Re: [Exim] TLS and certificate chains

Author: Philip Hazel
Date:  
To: John Holman
CC: exim-users
Subject: Re: [Exim] TLS and certificate chains
On Wed, 3 Apr 2002, John Holman wrote:

> I've obtained a server certificate from GlobalSign (under the UKERNA
> deal for UK HE institutions, in fact) but am having difficulty
> configuring Exim to use it. I think the problem is that the client needs
> to receive not only the server certificate itself, but also a couple of
> intermediate GlobalSign certificates linking it with the root
> certificate known to the client.
All I know about this was what I learned from Sheldon Hearn, who posted
stuff on this list some time ago when he was chasing this. The Exim 4
manual has a summary, which is this:

------------------------------------------------------------------------
A self-signed certificate made in this way is sufficient for testing, and may
be adequate for all your requirements if you are mainly interested in
encrypting transfers, and not in secure identification.

However, many clients require that the certificate presented by the server be
a user (also called 'leaf' or 'site') certificate, and not a self-signed
certificate. In this situation, the self-signed certificate described above
must be installed on the client host as a trusted root "certification
authority" (CA), and the certificate used by Exim must be a user certificate
signed with that self-signed certificate.

For information on creating self-signed CA certificates and using them to sign
user certificates, see the "General implementation overview" chapter of the
Open-source PKI book, available online at http://ospkibook.sourceforge.net/.
------------------------------------------------------------------------

Now, you don't have a self-signed certificate, but this commentary
suggests that you have to have a GlobalSign certificate installed as a
CA on your host. No, I don't know the details of how to do this...

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
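An added example (not from the Exim manual or from anyone in this thread): a small openssl script that builds a toy root / intermediate / server chain, assembles the file a server would present (leaf first, then intermediates, never the root), and shows with `openssl verify` that a client trusting only the root cannot validate the leaf unless the intermediate is supplied with it. Every name and the validity period are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo of the chain problem: a client that trusts only the root
# must be handed the intermediate(s) as well as the server certificate.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed root CA: the only thing the client trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.crt 2>/dev/null

# 2. Intermediate CA, signed by the root; CA:TRUE so it may sign leaves.
printf 'basicConstraints=CA:TRUE\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.crt 2>/dev/null

# 3. Server (leaf) certificate, signed by the intermediate, not by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 30 -out server.crt 2>/dev/null

# 4. What the server should present: leaf first, then the intermediate.
cat server.crt inter.crt > chain.pem

verify_leaf_only() {
  # Client has root.crt only and receives just the leaf: no path to the
  # root can be built, so this prints FAIL.
  if openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

verify_with_chain() {
  # Same client, but the presented chain file supplies the intermediate
  # as an untrusted helper certificate: the path closes, so this prints OK.
  if openssl verify -CAfile root.crt -untrusted chain.pem server.crt >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

echo "leaf only:  $(verify_leaf_only)"
echo "with chain: $(verify_with_chain)"
```

Swapping a real server certificate and the CA's published intermediates into the `cat` step gives the same check for a production chain file before a mail client ever sees it.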