Re: [Exim] TLS and Intermediate (root) certificates

Author: Sheldon Hearn
Date:  
To: exim-users
CC: William Gerken
Subject: Re: [Exim] TLS and Intermediate (root) certificates

On Fri, 11 Jan 2002 13:24:06 +0200, Sheldon Hearn wrote:

> I'll scratch around on the FreeBSD mailing lists and see if any of the
> OpenSSL gurus will bite. I'd urge folks on other technical mailing
> lists to try the same.

Ha! Struck gold!

I now have MS Outlook sending and receiving mail securely and without
silly warnings to and from Ian Freislich's BSD-licensed popd and Exim
respectively.

The key was a long, but very helpful explanation of the fundamental
problem from Terry Lambert, a freebsd-hackers resident. Once his mail
had cleared up my understanding of how this stuff actually works, it
didn't take long to google up cookbook solutions.

Unfortunately, I don't have time to write up a suitable FAQ entry /
HOWTO, but at least this'll make it into the archives.

First, read this message:

http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com

Then, follow the instructions found on these two (consecutive) pages:

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm

Two points on the PKI Book literature:

1) It's assumed that it's okay to use a passphrase-protected key to
encrypt the user/site/leaf certificate. If this isn't acceptable,
you seem to be able to "strip out" the passphrase as follows:

    # rewrite the key without its passphrase (prompts for it once), then replace the original
    openssl rsa -in user.key -out user.key.new
    mv user.key.new user.key

This should be done immediately after user.key is created.

2) The sign.sh script is available in the mod_ssl distribution,
available at:

http://www.modssl.org/source/

Having followed the instructions, you end up with the following useful
files:

a) ca.crt

This file should be installed into the client software as a trusted
root certification authority. In Windows XP, this can be done as
follows:

1. Call the file ca_cert.cer.
2. Double-click on the file.
3. "Install Certificate".
4. "Next".
5. "Place all certificates in the following store".
6. "Browse...".
7. "Trusted Root Certification Authorities".
8. "OK".
9. "Next".
10. "Finish".
11. "Yes".
12. "OK".

b) user.crt
   user.key

These files should be installed into the server software. In Exim, this
can be done as follows:

1. Add these lines to the configure file:

       tls_certificate = /usr/local/etc/exim/tls_cert
       tls_privatekey = /usr/local/etc/exim/tls_key

2. Install user.crt and user.key as tls_cert and tls_key respectively
   in the appropriate directory.

Hope that helps!

Ciao,
Sheldon.

PS: I have no idea what I'm talking about.  I just beat it with the ugly
    stick until it worked.  You're welcome to ask me for help with this
    stuff, but don't get your hopes up. :-)