As a new DH user, it seems there are an awful lot of self-signed certs and generic certs in use, including webmail.dreamhost.com, mailboxes.dreamhost.com, *.mail.dreamhost.com, and others… it would be almost as easy, and produce far fewer warnings and errors on web browsers and email clients (e.g., the Thunderbird wiki page has a section on ignoring this error!), to simply have a DreamHost CA cert and sign all of these other certs with that one. Then we could simply trust the DreamHost CA cert and the rest of the problems would go away. This is the way these certs are supposed to work in the first place. It’s fine not to pay to register the CA or get the certs signed by a for-pay CA like Verisign, but at least follow the model.
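The model the post describes, as an added example that is not part of the original post or anything DreamHost publishes: one private CA signs each host certificate, and a client that trusts only that CA certificate accepts the signed host and rejects a self-signed one. The CA name and the `*.example.test` hostnames are constructed placeholders, and the script assumes the OpenSSL 1.1.1 or later command-line tool.

```shell
#!/bin/sh
# Added illustration. Constructed names: "Example Hosting Internal CA" and the
# *.example.test hosts are placeholders, not DreamHost's real CA or servers.

issue_ca() {            # $1 = work dir; creates ca.key / ca.crt (the one trust anchor)
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Hosting Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_leaf() {          # $1 = work dir, $2 = hostname; server cert signed by the CA
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 397 -sha256 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

issue_self_signed() {   # $1 = work dir, $2 = hostname; the per-host self-signed case
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 397 -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

trusted_by_ca() {       # exit 0 only if $2's cert chains to ca.crt and names $2
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_hostname "$2" \
    "$1/$2.crt" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && issue_ca "$d" || return 1
  issue_leaf "$d" webmail.example.test
  issue_self_signed "$d" mailboxes.example.test
  for h in webmail.example.test mailboxes.example.test; do
    if trusted_by_ca "$d" "$h"; then echo "$h: trusted via CA"; else echo "$h: NOT trusted"; fi
  done
  rm -rf "$d"
}
demo
```

Clients import only `ca.crt`; `ca.key` stays offline, since anyone holding it can mint certificates those clients will accept.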