Hi,
Thanks for your reply.

I've found this on http://www.nyetwork.org/wiki/ssl_root_ca_new

"Create a PKCS#7 format of the Root CA's public certificate:

This will allow clients to easily import it into their PKI storage 
places, such as Outlook Express and Netscape.

cd /usr/local/ssl.ca
openssl crl2pkcs7 -nocrl -certfile ca.crt -outform DER -out ca.pkcs7

ca.pkcs7 will only contain the public portion of the CA's certificate, so you 
can email it to whomever with instructions on how to import it, put it up for 
download, or whatever."

I used this syntax,
but it seems that I can't import it into Outlook Express certificates (I get 
'success' message but no such certificate created).

Any help?

Regards,
Leon Kolchinsky 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cristian Mitrana
Sent: Monday, October 10, 2005 11:54 AM
To: info-cyrus@lists.andrew.cmu.edu
Subject: Re: How to make cerificate for client installation?

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [10-10-05 10:46]:
 
> Hello All,
>  
> I'm using SMTP-AUTH with TLS wrapper with Self Signed Certificate on my 
> system.
>  
> I want users to be able to install certificate on their computer (on OE or 
> another mail-client) and not press "Yes" on the nag screen on every login.
> How can I do it so client certificate only contain the public portion of the 
> certificate (so it is secure to publish this certificate on the net)?
 
  This depends on the client used and it's highly specific. And has nothing to 
do with cyrus.

> Background Info:
> This is how I've created certificates:
> # openssl req -new -x509 -sha1 -extensions v3_ca -nodes -days 999 -out cert.pem
> # ls .  ..  cert.pem  privkey.pem
> # cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem
> # mv -f privkey.pem /etc/ssl/certs/skey.pem
> # chown cyrus:mail /etc/ssl/certs/cert.pem
> # chmod 600 /etc/ssl/certs/cert.pem
  

 It is enough to provide the client with the certificate and import it into 
its trust database (as I said, depends on the application).
Depending on the application you might want to convert it to DER (with openssl 
x509 -in ... -out cert.der -outform der ).
 The private part is the privkey.pem and that you should keep safe.

 For windows (OE) you have to use the mmc program, TB has a special  settings 
tab which lets you import in PEM format, I don't know about  other clients on 
windows.

 mitu
  
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
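
An added example, not part of the original messages: the server file built in the thread with `cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem` holds the private key as well as the certificate, so the copy given to clients should be cut from it and checked before it is published. The function names and the sample PEM (placeholder bodies, not real key material) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print only the CERTIFICATE blocks of a PEM file; key blocks are dropped.
extract_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { on = 1 }
         on                            { print }
         /^-----END CERTIFICATE-----/   { on = 0 }' "$1"
}

# Exit 0 if the file holds any private-key block (RSA, EC, PKCS#8, encrypted).
has_private_key() {
    grep -Eq -e '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"
}

# Write a client-safe copy of $1 to $2.
# Returns 1 if $1 has no certificate, 2 if the copy would still contain a key
# (possible when a certificate block is missing its END line).
export_public_cert() {
    src=$1; dst=$2
    extract_certs "$src" > "$dst"
    if [ ! -s "$dst" ]; then
        echo "no certificate found in $src" >&2
        rm -f "$dst"; return 1
    fi
    if has_private_key "$dst"; then
        echo "refusing to publish $dst: private key present" >&2
        rm -f "$dst"; return 2
    fi
    return 0
}

# Demo on a constructed sample: placeholder bodies, laid out like the combined
# key+certificate file described in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/combined.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
has_private_key "$demo_dir/combined.pem" &&
    echo "combined.pem: contains a private key, do not publish"
export_public_cert "$demo_dir/combined.pem" "$demo_dir/ca-public.pem" &&
    echo "ca-public.pem: certificate only, safe to hand to clients"
rm -rf "$demo_dir"
```

The certificate-only PEM is the file to convert to DER or wrap with `openssl crl2pkcs7`, never the combined `/etc/ssl/certs/cert.pem`.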
