Final hurdle: How to generate SSL Certificate for Outlook?

Discussion in 'Installation/Configuration' started by jimwil, Jan 23, 2006.

  1. jimwil

    jimwil New Member

    Hi all, my first post here :)

    I've just followed the EXCELLENT article here:

    http://www.howtoforge.com/perfect_setup_ubuntu_5.10

    and I now have a fully working server running postfix etc.

    I'm looking for some final final help, and that is: how can I generate a certificate for Microsoft Outlook, so that I cna use postfix in TLS (SSL) mode? I know I need to export in p12 format using openssl but I just don't know the correct parameters.

    As per the HOWTO document above, my files are

    /etc/postfix/ssl/cacert.pem
    /etc/postfix/ssl/cakey.pem
    /etc/postfix/ssl/smtpd.crt
    /etc/postfix/ssl/smtpd.csr
    /etc/postfix/ssl/smtpd.key

    I can export a certificate, and import it on WIndoze (via Internet Explorer), and I have chanegd /etc/postfix/main.cf to have smtpd_tls_auth_only = yes, but when I send within Outlook i get the annoying "certificate isn;t trusted do you want to continue" - with every message I send! Obviosuly I'd like to suppress that message as I know the server is trusted.

    Many thanks in advance,



    Jim
     
  2. falko

    falko Super Moderator

  3. jimwil

    jimwil New Member

    Sorry, i think you've misunderstood me. The certificates on my server are fine, I can login via telnet and STARTTLS etc. But what I need is a certificate which I can then import into Outlook.

    Can I already use the files on my server? If so, which ones are they?

    Many thanks,


    Jim
     
  4. falko

    falko Super Moderator

    I've never heard of certificate files that you must import into Outlook.
    If the certificates on the server are correct, then the warning will disappear.
     
  5. jimwil

    jimwil New Member

    Not quite.

    My certificates are self-signed, as per the instructions in the howto. When you send to that mailserver using SSL Outlook prompts you with:

    "The server you are connecting to is using a security certificate that could not be verified.

    A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

    Do you want to contiune using this server?"



    If you choose YES then you can send through the mailserver quite happily. But as soon as you quit Outlook and restart it, you get the warning again. Which is obviously a PITA.

    The internet is absolutely riddled with similar questions (search google for Outlook root certificate "could not be verified") but I just cannot find a definitive answer which matches the steps I've gone through in the howto.

    i.e. the HOWTO tells me how to setup the server, but I need to final steps to create the certificate for import into the client.

    The stuff at http://ohno.mrbill.net/pipermail/linuxmanagers/2003-April/001100.html looks okay, but I still can't seem to get the right combination of ciles and parameters.

    Heeeeelllllpppppppppp!!!!!! (please)

    Jim
     
  6. jimwil

    jimwil New Member

    Okay, I'm answering my own quesion, but it's for the benefit of others trying to do the same thing.

    My mistake was missing the -inkey parameter to openssl. So, assuming you have followed the precise instructions in the Breezy howto (http://www.howtoforge.com/perfect_setup_ubuntu_5.10), you can create a certificate for Outlook using the following:

    cd /etc/postfix/ssl/

    openssl pkcs12 -export -in smtpd.crt -inkey smtpd.key -out OutlookSMTP.p12

    Then import the OutlookSMTP.p12 file into the Trusted Root Certification Authorities store within Internet Explorer (Tools -> Internet Options -> Content -> Certificates, or by just double-clicking it). You will then be free to establish an SSL connection within Outlook to enforce tighter security.

    Hope this helps others. Perhaps this HOWTO could be edited to put this as an optional step?


    Jim
     
  7. till

    till Super Moderator

    Thanks for posting the solution :) I will add it to the howto.
     
  8. rdtech

    rdtech New Member

    thanks for the advise. thats what I was looking for.
     
  9. rdtech

    rdtech New Member

    If I have multiple web sites, do I use the same cert for all of them to put in their outlook(IE)

    Now does this effect the any other ssl websites in the server.
     

Share This Page