HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (
-   Installation/Configuration (
-   -   Final hurdle: How to generate SSL Certificate for Outlook? (

jimwil 23rd January 2006 14:37

Final hurdle: How to generate SSL Certificate for Outlook?
Hi all, my first post here :-)

I've just followed the EXCELLENT article here:

and I now have a fully working server running postfix etc.

I'm looking for some final final help, and that is: how can I generate a certificate for Microsoft Outlook, so that I cna use postfix in TLS (SSL) mode? I know I need to export in p12 format using openssl but I just don't know the correct parameters.

As per the HOWTO document above, my files are


I can export a certificate, and import it on WIndoze (via Internet Explorer), and I have chanegd /etc/postfix/ to have smtpd_tls_auth_only = yes, but when I send within Outlook i get the annoying "certificate isn;t trusted do you want to continue" - with every message I send! Obviosuly I'd like to suppress that message as I know the server is trusted.

Many thanks in advance,


falko 23rd January 2006 18:49

You simply have to generate certificates with the correct details, then this warning message will disappear.

You can re-create the certificate by doing the steps on again.

jimwil 23rd January 2006 19:12

Sorry, i think you've misunderstood me. The certificates on my server are fine, I can login via telnet and STARTTLS etc. But what I need is a certificate which I can then import into Outlook.

Can I already use the files on my server? If so, which ones are they?

Many thanks,


falko 23rd January 2006 21:16

I've never heard of certificate files that you must import into Outlook.
If the certificates on the server are correct, then the warning will disappear.

jimwil 23rd January 2006 21:37

Not quite.

My certificates are self-signed, as per the instructions in the howto. When you send to that mailserver using SSL Outlook prompts you with:

"The server you are connecting to is using a security certificate that could not be verified.

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Do you want to contiune using this server?"

If you choose YES then you can send through the mailserver quite happily. But as soon as you quit Outlook and restart it, you get the warning again. Which is obviously a PITA.

The internet is absolutely riddled with similar questions (search google for Outlook root certificate "could not be verified") but I just cannot find a definitive answer which matches the steps I've gone through in the howto.

i.e. the HOWTO tells me how to setup the server, but I need to final steps to create the certificate for import into the client.

The stuff at looks okay, but I still can't seem to get the right combination of ciles and parameters.

Heeeeelllllpppppppppp!!!!!! (please)


jimwil 24th January 2006 14:13

Okay, I'm answering my own quesion, but it's for the benefit of others trying to do the same thing.

My mistake was missing the -inkey parameter to openssl. So, assuming you have followed the precise instructions in the Breezy howto (, you can create a certificate for Outlook using the following:

cd /etc/postfix/ssl/

openssl pkcs12 -export -in smtpd.crt -inkey smtpd.key -out OutlookSMTP.p12

Then import the OutlookSMTP.p12 file into the Trusted Root Certification Authorities store within Internet Explorer (Tools -> Internet Options -> Content -> Certificates, or by just double-clicking it). You will then be free to establish an SSL connection within Outlook to enforce tighter security.

Hope this helps others. Perhaps this HOWTO could be edited to put this as an optional step?


till 24th January 2006 14:21

Thanks for posting the solution :) I will add it to the howto.

rdtech 28th June 2008 08:06

thanks for the advise. thats what I was looking for.

rdtech 28th June 2008 08:11

If I have multiple web sites, do I use the same cert for all of them to put in their outlook(IE)

Now does this effect the any other ssl websites in the server.

All times are GMT +2. The time now is 22:31.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.