On Fri, 11 Jan 2002 13:24:06 +0200, Sheldon Hearn wrote:
> I'll scratch around on the FreeBSD mailing lists and see if any of the
> OpenSSL gurus will bite. I'd urge folks on other technical mailing
> lists to try the same.
Ha! Struck gold!
I now have MS Outlook sending and receiving mail securely and without
silly warnings to and from Ian Freislich's BSD-licensed popd and Exim
respectively.
The key was a long, but very helpful explanation of the fundamental
problem from Terry Lambert, a freebsd-hackers resident. Once his mail
had cleared up my understanding of how this stuff actually works, it
didn't take long to google up cookbook solutions.
Unfortunately, I don't have time to write up a suitable FAQ entry /
HOWTO, but at least this'll make it into the archives.
First, read this message:
http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com
Then, follow the instructions found on these two (consecutive) pages:
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm
Two points on the PKI Book literature:
1) It's assumed that it's okay to use a passphrase-protected key to
encrypt the user/site/leaf certificate. If this isn't acceptable,
you seem to be able to "strip out" the passphrase as follows:
openssl rsa -in user.key -out user.key.new
mv user.key.new user.key
This should be done immediately after user.key is created.
2) The sign.sh script is available in the mod_ssl distribution,
available at:
http://www.modssl.org/source/
Having followed the instructions, you end up with the following useful
files:
a) ca.crt
This file should be installed into the client software as a trusted
root certification authority. In Windows XP, this can be done as
follows:
1. Call the file ca_cert.cer.
2. Double-click on the file.
3. "Install Certificate".
4. "Next".
5. "Place all certificates in the following store".
6. "Browse...".
7. "Trusted Root Certification Authorities".
8. "OK".
9. "Next".
10. "Finish".
11. "Yes".
12. "OK".
b) user.crt
user.key
These files should be installed into the server software. In Exim, this
can be done as follows:
1. Add these lines to the configure file:
   tls_certificate = /usr/local/etc/exim/tls_cert
   tls_privatekey = /usr/local/etc/exim/tls_key
2. Install user.crt and user.key as tls_cert and tls_key
   respectively in the appropriate directory.
Hope that helps!
Ciao,
Sheldon.
PS: I have no idea what I'm talking about. I just beat it with the ugly
stick until it worked. You're welcome to ask me for help with this
stuff, but don't get your hopes up. :-)
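The whole workflow Sheldon sketches above (a private CA, a passphrase-protected
server key that gets stripped so an unattended daemon can read it, a leaf
certificate signed by the CA, and a client that only trusts the leaf because
ca.crt is in its trust store) as an added, runnable shell example. This is not
code from the post, the PKI Book or mod_ssl's sign.sh; it uses openssl(1)
directly. The subject names, the passphrase "hunter2" and the file layout under
$WORK are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: build a private CA, issue a
# server certificate, strip the key's passphrase, and check which trust
# anchors accept the result. Assumes openssl(1) is on PATH. Subject DNs,
# the passphrase and the working directory are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
    # $1 = path prefix, $2 = CA name. Self-signed CA key (no passphrase,
    # so the script runs unattended) and certificate, 10-year validity.
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.crt" -days 3650 \
        -subj "/CN=$2" 2>/dev/null
}

make_server_key_and_csr() {
    # $1 = passphrase. Generates user.key encrypted under that passphrase,
    # plus a CSR for the mail server's hostname. This is the state the
    # PKI Book leaves you in before the "strip out the passphrase" step.
    openssl req -new -newkey rsa:2048 -passout "pass:$1" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" \
        -subj "/CN=mail.example.com" 2>/dev/null
}

strip_passphrase() {
    # $1 = key file, $2 = its current passphrase. Re-encodes the key
    # unencrypted and replaces the original; this is the corrected form
    # of the two commands in the post.
    openssl rsa -in "$1" -passin "pass:$2" -out "$1.new" 2>/dev/null
    mv "$1.new" "$1"
}

sign_server_cert() {
    # $1 = CA path prefix. Issues user.crt from user.csr, which is the job
    # mod_ssl's sign.sh does in the post. One-year validity.
    openssl x509 -req -in "$WORK/user.csr" \
        -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -out "$WORK/user.crt" -days 365 2>/dev/null
}

key_is_unencrypted() {
    # Encrypted PEM keys carry an ENCRYPTED marker (either the PKCS#8
    # header or a Proc-Type line); a stripped key carries neither.
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

verify_chain() {
    # $1 = trust anchor file, $2 = leaf certificate. Mirrors what the mail
    # client does: the leaf must chain back to a CA it has installed.
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

build_all() {
    # Full procedure: CA, encrypted server key + CSR, strip, sign.
    make_ca "$WORK/ca" "Example Private CA"
    make_server_key_and_csr hunter2
    strip_passphrase "$WORK/user.key" hunter2
    sign_server_cert "$WORK/ca"
}

# Usage: DEMO=1 sh mkca.sh   (or source the file and call the functions)
if [ "${DEMO:-0}" = 1 ]; then
    build_all
    echo "user.key is $(key_is_unencrypted "$WORK/user.key")"
    echo "chain against ca.crt: $(verify_chain "$WORK/ca.crt" "$WORK/user.crt")"
    make_ca "$WORK/other" "Some Other CA"
    echo "chain against other.crt: $(verify_chain "$WORK/other.crt" "$WORK/user.crt")"
fi
```

The second CA in the demo is the point of the Windows steps in the post: a
client that has only other.crt in its trust store rejects user.crt outright,
which is exactly the "silly warning" Outlook shows until ca.crt is installed
under Trusted Root Certification Authorities. Stripping the passphrase is what
lets Exim read tls_privatekey at startup without a human typing anything; the
trade-off is that anyone who can read that file can impersonate the server, so
its permissions matter.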