Root Cert Errors on Tiger with SP2


Pete Shaw

I wanted to wait till after SP2 (thank you to the Microsoft BU for the
other improvements to Entourage) was released to see if there was any
change in behaviour - as the symptoms below affect both SP1 & SP2 of
Office 2004 - I have reviewed all the postings I could see but none of
the info has solved the problem for me.
--
I have been wrestling with getting some certs to work properly in our
Exchange DEV environment.
We have a servername.region.dev.domain.tld cert, referencing an
intermediate authority referencing the root CA cert. (Just for
background, we have our own CA, various intermediate authorities and every
staff member has a personal cert).

I am having certificate errors despite having the appropriate
intermediate cert (in Microsoft_Intermediate_Certificates) & root cert
being in the x509 anchors (with flags set to always trust). I can
connect and communicate over SSL but I am trying to negate the 'unable
to establish a secure connection to server.xx.xxx.tld because the
correct root certificate is not installed' messages. All certs show as
valid.

I can connect to the same server through OWA with no errors and to
other web based resources that require a personal cert (signed by the
same intermediate CA as the server cert). However, if I connect through
Entourage I still get the unable to verify root dialog (even though it will
connect and send/receive through SSL fine). (Note I am using the FQDN in
every instance.)

If I :

sudo openssl s_client -connect servername.region.dev.domain.tld:443
-CApath ~/Desktop/certs

it works fine (as long as I rehash the certs folder after copying the
intermediate and root to that location). If I don't specify the -CApath
I can connect but get 'depth=1 /O=rootCA.com/OU=intermediateCA3 verify
error:num=20:unable to get local issuer certificate' - I'm presuming
that OpenSSL isn't keychain aware and that is normal behaviour.

I also have tried installing the certs (anchors and intermediate etc.)
and even tried adding through the Microsoft cert manager using the root
cert installation procedure at:
http://www.themachelpdesk.com/modules.php?op=modload&name=News&file=index&catid=&topic=19

& also http://support.microsoft.com/default.aspx?scid=kb;en-us;887413

Also installing through different cert formats (our CA provides pem,
cacert, & der) + converting certs to different formats by
importing/exporting through keychain, but to no joy. Also tried
installing as a local admin & root (just in case).

I'm on OS X 10.4.2 using Entourage 2004 (latest patches) to Exchange
2003 & have also used the keychain certificate assistant, which I can
get to show everything as valid. All certs have a valid status in the
keychain cert viewer, and I made sure I don't have duplicates when I
have been trying different combinations.

The other relevant info is that this is an OWA frontend server - I am
in the process of sorting a cert for the backend server to try that,
although I was not expecting to need this (as the web browser doesn't).
The other thing I wanted to note is that when we exported the server cert
from the 2003 box (to a pfx, as per the machelpdesk instructions), on
importing, the private key's name appears to be the key itself, whereas
other private keys' names are more descriptive (i.e. Petes rootCA.com
Private key) with the key hidden - I was not sure if this should be
expected behaviour.

Any ideas?

cheers

Pete