How to make certificate for client installation?

Simon Matter simon.matter at
Mon Oct 10 09:03:36 EDT 2005

> Hi,
> Thanks for your reply.
> I've found this on
> "Create a PKCS#7 format of the Root CA's public certificate:
> This will allow clients to easily import it into their PKI storage
> places, such as Outlook Express and Netscape.
> cd /usr/local/
> openssl crl2pkcs7 -nocrl -certfile ca.crt -outform DER -out ca.pkcs7
> ca.pkcs7 will only contain the public portion of the CA's certificate, so
> you can email it to whomever with instructions on how to import it, put it
> up for download, or whatever."
> I used this syntax,
> but it seems that I can't import it into Outlook Express certificates (I
> get 'success' message but no such certificate created).
> Any help?

Hi Leon,

this is how I created a pfx file for Outlook users:
cat cyrus-imapd.pem postfix.pem slapd.pem webmail.pem > infile.pem
openssl pkcs12 -in infile.pem -certfile infile.pem -export -out outfile.pfx

The pfx file can then be imported and I've been told it works.


> Regards,
> Leon Kolchinsky
> -----Original Message-----
> From: info-cyrus-bounces at
> [mailto:info-cyrus-bounces at] On Behalf Of Cristian
> Mitrana
> Sent: Monday, October 10, 2005 11:54 AM
> To: info-cyrus at
> Subject: Re: How to make certificate for client installation?
> * lkolchin at <lkolchin at> [10-10-05 10:46]:
>> Hello All,
>> I'm using SMTP-AUTH with TLS wrapper with Self Signed Certificate on my
>> system.
>> I want users to be able to install certificate on their computer (on OE
>> or another mail-client) and not press "Yes" on the nag screen on every
>> login.
>> How can I do it so the client certificate only contains the public portion of
>> the certificate (so it is secure to publish this certificate on the
>> net)?
>   This depends on the client used and it's highly specific. And has
> nothing to do with cyrus.
>> Background Info:
>> This is how I've created certificates:
>> # openssl req -new -x509 -sha1 -extensions v3_ca -nodes -days 999 -out cert.pem
>> # ls
>> .  ..  cert.pem  privkey.pem
>> # cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem
>> # mv -f privkey.pem /etc/ssl/certs/skey.pem
>> # chown cyrus:mail /etc/ssl/certs/cert.pem
>> # chmod 600 /etc/ssl/certs/cert.pem
>  It is enough to provide the client with the certificate and import it
> into its trust database (as I said, depends on the application).
> Depending on the application you might want to convert it to DER (with
> openssl x509 -in ... -out cert.der -outform der ).
>  The private part is the privkey.pem and that you should keep safe.
>  For Windows (OE) you have to use the mmc program, TB has a special
> settings tab which lets you import in PEM format, I don't know about
> other clients on Windows.
>  mitu
> ----
> Cyrus Home Page: Cyrus Wiki/FAQ:
> List Archives/Info:
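
An added example, not part of the original thread: the server file built in the background info with `cat privkey.pem cert.pem` holds both the private key and the certificate, so the functions below copy out only the CERTIFICATE blocks and treat a file as publishable only when no PEM private-key block is left in it. The function names, file names and the placeholder PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# has_private_key FILE: exit 0 if FILE contains any PEM private-key block
has_private_key() {
    grep -Eq -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"
}

# extract_public_certs IN OUT: write only the CERTIFICATE blocks of IN to OUT
extract_public_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { keep = 1 }
        keep                           { print }
        /^-----END CERTIFICATE-----/   { keep = 0 }
    ' "$1" > "$2"
}

# count_certs FILE: print the number of CERTIFICATE blocks in FILE
count_certs() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1"
}

# publishable FILE: exit 0 only if FILE has at least one cert and no private key
publishable() {
    [ "$(count_certs "$1")" -ge 1 ] && ! has_private_key "$1"
}

# Constructed sample with placeholder bodies (not real key material), laid out
# like the combined file produced by `cat privkey.pem cert.pem`.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItS0VZ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVA==
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp/combined.pem"
extract_public_certs "$tmp/combined.pem" "$tmp/ca-public.pem"
publishable "$tmp/ca-public.pem" && echo "ca-public.pem: certificate only"
publishable "$tmp/combined.pem" || echo "combined.pem: has a private key, do not publish"
rm -rf "$tmp"
```

The certificate-only file is the one to convert for clients, for instance with the `openssl x509 ... -outform der` command mentioned in the thread.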

More information about the Info-cyrus mailing list