> Hi,
> Thanks for your reply.
>
> I've found this on http://www.nyetwork.org/wiki/ssl_root_ca_new
>
> "Create a PKCS#7 format of the Root CA's public certificate:
>
> This will allow clients to easily import it into their PKI storage
> places, such as Outlook Express and Netscape.
>
> cd /usr/local/ssl.ca
> openssl crl2pkcs7 -nocrl -certfile ca.crt -outform DER -out ca.pkcs7
>
> ca.pkcs7 will only contain the public portion of the CA's certificate, so
> you can email it to whomever with instructions on how to import it, put it
> up for download, or whatever."
>
> I used this syntax,
> but it seems that I can't import it into Outlook Express certificates (I
> get 'success' message but no such certificate created).
>
> Any help?

Hi Leon,

this is how I created a pfx file for Outlook users:

cat cyrus-imapd.pem postfix.pem slapd.pem webmail.pem > infile.pem
openssl pkcs12 -in infile.pem -certfile infile.pem -export -out outfile.pfx

The pfx file can then be imported and I've been told it works.

Regards,
Simon

>
> Regards,
> Leon Kolchinsky
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Cristian Mitrana
> Sent: Monday, October 10, 2005 11:54 AM
> To: info-cyrus@lists.andrew.cmu.edu
> Subject: Re: How to make cerificate for client installation?
>
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [10-10-05 10:46]:
>
>> Hello All,
>>
>> I'm using SMTP-AUTH with TLS wrapper with Self Signed Certificate on my
>> system.
>>
>> I want users to be able to install certificate on their computer (on OE
>> or another mail-client) and not press "Yes" on the nag screen on every
>> login.
>> How can I do it so client certificate only contain the public portion of
>> the certificate (so it is secure to publish this certificate on the
>> net)?
>
> This depends on the client used and it's highly specific. And has
> nothing to do with cyrus.
>
>> Background Info:
>> This is how I've created certificates:
>> # openssl req -new -x509 -sha1 -extensions v3_ca -nodes -days 999 -out cert.pem
>> # ls
>> . .. cert.pem privkey.pem
>> # cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem
>> # mv -f privkey.pem /etc/ssl/certs/skey.pem
>> # chown cyrus:mail /etc/ssl/certs/cert.pem
>> # chmod 600 /etc/ssl/certs/cert.pem
>
> It is enough to provide the client with the certificate and import it
> into its trust database (as I said, depends on the application).
> Depending on the application you might want to convert it to DER (with
> openssl x509 -in ... -out cert.der -outform der ).
> The private part is the privkey.pem and that you should keep safe.
>
> For Windows (OE) you have to use the mmc program, TB has a special
> settings tab which lets you import in PEM format, I don't know about
> other clients on Windows.
>
> mitu
>
> ----
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
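
Added example, not part of the thread and not code from any poster or project: the combined cert.pem built in the background info holds the private key followed by the certificate, so only a certificate-only copy is safe to publish. The sketch below extracts that copy and refuses to write it if a key would remain; the function names, file names and the sample PEM bodies are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: produce a publishable, certificate-only copy of a PEM bundle.
# Function names and file names are assumptions made for this illustration.

# Print only the CERTIFICATE blocks of a PEM file; everything else is dropped.
extract_public_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep                           { print }
         /^-----END CERTIFICATE-----/   { keep = 0 }' "$1"
}

# Exit 0 if the file holds any private-key block (PKCS#8, RSA, EC, encrypted).
contains_private_key() {
    grep -Eq '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"
}

# Write the certificate-only copy to $2. Refuse, and leave nothing behind, if
# no certificate was found or a key survived (e.g. a cert block missing its END
# line, which makes the extractor run on into the key).
make_publishable() {
    src=$1 dst=$2
    extract_public_certs "$src" > "$dst" || return 1
    if [ ! -s "$dst" ]; then
        echo "no certificate found in $src" >&2
        rm -f "$dst"; return 1
    fi
    if contains_private_key "$dst"; then
        echo "refusing: output would contain a private key" >&2
        rm -f "$dst"; return 1
    fi
    chmod 644 "$dst"
}

# Constructed sample laid out like the thread's combined cert.pem (key first,
# then certificate). The bodies are placeholders, not real key material.
build_sample() {
    cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERKEYBODY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERCERTBODY
-----END CERTIFICATE-----
EOF
}

if [ "$#" -eq 2 ]; then make_publishable "$1" "$2"; fi
```

The certificate-only file is the one to feed to the `openssl x509 -in ... -out cert.der -outform der` conversion mentioned in the thread when a client wants DER.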