-
Notifications
You must be signed in to change notification settings - Fork 179
Q1701
I am trying to set up an Exim server that uses a self-signed certificate to enable my clients to use TLS. However, clients other than Exim refuse to accept this certificate. What's wrong?
It seems that some clients require that the certificate presented by the server be a user (also called leaf or site ) certificate, and not a self-signed certificate. In this situation, the self-signed certificate must be installed on the client as a trusted root certification authority (CA), and the certificate used by the server must be a user certificate signed with that self-signed certificate. For information on creating self-signed CA certificates and using them to sign user certificates, see the General implementation overview chapter of the Open-source PKI book, available online at http://ospkibook.sourceforge.net/. Here is a quick overview. First, read this message: http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com Then, follow the instructions found on these two (consecutive) pages: http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm Two points on the PKI Book literature:
- It's assumed that it's okay to use a passphrase-protected key to encrypt the user/site/leaf certificate. If this isn't acceptable, you seem to be able to strip out the passphrase as follows:
openssl rsa -in user.key -our user.key.new
user.key.new
This should be done immediately after user.key is created.
- The sign.sh script is available in the mod_ssl distribution, available at http://www.modssl.org/source/.
Having followed the instructions, you end up with the following files: (a) ca.crt This file should be installed into the client software as a trusted root certification authority. In Windows XP, this can be done as follows:
Call the file ca_cert.cer br_ Double-click on the file br_ "Install Certificate"; br_ "Next" br_ "Place all certificates in the following store" br_ "Browse..." br_ "Trusted Root Certification Authorities" br_ "OK" br_ "Next" br_ "Finish" br_ "Yes" br_ "OK"
(b) user.crt and user.key These files should be installed into the server software. In Exim, this can be done by adding these lines to the configuration file:
tls_certificate = /usr/local/etc/exim/tls_cert
tls_privatekey = /usr/local/etc/exim/tls_key
Then install user.crt and user.key under the names tls_cert and tls_key in the appropriate directory.
- I am trying to set up an Exim server that uses a self-signed certificate
- How can I arrange for Exim to advertise support for SMTP authentication
- I have some legacy clients that don't use STARTTLS, but which expect to
- When my Outlook Express 6.0 client sends a STARTTLS command to begin a
- I have listed some hosts in
tls_try_verify_hosts
, but when they - I have listed some hosts in
tls_verify_hosts
and provided them with - I am trying to use TLS with Evolution as a client, and keep seeing this
- I trying to use TLS with Outlook as a client on a box that is running