Certificates DISASTER!!!

metroben

Aloha -

I am the only Mac user in my office and they just set up an Exchange
server and I am wasting hours trying to do this root certificate deal.
I put in the OWA address in my Exchange account preferences and I
imported the "root CA" certificate into the Keychain, yet it always
says that is the incorrect certificate! Please help! Mahalo!
 
Barry Wainwright [MVP]

> Aloha -
>
> I am the only Mac user in my office and they just set up an Exchange
> server and I am wasting hours trying to do this root certificate deal.
> I put in the OWA address in my Exchange account preferences and I
> imported the "root CA" certificate into the Keychain, yet it always
> says that is the incorrect certificate! Please help! Mahalo!

Hi 'MetroBen'

Unfortunately, this is one of those issues I have never been able to resolve
myself.

The good news (for me) is that as an admin of the exchange domain, I can
insist that it remains permissible to use plain text transmission, so even
though when I first connect Entourage to the server I get three
notifications that the certificate is not valid, I can still communicate,
albeit less securely.

I could point you to this page:
<http://www.themachelpdesk.com/modules.php?op=modload&name=News&file=index&catid=&topic=19>

It didn't help resolve my problems, but it may help yours!

If it does work, please post back - I'd love to resolve the issue for myself
and then post a resolution for other users on my Entourage User's Weblog.
 
Chris Ridd

> If it does work, please post back - I'd love to resolve the issue for myself
> and then post a resolution for other users on my Entourage User's Weblog.

When I've had similar problems in the past, I've imported the
certificate directly into X509Anchors using the certtool program. No
more whinges from Entourage :)

    sudo certtool i root.crt k=/System/Library/Keychains/X509Anchors

Which presumes you can massage your cert into the right format, but
that's not too hard.

Cheers,
Chris
 
Corentin Cras-Méneur

Chris Ridd said:
> When I've had similar problems in the past, I've imported the
> certificate directly into X509Anchors using the certtool program. No
> more whinges from Entourage :)
>
> sudo certtool i root.crt k=/System/Library/Keychains/X509Anchors
>
> Which presumes you can massage your cert into the right format, but
> that's not too hard.
> Cheers,
> Chris

If you double-click the cert in the Finder, it *should* launch the
Keychain Access application. The thing is to select the X509 anchor as
the destination for the import then.

It *should* be fairly similar to the command line you are citing.

Corentin
 
Tim Murray

> Aloha -
>
> I am the only Mac user in my office and they just set up an Exchange
> server and I am wasting hours trying to do this root certificate deal.
> I put in the OWA address in my Exchange account preferences and I
> imported the "root CA" certificate into the Keychain, yet it always
> says that is the incorrect certificate! Please help! Mahalo!

Maybe I don't understand enough about OWA address -- how did you obtain the
root CA certificate anyway?
 
Chris Ridd

> If you double-click the cert in the Finder, it *should* launch the
> Keychain Access application. The thing is to select the X509 anchor as
> the destination for the import then.
>
> It *should* be fairly similar to the command line you are citing.

I agree, but in my experience using Keychain Access for this hasn't
worked and certtool has. Maybe this all depends on the version of
Tiger; the last time I had to mess with this stuff was 10.4.early.

Cheers,

Chris
 
metroben

Aloha -

Through our admin guy.. Since in the instructions it said you needed
the root certificate.


Ben
 
metroben

Aloha -

After getting the certificate in the MS Cert Store and Keychain, and
ensuring the certificates in Keychain were "valid"... I found out that
the name on the certificate differed from the name I was putting in
Entourage > Accounts.

Under the account preferences I was using
https://webmail.yoursite.whatever/

when the certificate was issued for mail.yoursite.whatever

When I went into the account preferences and changed the FQDN to the
latter to match the certificate, it worked. You can test this out by
going to your OWA in Safari or Firefox and if you get an error about a
hostname mismatch then this is probably the reason. Seems simple, but
it took a long time to finally figure out. LOL.

Good luck!


Ben
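
The hostname mismatch described in the post above, as an added example that is not part of the original thread: the name a client verifies is the host part of whatever is typed into the account settings, and it must equal a name in the certificate. The function names and `CERT_NAMES` are hypothetical, the sample names are the post's own placeholders, and the wildcard handling goes beyond the single case in the post.

```python
from urllib.parse import urlsplit

# Constructed sample: the name the thread says the certificate was issued for.
CERT_NAMES = ["mail.yoursite.whatever"]


def configured_host(setting):
    """Hostname a client will verify, from a URL or bare name typed into the account settings."""
    text = setting.strip()
    if "://" not in text:
        text = "//" + text  # make urlsplit treat a bare name as the network location
    host = urlsplit(text).hostname
    if not host:
        raise ValueError("no hostname in %r" % setting)
    return host.rstrip(".").lower()


def name_matches(cert_name, host):
    """Case-insensitive, label-by-label match; '*' may stand for the whole left-most label only."""
    want = cert_name.rstrip(".").lower().split(".")
    have = host.rstrip(".").lower().split(".")
    if len(want) != len(have):
        return False
    if want[0] == "*":
        # A wildcard covers exactly one label and needs at least two fixed labels after it.
        return len(want) > 2 and want[1:] == have[1:]
    return want == have


def diagnose(setting, cert_names):
    """Return (ok, message) for the configured server setting against the certificate's names."""
    host = configured_host(setting)
    if any(name_matches(name, host) for name in cert_names):
        return True, "%s is covered by the certificate" % host
    return False, "%s is not among the certificate names: %s" % (host, ", ".join(cert_names))


if __name__ == "__main__":
    for setting in ("https://webmail.yoursite.whatever/", "mail.yoursite.whatever"):
        print(setting, "->", diagnose(setting, CERT_NAMES))
```

Trusting the root CA does not affect this check: a certificate that chains to a trusted root is still rejected when the configured name is not one of its names.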
 
Corentin Cras-Méneur

Chris Ridd said:
> I agree, but in my experience using Keychain Access for this hasn't
> worked and certtool has. Maybe this all depends on the version of
> Tiger; the last time I had to mess with this stuff was 10.4.early.


I've used it with success in 10.4.8, but I agree, it has been buggy in
the past.

Corentin
 
Corentin Cras-Méneur

> Through our admin guy.. Since in the instructions it said you needed
> the root certificate.

You can connect through Safari. The browser will tell you the
certificate is unknown, but if you examine the details about the
certificate, you can import it in your Keychain from the interface
there.


Corentin
 