OT: Cyrus-imap openssl and Outlook

Kevin Williams kwilliams at tarity.com
Tue Sep 21 16:14:42 EDT 2004


On Tue, 2004-09-21 at 12:12, James Miller wrote:
> I'm having a tuff time with Outlook 2000 and openssl.  Here's my situation:
> I have cyrus-imapd 2.2.8 w/TLS enabled.  Basically I create my CA:
> openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days
> 3650 -config ./openssl.cnf


> When I start Outlook and open up the imap mailbox I get the following
> message:
> "The server you are connected to is using a security certificate that could
> not be verified.
> 0x800b010f
> Do you want to continue using this server?
> Y/N"
> The 0x800b010f error seems to indicate that the common name in the server
> cert is not identical to the hostname but I'm sure that it is
> (commonName_default	= mailbox.simutronics.com -- which is the FQDN of the
> server)
> Anyway, I choose yes and the imap mailbox opens fine, but, I would like to
> get rid of the annoying message and have Outlook trust the cert.  I have no
> problems importing both the RootCA cert and the server cert as trusted root
> certificates but Outlook still complains:

How did you import the cert for trust purposes?

> openssl x509 -in cacert.pem -out cacert.crt
> openssl x509 -in cyrus.pem -out cyrus.crt
> I've even tried creating the RootCA and Server certs with the same CN values
> (" mailbox.simutronics.com") and with different CN values (RootCA CN
> "Mailbox Certificate Authority" -- Server cert CN
> "mailbox.simutronics.com").  If there's any other info I can provide to help
> figure this out please let me know -- I've attached my openssl.cnf, RootCA
> and server cert as zip attachment if anyone cares to take a look.

I might be guessing at the wrong problem here, but I'm pretty sure your
issue has nothing to do with signing the certificate.  When creating
your own certificate (or CA), you will always get this pop up from
Outlook (or Evolution).  This is because you created it.  I believe it's
complaining that you (as a company) aren't trusted.  

There are two ways around this:
1.  Buy a certificate from a TRUSTED authority, typically from Verisign
or Thawte (Thawte is offering one at $159 I believe).

2. (haven't tried this but am told it works) Go into Internet Explorer,
and in the properties for certificates you can add your company as

Hope this helps,

Kevin Williams

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

More information about the Info-cyrus mailing list