self signed Root CA for client using ssl - SMTP

  #1  
Old 03-26-2005, 06:59 AM
nand nand is offline
WHT Addict
 
Join Date: Apr 2004
Posts: 111

self signed Root CA for client using ssl - SMTP


What I want to do:
Allow users to use my SMTP (POP3 already done) from email clients (i.e. Outlook Express) without any stupid info, and without paying a 3rd party for verifying the cert.

To do this I had set up SSL SMTP. All is working fine. SSL POP3 works without any stupid info, but when using SSL SMTP Outlook says:


Quote:
A certificate you are connecting to is using a security certificate that could not be verified.

A certificate chain processed, but terminated in a root certificate which is not trusted by trust provider

Do you want to continue using this server?

yes/no
If yes is clicked it works fine. So I want to eliminate this message.

To do this I have to generate a self-signed Root CA and distribute it to the users of my mail server.

How to do it is described here:
http://www.nyetwork.org/wiki/ssl_root_ca_new

I have WHM/cPanel on my servers. So basically the SSL cert is the one that is generated through WHM for WHM+cPanel. And it is in /usr/local/ssl/share/ssl/certs

I tried in many ways to make this Root CA and import it into the Windows/Outlook Root CA store.

for example I tried to

openssl crl2pkcs7 -nocrl -certfile domain.com.crt -outform DER -out domain.com.pkcs7

where domain.com.crt was the cert for WHM+cPanel

However all this failed and Outlook Express still prints the same message about the cert not being signed by a root CA.

Any help will be appreciated on this one.



  #2  
Old 03-26-2005, 07:30 AM
net net is offline
Community Liaison
 
Join Date: Mar 2003
Posts: 11,140
First of all, you need to have a valid Certificate, get 1 at ev1 (starter ssl certificate at 9 dollars) and make sure to assign it to your hostname.

then edit /etc/exim.crt and replace it with your web certificate from ev1 then edit /etc/exim.key and replace it with your private key.

Use your hostname to send and receive emails using ssl and you're done!



Net

__________________
.
JoneSolutions.Com + SSS = Your Number One Choice On The Net - since 2001

It's Fully Managed and Secured. Ask us at sales @ jonesolutions.com .

  #3  
Old 03-26-2005, 07:34 AM
nand nand is offline
WHT Addict
 
Join Date: Apr 2004
Posts: 111
You didn't read carefully. I want to make my own root CA, then distribute it to users, and this root CA will verify the cert already used by SSL SMTP (exim).

  #4  
Old 03-26-2005, 07:38 AM
net net is offline
Community Liaison
 
Join Date: Mar 2003
Posts: 11,140
I read it CAREFULLY man....

If you were able to make your own root CA without those printed errors in Outlook, let me know :-)


  #5  
Old 03-26-2005, 07:44 AM
nand nand is offline
WHT Addict
 
Join Date: Apr 2004
Posts: 111
look at

http://www.randyperkins.com/mailtools/ssl_mail.html
http://www.nyetwork.org/wiki/ssl_root_ca_new

It is possible, but you will have to distribute the Root CA cert to all users, and all users will have to import it into their Windows root CA store.

Anyway, no more talk about nothing. Make room for someone that knows how to do it practically...

Anyone any tips?

  #6  
Old 03-26-2005, 09:15 AM
nand nand is offline
WHT Addict
 
Join Date: Apr 2004
Posts: 111
Quote:
Originally posted by net
First of all, you need to have a valid Certificate, get 1 at ev1 (starter ssl certificate at 9 dollars) and make sure to assign it to your hostname.

then edit /etc/exim.crt and replace it with your web certificate from ev1 then edit /etc/exim.key and replace it with your private key.

Use your hostname to send and receive emails using ssl and you're done!



Net
You actually were right in some ways.

You just have to replace /etc/exim.crt and /etc/exim.key with the ones generated for your WHM/cPanel. The cpop (cPanel POP3 server) crt and keys are replaced automatically.

And then users of your SMTP just have to add your cPanel cert to trusted (for example by opening the cPanel page in IE) and they will never be bothered about certs for SSL POP3/SMTP.

As for a self-signed Root CA, that's also easy. I made it. When an end user imports your Root CA, he will not have to add your cPanel/WHM cert to trusted! But either way he has to import something, so I will for now stick to making users import just the cPanel cert.
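
Added example, not part of any post in this thread: one way to build the setup discussed above, a self-signed root CA that users import once plus a server certificate signed by it, with a check that the chain verifies. The hostname mail.example.com, the CA name and the file names are placeholders; the resulting exim.crt and exim.key correspond to the /etc/exim.crt and /etc/exim.key files mentioned in the posts.

```shell
#!/bin/sh
# Added example. mail.example.com, the CA name and file names are placeholders.

write_cnf() {   # $1 = working dir, $2 = mail hostname clients connect to
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

make_root_ca() {   # $1 = working dir; ca.key stays on the signing machine
    openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Mail Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    # DER copy of the CA cert: the only file users import into their root store
    openssl x509 -in "$1/ca.crt" -outform DER -out "$1/ca.cer"
}

issue_server_cert() {   # $1 = working dir, $2 = mail hostname
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/exim.key" -out "$1/exim.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/exim.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 825 \
        -extfile "$1/pki.cnf" -extensions v3_srv -out "$1/exim.crt" 2>/dev/null
}

chain_ok() {   # $1 = CA cert to trust, $2 = server cert; returns 0 if it chains
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo=$(mktemp -d)
write_cnf "$demo" mail.example.com
make_root_ca "$demo" && issue_server_cert "$demo" mail.example.com
chain_ok "$demo/ca.crt" "$demo/exim.crt" && echo "server cert chains to the private root"
```

A client that trusts ca.cer accepts any server certificate issued from this CA, so renewing or replacing exim.crt does not require another import on the user side.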
