How to make cerificate for client installation?

lkolchin at lkolchin at
Mon Oct 10 07:40:59 EDT 2005

Thanks for your reply.

I've found this on

"Create a PKCS#7 format of the Root CA's public certificate:

This will allow clients to easily import it into their their PKI storage places, such as Outlook Express and Netscape.

cd /usr/local/
openssl crl2pkcs7 -nocrl -certfile ca.crt -outform DER -out ca.pkcs7

ca.pkcs7 will only contain the public portion of the CA's certificate, so you can email it to whomever with instructions on how to import it, put it up for download, or whatever."

I used this syntax,
but it seems that I can't import it into Outlook Express certificates (I get 'success' message but no such certificate created).

Any help?

Leon Kolchinsky 

-----Original Message-----
From: info-cyrus-bounces at [mailto:info-cyrus-bounces at] On Behalf Of Cristian Mitrana
Sent: Monday, October 10, 2005 11:54 AM
To: info-cyrus at
Subject: Re: How to make cerificate for client installation?

* lkolchin at <lkolchin at> [10-10-05 10:46]:
> Hello All,
> I'm using SMTP-AUTH with TLS wrapper with Self Signed Certificate on my system.
> I want users to be able to install certificate on their computer (on OE or another mail-client) and not press "Yes" on the nag screen on every login.
> How can I do it so client certificate only contain the public portion of the certificate (so it is secure to publish this certificate on the net)?
  This depends on the client used and it's highly specific. And has nothing to do with cyrus.

> Background Info:
> This is how I've created certificates:
> # openssl req -new -x509 -sha1 -extensions v3_ca -nodes -days 999 -out 
> cert.pem # ls .  ..  cert.pem  privkey.pem # cat privkey.pem cert.pem 
> > /etc/ssl/certs/cert.pem # mv -f privkey.pem /etc/ssl/certs/skey.pem 
> # chown cyrus:mail /etc/ssl/certs/cert.pem # chmod 600 
> /etc/ssl/certs/cert.pem

 It is enough to provide the client with the certificate and import it into it's trust database (as I said, depends on the application).
Depending on the application you might want to convert it to DER (with openssl x509 -in ... -out cert.der -outform der ).
 The private part is the privkey.pem and that you should keep safe.

 For windows (OE) you have to use the mmc program, TB has a special  settings tab which lets you import in PEM format, I don't know about  other clients on windows.

Cyrus Home Page: Cyrus Wiki/FAQ: List Archives/Info:

More information about the Info-cyrus mailing list