How to make certificate for client installation?

lkolchin at lkolchin at
Tue Oct 11 04:37:34 EDT 2005

Hi Simon,

Your method is working, but this way you are also sending the private key, and I believe it's insecure.
I've found the 'easy way' of installing the certificate:
There is an easy solution to avoid clicking 'yes' every time:
1. Close Outlook.
2. Open up Internet Explorer, go to, this should be the same server name you entered as the mail server, and the same name the certificate has been generated under.
3. You will be challenged about the validity of the secure certificate in the same manner as with Outlook.
4. Click view certificate, add certificate, automatic; it should now be added to the root certificate store.
5. Go back to Outlook, open up, away you go without any future warnings.

Best Regards,
Leon Kolchinsky

-----Original Message-----
From: Simon Matter [mailto:simon.matter at] 
Sent: Monday, October 10, 2005 3:04 PM
To: לאון קולצ'ינסקי
Cc: cristian.mitrana at; info-cyrus at
Subject: RE: How to make certificate for client installation?

> Hi,
> Thanks for your reply.
> I've found this on
> "Create a PKCS#7 format of the Root CA's public certificate:
> This will allow clients to easily import it into their their PKI 
> storage places, such as Outlook Express and Netscape.
> cd /usr/local/
> openssl crl2pkcs7 -nocrl -certfile ca.crt -outform DER -out ca.pkcs7
> ca.pkcs7 will only contain the public portion of the CA's certificate, 
> so you can email it to whomever with instructions on how to import it, 
> put it up for download, or whatever."
> I used this syntax,
> but it seems that I can't import it into Outlook Express certificates 
> (I get 'success' message but no such certificate created).
> Any help?

Hi Leon,

this is how I created a pfx file for Outlook users:
cat cyrus-imapd.pem postfix.pem slapd.pem webmail.pem > infile.pem
openssl pkcs12 -in infile.pem -certfile infile.pem -export -out outfile.pfx

The pfx file can then be imported and I've been told it works.


> Regards,
> Leon Kolchinsky
> -----Original Message-----
> From: info-cyrus-bounces at
> [mailto:info-cyrus-bounces at] On Behalf Of Cristian 
> Mitrana
> Sent: Monday, October 10, 2005 11:54 AM
> To: info-cyrus at
> Subject: Re: How to make certificate for client installation?
> * lkolchin at <lkolchin at> [10-10-05 10:46]:
>> Hello All,
>> I'm using SMTP-AUTH with TLS wrapper with Self Signed Certificate on 
>> my system.
>> I want users to be able to install certificate on their computer (on 
>> OE or another mail-client) and not press "Yes" on the nag screen on 
>> every login.
>> How can I do it so client certificate only contain the public portion 
>> of the certificate (so it is secure to publish this certificate on 
>> the net)?
>   This depends on the client used and it's highly specific. And has 
> nothing to do with cyrus.
>> Background Info:
>> This is how I've created certificates:
>> # openssl req -new -x509 -sha1 -extensions v3_ca -nodes -days 999 -out cert.pem
>> # ls
>> .  ..  cert.pem  privkey.pem
>> # cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem
>> # mv -f privkey.pem /etc/ssl/certs/skey.pem
>> # chown cyrus:mail /etc/ssl/certs/cert.pem
>> # chmod 600 /etc/ssl/certs/cert.pem
>  It is enough to provide the client with the certificate and import it 
> into its trust database (as I said, depends on the application).
> Depending on the application you might want to convert it to DER (with 
> openssl x509 -in ... -out cert.der -outform der ).
>  The private part is the privkey.pem and that you should keep safe.
>  For Windows (OE) you have to use the mmc program, TB has a special 
> settings tab which lets you import in PEM format, I don't know about 
> other clients on Windows.
>  mitu
> ----
> Cyrus Home Page: Cyrus Wiki/FAQ:
> List Archives/Info:

More information about the Info-cyrus mailing list
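
An added example, not written by any poster in this thread: a shell check for the concern raised above, that a combined PEM file (private key plus certificate, as built with `cat privkey.pem cert.pem`) must not be handed to clients as-is. It copies only the certificate blocks to a new file and refuses to finish if key material is still present; the function names and sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: publish only the public part of a key+certificate PEM bundle.

# Print only the CERTIFICATE blocks of the PEM bundle read from stdin.
public_only() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { keep = 1 }
        keep                           { print }
        /^-----END CERTIFICATE-----/   { keep = 0 }
    '
}

# Exit 0 if file $1 holds any private key block (PRIVATE KEY,
# RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...).
has_private_key() {
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}

# Write the publishable file $2 from bundle $1. Fails, and removes $2,
# if the result contains key material or no certificate at all.
make_client_cert() {
    bundle=$1 out=$2
    public_only < "$bundle" > "$out" || return 1
    if has_private_key "$out"; then
        echo "refusing: $out contains a private key" >&2
        rm -f "$out"; return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$out"; then
        echo "no certificate found in $bundle" >&2
        rm -f "$out"; return 1
    fi
}

# Constructed sample with the same layout as the combined cert.pem;
# the base64 bodies are placeholders, not real key or certificate data.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZLVBMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
}
```

Running `has_private_key` on a file before mailing it flags a bundle such as the concatenated `infile.pem`; the output of `make_client_cert` on a real bundle can be converted with the `openssl x509 -in ... -out cert.der -outform der` command quoted in the thread.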