  1. #1
    Join Date
    Apr 2004
    Posts
    111

    self signed Root CA for client using ssl - SMTP

    What I want to do:
    Allow users to use my SMTP (POP3 already done) from email clients (e.g. Outlook Express) without any stupid info, and without paying a third party for verifying the cert.

    To do this I have set up SSL SMTP. All is working fine. SSL POP3 works without any stupid infos, but when using SSL SMTP Outlook says:


    A certificate you are connecting to is using a security certificate that could not be verified.

    A certificate chain processed, but terminated in a root certificate which is not trusted by trust provider

    Do you want to continue using this server?

    yes/no
    If I click yes it works fine. So I want to eliminate this message.

    To do this I have to generate a self-signed Root CA and distribute it to the users of my mail server.

    How to do it is described here:
    http://www.nyetwork.org/wiki/ssl_root_ca_new

    I have WHM/cPanel on my servers. So basically the SSL cert is the one that is generated through WHM for WHM+cPanel. And it is in /usr/local/ssl/share/ssl/certs

    I tried in many ways to make this Root CA and import it into the Windows/Outlook Root CA store.

    For example, I tried:

    openssl crl2pkcs7 -nocrl -certfile domain.com.crt -outform DER -out domain.com.pkcs7

    where domain.com.crt was the cert for WHM+cPanel.

    However, all this failed and Outlook Express still prints the same message about the cert not being signed by a root CA.

    Any help will be appreciated on this one.

  2. #2
    Join Date
    Mar 2003
    Posts
    12,770
    First of all, you need to have a valid Certificate, get 1 at ev1 (starter ssl certificate at 9 dollars) and make sure to assign it to your hostname.

    then edit /etc/exim.crt and replace it with your web certificate from ev1 then edit /etc/exim.key and replace it with your private key.

    Use your hostname to send and receive emails using ssl and you're done!



    Net
    .
    JoneSolutions.Com is on the net providing services and support 24/7 since 2001.
    .

  3. #3
    Join Date
    Apr 2004
    Posts
    111
    You didn't read carefully. I want to make my own root CA, then distribute it to users, and this root CA will verify the cert already used by SSL SMTP (exim).

  4. #4
    Join Date
    Mar 2003
    Posts
    12,770
    I read it CAREFULLY man....

    If you were able to make your own root CA without those printed errors in Outlook, let me know :-)

  5. #5
    Join Date
    Apr 2004
    Posts
    111
    Look at

    http://www.randyperkins.com/mailtools/ssl_mail.html
    http://www.nyetwork.org/wiki/ssl_root_ca_new

    It is possible, but you will have to distribute the Root CA cert to all users, and all users will have to import it into their Windows root CA store.

    Anyway, no more talk about nothing. Make room for someone who knows how to do it in practice...

    Anyone any tips?

  6. #6
    Join Date
    Apr 2004
    Posts
    111
    Originally posted by net
    First of all, you need to have a valid Certificate, get 1 at ev1 (starter ssl certificate at 9 dollars) and make sure to assign it to your hostname.

    then edit /etc/exim.crt and replace it with your web certificate from ev1 then edit /etc/exim.key and replace it with your private key.

    Use your hostname to send and receive emails using ssl and you're done!



    Net
    You actually were right in some ways.

    You just have to replace /etc/exim.crt and /etc/exim.key with the ones generated for your WHM/cPanel. The cpop (cPanel POP3 server) crt and keys are replaced automatically.

    And then users of your SMTP just have to add your cPanel cert to trusted (for example by opening the cPanel page in IE) and they will never be bothered about certs for SSL POP3/SMTP.

    As for the self-signed Root CA, that's also easy. I made it. When the end user imports your Root CA, then he will not have to add your cPanel/WHM cert to trusted! But in both ways he has to import something, so I will for now stick to making users import just the cPanel cert.
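
Added example, not part of any post in this thread: one way to build the private root CA discussed above with the openssl CLI and sign a server certificate for the mail hostname. The hostname mail.example.com, the subject names and the scratch directory are assumptions; server.crt and server.key are the files that would take the place of /etc/exim.crt and /etc/exim.key, and ca.crt is the only file handed to users for import.

```shell
# Added example: private root CA + server certificate for an exim/POP3 host.
# MAIL_HOST and the subject names are placeholders; output goes to a scratch dir.
MAIL_HOST="${MAIL_HOST:-mail.example.com}"

make_mail_pki() {   # $1 = output directory, $2 = hostname clients connect to
    dir="$1"; host="$2"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Hosting
CN = Example Hosting Mail Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$dir/server.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Root CA: only ca.crt is given to users; ca.key never leaves the admin.
    openssl req -x509 -newkey rsa:3072 -sha256 -nodes -days 3650 \
        -config "$dir/pki.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key + CSR for the hostname, then sign the CSR with the root CA.
    openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

verify_chain() {    # succeeds only if server.crt chains to ca.crt AND matches $2
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_hostname "$2" \
        "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

ca_fingerprint() {  # value users compare out of band before importing ca.crt
    openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256
}

PKI_DIR="$(mktemp -d)"
make_mail_pki "$PKI_DIR" "$MAIL_HOST" && verify_chain "$PKI_DIR" "$MAIL_HOST" \
    && ca_fingerprint "$PKI_DIR" && echo "chain OK, files in $PKI_DIR"
```

Users should compare the printed SHA-256 fingerprint of ca.crt with a value obtained out of band before importing it, since a trusted root can vouch for any hostname. The client must connect using the same hostname that is in the certificate, otherwise the warning returns even with the root imported.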
