using NNTPS (nnrp with ssl) with windows mail / thunderbird on windows vista - Openssl

  1. using NNTPS (nnrp with ssl) with windows mail / thunderbird on windows vista

    Hello,

    I have a working nnrpd with SSL configuration. I am using my custom-generated
    SSL certificate signed with my own Certification Authority. Each time I am
    accessing news in the Windows Mail client I am getting a message that the
    certificate is not trusted and cannot be verified.
    I want to get rid of this message by importing my custom CA (or probably the
    custom certificate) into the Windows certification storage and making it trusted,
    so I will not get this message again.

    So far, I have converted my cacert.pem to DER format using:
        openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der

    Then I have converted my nnrpd certificate to pk12 format using:
        openssl pkcs12 -export -clcerts -in nnrpd.cert.pem -inkey nnrpd.key.pem -out clcert.p12

    Then, by clicking on cacert.der and following the tutorial, I have installed the CA
    certificate into Windows Vista. In the second step, by clicking on clcert.p12, I
    have installed the client certificate.
    But so far it is not working and I am always getting the message about a not
    trusted certificate.

    Can someone help me please, or point me to solution?

    Thanks in advance!

    Regards,

    David


  2. Re: using NNTPS (nnrp with ssl) with windows mail / thunderbird on windows vista


    Your logic is correct, in Thunderbird, you have the preferences|advanced and
    this shows you a set of tabs, the last one of which is "Certificates". Press
    View Certificates Button and you get another dialog with 4 tabs

    1.- the first tab (your certificates) is for the pk12 ones
    2.- other people's certs, for the pem of other people
    3.- websites certs
    4.- and authorities to put your CA cert.

    Just make sure your certificate is actually one "son" of your CA.

    It is right to make one CA cert with the 509 extensions set to CA:

        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Certificate Sign, CRL Sign
        Netscape Cert Type:
            SSL CA, S/MIME CA

    But it is a mistake to make the "son" as ANOTHER SELF-SIGNED cert with those
    extensions not set as CA:

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, SSL Server, S/MIME, Object Signing
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:

    I know of important companies making this mistake.
    The second cert has to be one SIGNED by the first CA authority, not a
    self-signed one with CA fields "off" or false.
    Said in other words: the second cert is the result or output of a CSR
    (certificate signing request) signed by the CA cert.

    Thunderbird accepts PEM format, so you don't need the DER transformation.

    The above outputs are part of "openssl x509 -in anycert.pem -text"



    David Hlacik wrote:

    --
    View this message in context: http://www.nabble.com/using-NNTPS-%2...p18069930.html
    Sent from the OpenSSL - User mailing list archive at Nabble.com.

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org
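
The difference between a certificate signed by the CA and a second self-signed certificate, as discussed in the reply above, shown as an added example that is not part of the original thread. It assumes `openssl` is on the PATH; "Demo CA", news.example.test and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. "Demo CA", news.example.test and all file names are constructed placeholders.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,nonRepudiation,keyEncipherment
EOF

# 1. The CA: self-signed, with the CA extensions set.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config demo.cnf \
    -extensions v3_ca -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null

# 2. Correct "son": a CSR for the server, signed with the CA key. CA:FALSE is expected here.
openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=news.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 30 \
    -extfile demo.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# 3. The mistake: a second self-signed cert with the same non-CA extensions.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config demo.cnf \
    -extensions v3_leaf -subj "/CN=news.example.test" -keyout bad.key -out bad.pem 2>/dev/null

# Succeeds only if the certificate ($2) chains to the CA file ($1).
chains_to_ca() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# Succeeds if issuer and subject are identical, i.e. the cert is self-issued.
self_issued() {
    [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

for c in leaf.pem bad.pem; do
    if self_issued "$c"; then kind="self-issued"; else kind="issued by another subject"; fi
    if chains_to_ca ca.pem "$c"; then echo "$c: $kind, chains to Demo CA"
    else echo "$c: $kind, does NOT chain to Demo CA"; fi
done
```

Both server certificates carry `CA:FALSE`; only the issuer and the signature distinguish the one a client can trust through the imported CA.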


  3. Re: using NNTPS (nnrp with ssl) with windows mail / thunderbird on windows vista

    Hello all,

    Lately I am facing problems with Certification Authorities, as mentioned in
    the mails attached. I hope someone knows the CentOS perl script CA for generating
    certificates (I believe it is not only a CentOS script and other distros use
    it also).
    I have used the CentOS script /etc/pki/tls/misc/CA for my own certificate authority.
    In the next steps I am generating requests for certificates for services such as
    LDAP and NNRPD, and later signing the requests with the CA. My approach is to import my
    own CA into Windows Vista OS as a trusted root CA, to avoid messages in
    clients such as "certificate could not be verified, certificate is not
    signed or certificate authority cannot be verified".

    When I asked for help on the openssl mailing list I received an interesting
    answer:

    > Just make sure your certificate is actually one "son" of your CA.
    >
    > It is right to make one CA cert with the 509 extensions set to CA:
    >     X509v3 Basic Constraints:
    >         CA:TRUE
    >     X509v3 Key Usage:
    >         Certificate Sign, CRL Sign
    >     Netscape Cert Type:
    >         SSL CA, S/MIME CA
    >
    > But it is a mistake to make the "son" as ANOTHER SELF-SIGNED cert with
    > those extensions not set as CA:
    >     X509v3 extensions:
    >         X509v3 Basic Constraints:
    >             CA:FALSE
    >         Netscape Cert Type:
    >             SSL Client, SSL Server, S/MIME, Object Signing
    >         X509v3 Key Usage:
    >             Digital Signature, Non Repudiation, Key Encipherment
    >         Netscape Comment:
    >
    > I know of important companies making this mistake.
    > The second cert has to be one SIGNED by the first CA authority, not a
    > self-signed one with CA fields "off" or false.
    > Said in other words: the second cert is the result or output of a CSR
    > (certificate signing request) signed by the CA cert.



    Yes, that is true, so why is this not so in the case of /etc/pki/tls/misc/CA?
    All my generated server certificates, signed with my own CA using this script,
    have:

    > X509v3 extensions:
    >     X509v3 Basic Constraints:
    >         CA:FALSE
    >     Netscape Comment:
    >         OpenSSL Generated Certificate
    >     X509v3 Subject Key Identifier:
    >         CC:FC:A1:2DE:CD1:9E:34:F3:89:08:F96:30:79:AF:EE:6B:94
    >     X509v3 Authority Key Identifier:
    >         keyid:C7:B9:B0:BC:5A:A2:73:18:02:F2:80:E2:8A:0C:BC:58:0C:87:14:95



    Thanks in advance!

    DAVID


    On Mon, Jun 23, 2008 at 4:02 PM, javierm wrote:
