Auteur: Erik Bussink Datum: Aan: exim-users Onderwerp: [Exim] SSL cert request signed by Microsoft CA for Exim 4.10 with TLS
This is a bit off-topic, but I could not find much information about
signing OpenSSL generated certificates with a Microsoft (Win2000 server)
Certificate Authority and using these signed certificate for the TLS
support in Exim 4.10. So here are the steps I followed to get a
successfull result. There might be a better way, or easier one, but
this has worked for me.
I found myself in the situation of wanting TLS support for Exim 4.10, yet
wanting to leverage the Certificate Authority in use in my company. This
Certificate Authority runs on Microsoft Windows 2000 Server (SP3), and
is in use for Certificate Revocation Lists (CRL) and Encrypted File System
(EFS) recovery agents.
I proceeded to generate an OpenSSL (0.96b) RSA key. I then moved the
certificate.csr to the Microsoft CA and signed it [out of the scope of
this email]. I then exported the signed certificate using the Base64
setting and with the Certification Chain (saves the information in the
PKCS#7 format). Having moved the certificate.p7b back to my mail server,
I used the following command to extract the information from the PKCS#7
to a temporary file and edit it to fit the parameters of a .crt file
I then edited the certificate.crt file to remove the CA's certificate
information and public key, leaving only the parts between CERTIFICATE
and END CERTIFICATE. Extract of certificate.crt is below:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:21:1a:14:00:00:00:00:00:05
Signature Algorithm: sha1WithRSAEncryption
Issuer: Email=someone@???, O=John Doe, CN=Doe CA
Validity
Not Before: Sep 9 08:57:19 2002 GMT
Not After : Sep 9 08:57:19 2004 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
07:ec:a3:9a:4f:50:9a:a1:f2:eb:f9:ef:3a:8b:44:
...
hu6z5Lm8nkY=
-----END CERTIFICATE-----
One question I'm still considering, and I haven't found on this
mailing list or in some documentation, would it be possible to get
EXIM to TLS encrypt outgoing SMTP connections with remote SMTP
servers ? I understand that my EXIM server will not have the remote's
TLS certificate, but does it really matter ? I think encrypting the
SMTP traffic would be a nicer than having normal cleartext traffic.