This lead me to a working solution , however several things were different
1: my googlemail account is googlemail.com not gmail.com ... despite all the google entries saying I still connect to gmail.com , in fact I had to use googlemail.com as the server. Specifically:
openssl s_client -connect imap.googlemail.com:993 -showcerts > from-imap.googlemail.com
(note port no differs for imap)
NB you user id is full so "graeme.foobar@googlemail.com" (not graeme.foobar)
I had to download a whole series of certificates:
That line above gives me TWO certificates (both google, they have there own CA ... save cash :-) ) so I stored these in:
imap.googlemail.com.pem
and
Google-Internet-Authority.pem
The latter is signed by equifax, which you can see by doing:
openssl x509 -in Google-Internet-Authority.pem -text
Which says:
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
So I go to:
http://www.geotrust.com/resources/ro...tes/index.html
An dthe description there which matched in my case was:
http://www.geotrust.com/resources/ro..._Authority.cer
(I'm sure there must be a better way to find the correct root certificate ... not just it's description :-( )
I renamed this to .pem and reran c_rehash .
So the chain appears to be:
imap.googlemail.com is certified by google-Internet-Authority which
is in turn certified by Equifax Secure Certificate Authorit.