OT: Cyrus-imap openssl and Outlook

Simon Matter simon.matter at ch.sauter-bc.com
Tue Sep 21 16:44:39 EDT 2004


> Jim,
>
> On Tue, 2004-09-21 at 12:12, James Miller wrote:
>> I'm having a tough time with Outlook 2000 and openssl.  Here's my
>> situation:
>> I have cyrus-imapd 2.2.8 w/TLS enabled.  Basically I create my CA:
>> openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days
>> 3650 -config ./openssl.cnf
>
> <snip>
>
>> When I start Outlook and open up the imap mailbox I get the following
>> message:
>> "The server you are connected to is using a security certificate that
>> could not be verified.
>> 0x800b010f
>> Do you want to continue using this server?
>> Y/N"
>>
>> The 0x800b010f error seems to indicate that the common name in the
>> server cert is not identical to the hostname but I'm sure that it is
>> (commonName_default = mailbox.simutronics.com -- which is the FQDN of
>> the server)
>>
>> Anyway, I choose yes and the imap mailbox opens fine, but, I would like
>> to get rid of the annoying message and have Outlook trust the cert.  I
>> have no problems importing both the RootCA cert and the server cert as
>> trusted root certificates but Outlook still complains:
>
> How did you import the cert for trust purposes?
>
>> openssl x509 -in cacert.pem -out cacert.crt
>> openssl x509 -in cyrus.pem -out cyrus.crt
>>
>> I've even tried creating the RootCA and Server certs with the same CN
>> values (" mailbox.simutronics.com") and with different CN values (RootCA
>> CN "Mailbox Certificate Authority" -- Server cert CN
>> "mailbox.simutronics.com").  If there's any other info I can provide to
>> help figure this out please let me know -- I've attached my openssl.cnf,
>> RootCA and server cert as zip attachment if anyone cares to take a look.
>
>
> I might be guessing at the wrong problem here, but I'm pretty sure your
> issue has nothing to do with signing the certificate.  When creating
> your own certificate (or CA), you will always get this pop up from
> Outlook (or Evolution).  This is because you created it.  I believe it's
> complaining that you (as a company) aren't trusted.
>
> There are two ways around this:
> 1.  Buy a certificate from a TRUSTED authority, typically from Verisign
> or Thawte (Thawte is offering one at $159 I believe).
>
> 2. (haven't tried this but am told it works) Go into Internet Explorer,
> and in the properties for certificates you can add your company as
> trusted.

You can create a pfx file which can then be installed by pointing Internet
Exploder to it. This way every user can do it himself/herself. Create the
pfx file with something like this:

cat file1.pem file2.pem file3.pem > infile.pem
openssl pkcs12 -in infile.pem -certfile infile.pem -export -out outfile.pfx

Simon


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
