that only the base64-encoded data between the BEGIN CERTIFICATE and END CERTIFICATE lines is needed. Everything else is ignored. The existing file includes a textual description of each certificate as well, which you can generate [Recipe 4.5] and include if you like.
For SuSE, supposing your CA certificate is in newca.pem, run:
# cp newca.pem /usr/share/ssl/certs
# /usr/bin/c_rehash
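The Red Hat variant of this recipe is a plain append to cert.pem, and the recipe notes that everything outside the BEGIN/END markers is ignored. The following added example (not from the book) shows what a careful append looks like: it pulls the base64 body out of each block exactly as the note describes, rejects a paste that is not valid base64 or does not decode to a DER SEQUENCE (the outer tag of every X.509 certificate), and refuses to add a certificate that the bundle already contains. The certificate bodies used as sample input are constructed stand-ins (tiny ASN.1 SEQUENCEs, not real certificates), and all function names are this example's own.

```python
"""Append a PEM certificate to a single-file bundle such as Red Hat's
/usr/share/ssl/cert.pem, keeping only well-formed, non-duplicate entries.
Added example; the certificate bodies below are constructed, not real."""
import base64
import binascii
import re
from typing import List

# One PEM certificate block; the body is whatever sits between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(body: str) -> bytes:
    """Decode the base64 body of one block, ignoring line breaks and spaces."""
    compact = "".join(body.split())
    return base64.b64decode(compact, validate=True)


def extract_der_certs(bundle_text: str) -> List[bytes]:
    """DER bytes for every certificate block in a bundle. Text outside the
    BEGIN/END markers (the textual descriptions) is ignored, as OpenSSL does."""
    return [pem_to_der(body) for body in PEM_BLOCK.findall(bundle_text)]


def looks_like_der_cert(der: bytes) -> bool:
    """Cheap sanity check: a DER X.509 certificate is an ASN.1 SEQUENCE (tag 0x30)."""
    return len(der) >= 2 and der[0] == 0x30


def make_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def reject_reason(bundle_text: str, new_pem: str) -> str:
    """Empty string if new_pem may be appended to the bundle, otherwise why not."""
    blocks = PEM_BLOCK.findall(new_pem)
    if len(blocks) != 1:
        return "expected exactly one CERTIFICATE block"
    try:
        der = pem_to_der(blocks[0])
    except (binascii.Error, ValueError):
        return "body is not valid base64"
    if not looks_like_der_cert(der):
        return "body does not decode to a DER SEQUENCE"
    if der in extract_der_certs(bundle_text):
        return "certificate already present in bundle"
    return ""


def append_to_bundle(bundle_text: str, new_pem: str) -> str:
    """Return the bundle with new_pem appended, or raise ValueError."""
    reason = reject_reason(bundle_text, new_pem)
    if reason:
        raise ValueError(reason)
    der = pem_to_der(PEM_BLOCK.findall(new_pem)[0])
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + make_pem(der)


# Constructed stand-ins for real certificates: minimal ASN.1 SEQUENCEs.
CERT_A_DER = b"\x30\x03\x02\x01\x01"
CERT_B_DER = b"\x30\x03\x02\x01\x02"
# A bundle in the Red Hat style: a textual description followed by the PEM block.
SAMPLE_BUNDLE = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"  # ignored by the parser
    + make_pem(CERT_A_DER)
)

if __name__ == "__main__":
    updated = append_to_bundle(SAMPLE_BUNDLE, make_pem(CERT_B_DER))
    print(f"bundle now holds {len(extract_der_certs(updated))} certificate(s)")
    print("duplicate:", reject_reason(updated, make_pem(CERT_A_DER)))
```

To use it against a real file, read cert.pem into `bundle_text`, pass the contents of newca.pem as `new_pem`, and write the returned text back (ideally to a temporary file first, then rename). The SEQUENCE check is deliberately shallow: it catches a truncated or mis-pasted body, not a certificate with wrong contents; verifying who issued it is still your job before it goes into the trust list.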
Discussion
Red Hat keeps certificates in a single file, whereas SuSE keeps them in a directory with a particular structure, a sort of hash table implemented using symbolic links. You can also use the hashed-directory approach with Red Hat if you like, since it includes the c_rehash program.
Many programs have their own certificate storage and do not use this system-wide list. Netscape and Mozilla ...