Root Certificate for Exchange


Renda, Michael

I'm running Entourage 2004 on Mac OS X 10.3.8, communicating with Exchange
2003 on Windows Server 2003.

I'm getting a message when I start up Entourage that it can't establish a
secure link with my server because the root certificate is not installed.

I actually have two server certificates on that server. One certificate
comes from my internal CA. I use that one for internal security on my
network - VPN clients, etc. I generated a root certificate from my internal
CA and installed it on the Mac according to the instructions I found in the
KB.

The other is a public certificate that I got from Geotrust. I use that on
my web server for SSL access from the public.

My question is which root certificate is Entourage asking for? The internal
one on my network or the one I use for SSL access on my web server?

I would have thought that Mac would recognize Geotrust as a trusted CA - I
think they are a subsidiary of Verisign.

The other potential issue is the host name that the public certificate is
issued in. My Geotrust certificate is for 'www'. However, my Exchange
server is configured with the internal name for the server - 'FS1'. Is this
going to cause a problem with Entourage?
 

Corentin Cras-Méneur

Hi Michael,
> My question is which root certificate is Entourage asking for? The internal
> one on my network or the one I use for SSL access on my web server?

I would suspect the second one since Entourage actually accesses the
webmail server for Exchange.

> The other potential issue is the host name that the public certificate is
> issued in. My Geotrust certificate is for 'www'. However, my Exchange
> server is configured with the internal name for the server - 'FS1'. Is this
> going to cause a problem with Entourage?

I really don't know :-(

Corentin
 

Chris Ridd

> I'm running Entourage 2004 on Mac OS X 10.3.8, communicating with Exchange
> 2003 on Windows Server 2003.
>
> I'm getting a message when I start up Entourage that it can't establish a
> secure link with my server because the root certificate is not installed.
>
> I actually have two server certificates on that server. One certificate
> comes from my internal CA. I use that one for internal security on my
> network - VPN clients, etc. I generated a root certificate from my internal
> CA and installed it on the Mac according to the instructions I found in the
> KB.
>
> The other is a public certificate that I got from Geotrust. I use that on
> my web server for SSL access from the public.
>
> My question is which root certificate is Entourage asking for? The internal
> one on my network or the one I use for SSL access on my web server?

Good question. If the protocol used to talk to the mail server is something
directly on top of SSL, you could use an OpenSSL test client to print out
the certificate chain from the server:

openssl s_client -connect server:port -debug -verify none

e.g.:

openssl s_client -connect mail.mac.com:993 -debug -verify none

(port 993 is IMAP over SSL.) Press Control-C to kill the connection once it
is established.

Look for "Certificate chain" in the output, and the issuer of the last one
in the chain will usually be the CA.

> I would have thought that Mac would recognize Geotrust as a trusted CA - I
> think they are a subsidiary of Verisign.

The list of trusted CA certificates is in
/System/Library/Keychains/X509Anchors, which you can open in Keychain
Access.app.

> The other potential issue is the host name that the public certificate is
> issued in. My Geotrust certificate is for 'www'. However, my Exchange
> server is configured with the internal name for the server - 'FS1'. Is this
> going to cause a problem with Entourage?

All that's important is (I think) the hostname you use to refer to the mail
server. It must match the subject name in the certificate (or the
subjectAltName).

Cheers,

Chris
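The two checks Chris describes (read the issuer of the last certificate in the "Certificate chain" block to learn which CA must be trusted, and compare the hostname you connect to against the certificate's subject/subjectAltName) can be done offline against saved `openssl s_client` output. The following script is an added example, not code from the thread or from any of the products named in it; the sample output and all names in it are constructed for illustration, and the parsing and hostname-matching helpers are my own. The wildcard rule implemented is the usual one (a `*` matches exactly one leftmost label), which goes slightly beyond the exact-match case discussed above.

```python
import re
from typing import Dict, List

# Constructed sample of what `openssl s_client -connect host:port` prints
# around the "Certificate chain" section. Every name here is invented.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, O = Example Public CA, CN = Example Public Secure Server CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.com
   i:/C=US/O=Example Public CA/CN=Example Public Secure Server CA
 1 s:/C=US/O=Example Public CA/CN=Example Public Secure Server CA
   i:/C=US/O=Example Public CA/CN=Example Public Root CA
---
Server certificate
"""


def parse_chain(output: str) -> List[Dict[str, str]]:
    """Return [{'subject': ..., 'issuer': ...}, ...] in the order the server sent them."""
    chain: List[Dict[str, str]] = []
    in_chain = False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if in_chain and line.startswith("---"):
            break                      # end of the chain block
        if not in_chain:
            continue
        m = re.match(r"^\s*(\d+)\s+s:(.*)$", line)   # " 0 s:/C=.../CN=..."
        if m:
            chain.append({"subject": m.group(2).strip(), "issuer": ""})
            continue
        m = re.match(r"^\s*i:(.*)$", line)           # "   i:/C=.../CN=..."
        if m and chain:
            chain[-1]["issuer"] = m.group(1).strip()
    return chain


def common_name(dn: str) -> str:
    """Pull the CN out of a DN printed either as '/CN=x' or as 'CN = x'."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else ""


def root_ca_issuer(output: str) -> str:
    """CN of the issuer of the last certificate sent: the CA whose root
    certificate the client must have in its trust store."""
    chain = parse_chain(output)
    return common_name(chain[-1]["issuer"]) if chain else ""


def hostname_matches(hostname: str, cert_names: List[str]) -> bool:
    """Check the name used to reach the server against the names in the
    certificate (subject CN and any subjectAltName DNS entries).
    Comparison is case-insensitive; a leading '*.' matches one label only."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*."):
            suffix = n[1:]                                   # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_S_CLIENT_OUTPUT)
    for i, c in enumerate(chain):
        print(f"{i}: subject={common_name(c['subject'])!r} "
              f"issuer={common_name(c['issuer'])!r}")
    print("root CA that must be trusted:", root_ca_issuer(SAMPLE_S_CLIENT_OUTPUT))
    leaf_names = [common_name(chain[0]["subject"])]
    # A certificate issued to 'www...' does not cover a server reached as 'fs1'.
    for host in ("www.example.com", "fs1", "fs1.example.com"):
        verdict = "ok" if hostname_matches(host, leaf_names) else "MISMATCH"
        print(f"{host:20} -> {verdict}")
```

To use it on a real server, save the output of the `openssl s_client` command shown above to a file, then call `root_ca_issuer()` and `hostname_matches()` on its contents with the hostname that Entourage is configured to use; a MISMATCH means the certificate was issued for a different name than the one the client connects to, which is exactly the 'www' versus 'FS1' situation raised in the question.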
 