confusion about setting up certificates

Craig White craigwhite at azapple.com
Mon Mar 21 12:27:40 EST 2005


On Mon, 2005-03-21 at 10:00 -0600, Jim Miller wrote:
> > > I would greatly appreciate any suggestions.
> > >
> > > Here's the process I followed to setup my certificates -- I didn't
> > > do -nodes:
> > > openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825
> > > openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM \
> > > 		-out tempreq.pem -outform PEM
> > > openssl rsa < tempkey.pem > cyrus_key.pem
> > > openssl ca -in tempreq.pem -out cyrus_crt.pem
> > >
> > > cat cyrus_key.pem cyrus_crt.pem cacert.pem > /var/lib/cyrus/cyrus.pem
> > >
> > > Set this in imapd.conf
> > > tls_ca_file: /var/lib/cyrus/cyrus.pem
> > > tls_cert_file: /var/lib/cyrus/cyrus.pem
> > > tls_key_file: /var/lib/cyrus/cyrus.pem
> > >
> > >
> > > I then distribute the cacert.pem as mailserver.crt and users import it
> > > into IE/Thunderbird w/out problem.
> > >
> > > Next I created a .p12 file from the cyrus_crt.pem for import into
> > > IE/Thunderbird again w/out problems.  Here's the process that I use to
> > > generate it.
> > > openssl pkcs12 -export -in cyrus_crt.pem -inkey cyrus_key.pem \
> > > -name "result of - openssl x509 -noout -in cyrus_crt.pem -subject | sed -e
> > > 's;.*CN=;;' -e 's;/Em.*;;'" \
> > > -cname "result of - openssl x509 -noout -in cacert.pem -subject | sed -e
> > > 's;.*CN=;;' -e 's;Em.*;;'" \
> > > -out mailserver.p12
> > >
> > -----
> > not arguing with anything that you've done but this is how I've gone
> > about it...
> >
> > openssl genrsa -des3 -out ca.key 2048
> > openssl req -config /usr/share/ssl/openssl.cnf -new -x509 \
> > -days 3650 -key ca.key -out ca.cert
> > openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -nodes \
> > -out /etc/ssl/cyrus-global.pem -keyout /etc/ssl/cyrus-global.pem \
> > -days 3650
> > openssl gendh 512 >> /etc/ssl/cyrus-global.pem
> > openssl x509 -in /etc/ssl/cyrus-global.pem -out /etc/ssl/cacert.crt
> >
> > Then I copy cacert.crt to a web server and let users 'INSTALL
> > CERTIFICATE' from this file (cacert.crt).
> >
> > and then in imapd.conf
> > tls_cert_file: /etc/ssl/cyrus-global.pem
> > tls_key_file: /etc/ssl/cyrus-global.pem
> > tls_ca_file: /etc/ssl/ca.cert
> >
> > I haven't a clue really what I am doing but it seems to work with the
> > only problem is that entries in subjectAltName don't seem to work for
> > Outlook clients. I probably need to generate specific certs for each cn
> > but haven't gotten around to that yet. YMMV
> >
> > ps - I used this info...
> > <http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/SSL-Certificates-HOWTO>
> >
> 
> Sorry for not responding sooner, I've been out of the office for a few days.
> 
> I appreciate your input Craig.  Are you saying you are able to use Outlook
> (OE, Outlook2000, Outlook 2003) with tls_require_certs: true and the
> certificates you're using?
> 
> What are the implications of the tls_require_certs?
> 
> I must say I'm rather confused as to why Thunderbird has no problems and
> Outlook does.
> 
> The problem seems to lie at the Server-to-Client handshake
> 4 8  0.3798 (0.0004)  S>C  Alert
>      level           fatal
>      value           handshake_failure
----
yes, I am saying that Outlook users can use the cert created in my
fashion. 

Outlook users are alerted that the cert is from an untrusted CA

I make the cacert.crl file available to users via http server

If they click on it with IE, they are offered the choice to 'save' or
'install' - if they 'install' they are presented with the 'Install
Certificate' wizard which, when completed, will satisfy the issue of
'untrusted CA'

If they 'save' it, they would have to then either add it manually from
Outlook -> Tools -> Options -> Security -> Digital IDs -> Add 
or do similar in Internet Explorer

Craig
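The two procedures quoted in this thread, as one scripted version added here for reference (it is not code from either poster). It assumes only the openssl command-line tool; every host name, subject and path is a placeholder. It differs from the posted commands in two ways that the thread touches on: the server certificate gets explicit subjectAltName entries for each name the IMAP server answers to (the entries Outlook is reported to ignore only matter if they are present and correct), and the result is checked the way a client would check it, including that the key in the bundle actually belongs to the certificate.

```shell
#!/bin/sh
# Added example, not code from either poster. Assumes only the openssl CLI.
# Builds a private CA, issues a server certificate that carries subjectAltName
# entries, assembles the single PEM file Cyrus reads, and verifies the result.
# All host names, subjects and paths are placeholders for this example.
set -eu

# Self-signed CA in directory $1. Both posters keep the CA key encrypted
# (Craig's -des3); -nodes is used here only so the script runs unattended.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=Example Mail CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.cert" 2>/dev/null
}

# Server key + CSR for CN $2, signed by the CA in $1 with the SAN list in $3
# (e.g. "DNS:mail.example.test,DNS:imap.example.test"). Clients match the
# name they connected to against these SAN entries, so every name the IMAP
# server answers to must appear here.
make_server_cert() {
    dir=$1; cn=$2; san=$3
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # v3 extensions for an end-entity TLS server certificate
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$san" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.cert" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# One file holding key and certificate, as both posters do; tls_cert_file and
# tls_key_file can then point at the same path. The CA cert stays separate
# for tls_ca_file and for handing out to users.
make_bundle() {
    dir=$1
    cat "$dir/server.key" "$dir/server.crt" > "$dir/cyrus.pem"
    chmod 600 "$dir/cyrus.pem"
}

# Checks a client would make: the cert chains to the CA, host $2 is covered
# by a SAN entry, and the key in the bundle matches the certificate.
# Returns 0 when all three hold, 1 otherwise.
verify_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.cert" -verify_hostname "$host" \
        "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null \
        | grep -q "DNS:$host" || return 1
    key_pub=$(openssl pkey -in "$dir/cyrus.pem" -pubout 2>/dev/null | openssl md5)
    crt_pub=$(openssl x509 -in "$dir/cyrus.pem" -noout -pubkey 2>/dev/null | openssl md5)
    [ "$key_pub" = "$crt_pub" ]
}

# Whole procedure in directory $1; returns verify_chain's status.
demo() {
    work=$1
    make_ca "$work"
    make_server_cert "$work" mail.example.test \
        "DNS:mail.example.test,DNS:imap.example.test"
    make_bundle "$work"
    verify_chain "$work" imap.example.test
}

# Usage: sh make_cyrus_certs.sh /some/empty/dir
if [ -n "${1:-}" ]; then
    demo "$1"
fi
```

The `-verify_hostname` check is the same match a mail client performs after the handshake, so running it against each name users type into their client catches the case the thread describes (a name missing from the certificate) before the server goes live; the `ca.cert` produced here is the file to publish for the 'Install Certificate' step, while `ca.key` never leaves the machine that signs.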

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus mailing list