How to make certificate for client installation?

Simon Matter simon.matter at ch.sauter-bc.com
Mon Oct 10 09:03:36 EDT 2005


> Hi,
> Thanks for your reply.
>
> I've found this on http://www.nyetwork.org/wiki/ssl_root_ca_new
>
> "Create a PKCS#7 format of the Root CA's public certificate:
>
> This will allow clients to easily import it into their PKI storage
> places, such as Outlook Express and Netscape.
>
> cd /usr/local/ssl.ca
> openssl crl2pkcs7 -nocrl -certfile ca.crt -outform DER -out ca.pkcs7
>
> ca.pkcs7 will only contain the public portion of the CA's certificate, so
> you can email it to whomever with instructions on how to import it, put it
> up for download, or whatever."
>
> I used this syntax,
> but it seems that I can't import it into Outlook Express certificates (I
> get 'success' message but no such certificate created).
>
> Any help?

Hi Leon,

this is how I created a pfx file for Outlook users:
cat cyrus-imapd.pem postfix.pem slapd.pem webmail.pem > infile.pem
openssl pkcs12 -in infile.pem -certfile infile.pem -export -out outfile.pfx

The pfx file can then be imported and I've been told it works.

Regards,
Simon

>
> Regards,
> Leon Kolchinsky
>
> -----Original Message-----
> From: info-cyrus-bounces at lists.andrew.cmu.edu
> [mailto:info-cyrus-bounces at lists.andrew.cmu.edu] On Behalf Of Cristian
> Mitrana
> Sent: Monday, October 10, 2005 11:54 AM
> To: info-cyrus at lists.andrew.cmu.edu
> Subject: Re: How to make certificate for client installation?
>
> * lkolchin at univ.haifa.ac.il <lkolchin at univ.haifa.ac.il> [10-10-05 10:46]:
>
>> Hello All,
>>
>> I'm using SMTP-AUTH with TLS wrapper with Self Signed Certificate on my
>> system.
>>
>> I want users to be able to install certificate on their computer (on OE
>> or another mail-client) and not press "Yes" on the nag screen on every
>> login.
>> How can I do it so the client certificate only contains the public
>> portion of the certificate (so it is secure to publish this certificate
>> on the net)?
>
>   This depends on the client used and it's highly specific. And has
> nothing to do with cyrus.
>
>> Background Info:
>> This is how I've created certificates:
>> # openssl req -new -x509 -sha1 -extensions v3_ca -nodes -days 999 -out cert.pem
>> # ls
>> .  ..  cert.pem  privkey.pem
>> # cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem
>> # mv -f privkey.pem /etc/ssl/certs/skey.pem
>> # chown cyrus:mail /etc/ssl/certs/cert.pem
>> # chmod 600 /etc/ssl/certs/cert.pem
>
>
>  It is enough to provide the client with the certificate and import it
> into its trust database (as I said, depends on the application).
> Depending on the application you might want to convert it to DER (with
> openssl x509 -in ... -out cert.der -outform der ).
>  The private part is the privkey.pem and that you should keep safe.
>
>  For Windows (OE) you have to use the mmc program, TB has a special
> settings tab which lets you import in PEM format, I don't know about
> other clients on Windows.
>
>  mitu
>
> ----
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
>
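
Added example (not part of the original thread and not any poster's own commands): a shell sketch of the certificate-only export discussed in the quoted replies, for a server file that holds both key and certificate, as produced by the `cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem` step. The function names, output file names and the constructed test certificate for `mail.example.test` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function and file names are hypothetical.

# True (exit 0) if the file holds any PEM private key block.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# export_public_cert COMBINED_PEM OUT_PREFIX
# Writes OUT_PREFIX.crt (PEM) and OUT_PREFIX.der (DER) holding the certificate only.
export_public_cert() {
    src=$1
    out=$2
    # openssl x509 emits just the first certificate found in the input file.
    openssl x509 -in "$src" -out "$out.crt" -outform PEM || return 1
    openssl x509 -in "$out.crt" -out "$out.der" -outform DER || return 1
    # Refuse to leave anything publishable that still carries key material.
    if has_private_key "$out.crt"; then
        rm -f "$out.crt" "$out.der"
        return 1
    fi
    # Both encodings must describe the same certificate.
    fp_pem=$(openssl x509 -in "$out.crt" -noout -fingerprint -sha256) || return 1
    fp_der=$(openssl x509 -in "$out.der" -inform DER -noout -fingerprint -sha256) || return 1
    [ "$fp_pem" = "$fp_der" ]
}

# demo: builds a constructed self-signed certificate in a temp dir and exports it.
# Prints the temp dir so the resulting files can be inspected.
demo() {
    dir=$(mktemp -d) || return 1
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # Same layout as the combined server file: key first, then certificate.
    cat "$dir/privkey.pem" "$dir/cert.pem" > "$dir/combined.pem"
    export_public_cert "$dir/combined.pem" "$dir/mailserver" || return 1
    echo "$dir"
}
```

Running `demo` leaves `mailserver.crt` and `mailserver.der` in the printed directory; comparing the printed SHA-256 fingerprint out of band lets a user confirm the file they import is the one the server presents.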
