How to manually verify the certificates used by:

    pop.gmail.com
    imap.gmail.com
    smtp.gmail.com

If your e-mail program complains.

First of all, here are some fingerprints I've seen recently (mostly here to make this page findable; you can't use them for verification because my server isn't using HTTPS and you don't trust me :P):

for imap.gmail.com:
    MD5:  41:BE:CF:CE:07:70:F0:FA:EA:53:C8:FC:CB:92:5C:38
    SHA1: DB:7F:2D:F4:8F:9E:94:50:3A:84:97:AE:41:73:12:A3:A5:87:5F:96

Now, how to check that:

    openssl s_client -connect imap.gmail.com:993

This will spew out a bunch of text, including the certificate. Put the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including those lines) in cert.pem. (You'll also note that openssl says "verify error:num=20:unable to get local issuer certificate" at the top. This is the failure to verify the cert.)

Now do this:

    openssl x509 -in cert.pem -text

Under "Authority Information Access:", you'll have something like:

    Authority Information Access:
        CA Issuers - URI:http://pki.google.com/GIAG2.crt

That's the URL of the certificate that signed this one. Download it over HTTPS. This should work, i.e. the certificate of the HTTPS server on pki.google.com should validate, which means you've now got a trusted copy of GIAG2.crt.

So, now you have GIAG2.crt, which you trust, and cert.pem, which you're not sure about. One more intermediate step: GIAG2.crt is in a binary format, apparently called DER. openssl can convert it to PEM:

    openssl x509 -inform DER -outform PEM -in GIAG2.crt -out GIAG2.pem

Now you can verify it:

    openssl verify -CAfile GIAG2.pem cert.pem

...which hopefully comes back with:

    cert.pem: OK

But... is this the same certificate that your mail program presented you with?

    openssl x509 -in cert.pem -fingerprint

(or, if you need to check the MD5 fingerprint:

    openssl x509 -in cert.pem -fingerprint -md5
)
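The whole procedure above, as an added example that is not part of the original page: it builds a throwaway issuer and leaf certificate (the names "Example Test CA" and "imap.example.test" are made up) so the extract / convert / verify / fingerprint steps run offline with only the openssl CLI, and it notes what openssl verify does not check.

```shell
#!/bin/sh
# Added example, not from the original page. Needs the openssl CLI.
# cert.pem and GIAG2.crt are the page's file names; the CA and host
# names are constructed stand-ins, not Google's.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed issuer (stands in for the GIAG2 intermediate) and a leaf
# certificate it signs for the host the mail client would connect to.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out leaf.pem 2>/dev/null
# The issuer downloaded from the AIA URL is DER; produce the same shape.
openssl x509 -in ca.pem -outform DER -out GIAG2.crt

# Constructed stand-in for "openssl s_client -connect host:993" output:
# the PEM block wrapped in the banner lines the real tool prints.
{ echo "CONNECTED(00000003)"
  echo "verify error:num=20:unable to get local issuer certificate"
  cat leaf.pem; echo "---"; echo "No client certificate CA names sent"; } > s_client.txt

# Step 1: cut everything from the BEGIN line to the END line into cert.pem.
extract_cert() { sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"; }
extract_cert s_client.txt > cert.pem

# Step 2: DER -> PEM for the issuer, then verify the leaf against it.
# Caveat: -CAfile makes GIAG2.pem a trust anchor, so this proves only that
# the leaf was signed by that issuer; trust in the issuer itself comes from
# the HTTPS download, and no host name is checked here.
verify_leaf() {
    openssl x509 -inform DER -outform PEM -in GIAG2.crt -out GIAG2.pem
    openssl verify -CAfile GIAG2.pem cert.pem
}

# Step 3: fingerprint in the colon-separated form mail clients display.
# openssl hashes the DER bytes, so PEM and DER give the same fingerprint.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -"$2" | cut -d= -f2; }

# Hex of the raw DER, for cross-checking the fingerprint by hand.
der_digest() { openssl x509 -in "$1" -outform DER | openssl dgst -"$2" -r | cut -d' ' -f1; }

verify_leaf                      # expect "cert.pem: OK"
fingerprint cert.pem sha1
fingerprint cert.pem md5
openssl x509 -in cert.pem -noout -subject   # compare CN/SAN with the host you dialled
```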