C
Corentin Cras-Méneur
Hi All,
I was reading the OmniWeb Help files yesterday and found the most
interesting paragraph for certificates in the "Advanced Topics".
Some servers use self signed certificates and Entourage complains that
the certificate is unknown.
To get the cert, you can of course request it from the Administrator,
but in more than one case, the admin doesn't send the cert and people
are left out with the warning every time they try to get their mail over
SSL.
Here is what the OmniWeb Help offers as a workaround:
OmniWeb Help > Avanced Topics:
If that doesn't work, then you can ask the server itself for its
certificates. Open a Terminal window and type openssl s_client
-showcerts -connect SERVERHOSTNAME:443 (where SERVERHOSTNAME is, of
course, the server's hostname. The "443" is the normal port number for
HTTPS.) This should spit out a few pages of information, starting with
the word "CONNECTED" and ending with a line of three dashes. Hit
control-C to quit openssl.
In the middle of the output should be the certificate chain offered by
the server. There might just be one certificate, or there might be
several. The first certificate is the server's own certificate. The next
one is the certificate of whoever issued the server's certificate,
followed by whoever issued that cert, and so on until you reach the root
of authority. That last one is the one you want. Copy-and-paste it
(including the BEGIN/END lines) into a text file, ideally one whose name
ends in ".pem".
2. Put the certificate where OmniWeb will find it.
I recommend using the keychain, because then you can see (and delete)
the certificate using Keychain Access. To add a certificate (in .pem
format) to your keychain, type the following command in a terminal
window:
certtool i /path/to/pemfile
You can do this by just typing certtool i , with the trailing space, and
then dragging the .pem file's icon onto the window. Anyway, certtool
should respond "certificate successfully imported", and you can then see
the certificate in Keychain Access and it will be used by OmniWeb.
If you want to store the cert in one of the RootCerts.pem files
mentioned above, you can just move/rename the .pem file you have, or (if
the other .pem file already exists) append the new block of text to the
existing list of certs. The order of certs in a .pem file doen't matter.
Example of a certificate in .PEM format
This is the relevant snippet of the output of "openssl s_client..."
talking to my test webserver:
2 s:/C=US/ST=Washington/L=Seattle/O=JJJJ Associates/OU=Dummy
Security/[email protected]
i:/C=US/ST=Washington/L=Seattle/O=JJJJ Associates/OU=Dummy
Security/[email protected]
-----BEGIN CERTIFICATE-----
MIICgDCCAemgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhTELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGDAWBgNVBAoT
D0hISEggQXNzb2NpYXRlczEXMBUGA1UECxMORHVtbXkgU2VjdXJpdHkxHDAaBgkq
hkiG9w0BCQEWDXdpbWxAaGhoaC5vcmcwHhcNMDMwODE4MjAxMDA3WhcNMDQwODE3
MjAxMDA3WjCBhTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
BgNVBAcTB1NlYXR0bGUxGDAWBgNVBAoTD0hISEggQXNzb2NpYXRlczEXMBUGA1UE
CxMORHVtbXkgU2VjdXJpdHkxHDAaBgkqhkiG9w0BCQEWDXdpbWxAaGhoaC5vcmcw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALTFv4ts52lXl0aomu9/LaOfiUZx
Jdtb3BfSKkem2feD0AhAIX/1k1KLiOi6PB3aRGyXwxs5AOPxjloc/q6mpGRaJy/w
nJ/LfSG6TSsvrVY4Ksu2rTAQ9Io35PX1OUsgHDWkKOwHoAzLNgK7Q9I2lflDSPuZ
6Sk748VhDvzGSBEBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAhUnqFeO30hr7N888
NnQT/aDuJL8MoDqQkSkXUdVj+5F2m/Ssf7mqApKh/2GiXkL2cJ38XfWXi+gLFgv/
Do8cuh3h2oBxY7ylrBD9AmFHa8oRQboS4npV9GVgue/K/YtxqQOrrW2IY3Ikm6RY
ln6CdGy7bmMRr5qMuDxhlT37Cg0=
-----END CERTIFICATE-----
The certificate is the stuff from BEGIN CERTIFICATE to END CERTIFICATE
(inclusive). The two lines before it are from OpenSSL describing what
the certificate is. The s: line indicates the subject, i.e., who or what
the certificate is for. The i: line indicates the issuer, i.e., who is
vouching for the subject's authenticity. Since this is the root cert,
the two lines are the same. Subjects and issuers are described in the
X.500 format; the example here includes the country, state, city
(locality), organization, organizational sub-unit (the "Dummy Security"
department of "JJJJ Associates"), and email address
I played around with it yesterday and it worked LIKE CHARM!
Corentin
I was reading the OmniWeb Help files yesterday and found the most
interesting paragraph for certificates in the "Advanced Topics".
Some servers use self signed certificates and Entourage complains that
the certificate is unknown.
To get the cert, you can of course request it from the Administrator,
but in more than one case, the admin doesn't send the cert and people
are left out with the warning every time they try to get their mail over
SSL.
Here is what the OmniWeb Help offers as a workaround:
OmniWeb Help > Avanced Topics:
If that doesn't work, then you can ask the server itself for its
certificates. Open a Terminal window and type openssl s_client
-showcerts -connect SERVERHOSTNAME:443 (where SERVERHOSTNAME is, of
course, the server's hostname. The "443" is the normal port number for
HTTPS.) This should spit out a few pages of information, starting with
the word "CONNECTED" and ending with a line of three dashes. Hit
control-C to quit openssl.
In the middle of the output should be the certificate chain offered by
the server. There might just be one certificate, or there might be
several. The first certificate is the server's own certificate. The next
one is the certificate of whoever issued the server's certificate,
followed by whoever issued that cert, and so on until you reach the root
of authority. That last one is the one you want. Copy-and-paste it
(including the BEGIN/END lines) into a text file, ideally one whose name
ends in ".pem".
2. Put the certificate where OmniWeb will find it.
I recommend using the keychain, because then you can see (and delete)
the certificate using Keychain Access. To add a certificate (in .pem
format) to your keychain, type the following command in a terminal
window:
certtool i /path/to/pemfile
You can do this by just typing certtool i , with the trailing space, and
then dragging the .pem file's icon onto the window. Anyway, certtool
should respond "certificate successfully imported", and you can then see
the certificate in Keychain Access and it will be used by OmniWeb.
If you want to store the cert in one of the RootCerts.pem files
mentioned above, you can just move/rename the .pem file you have, or (if
the other .pem file already exists) append the new block of text to the
existing list of certs. The order of certs in a .pem file doen't matter.
Example of a certificate in .PEM format
This is the relevant snippet of the output of "openssl s_client..."
talking to my test webserver:
2 s:/C=US/ST=Washington/L=Seattle/O=JJJJ Associates/OU=Dummy
Security/[email protected]
i:/C=US/ST=Washington/L=Seattle/O=JJJJ Associates/OU=Dummy
Security/[email protected]
-----BEGIN CERTIFICATE-----
MIICgDCCAemgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhTELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGDAWBgNVBAoT
D0hISEggQXNzb2NpYXRlczEXMBUGA1UECxMORHVtbXkgU2VjdXJpdHkxHDAaBgkq
hkiG9w0BCQEWDXdpbWxAaGhoaC5vcmcwHhcNMDMwODE4MjAxMDA3WhcNMDQwODE3
MjAxMDA3WjCBhTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
BgNVBAcTB1NlYXR0bGUxGDAWBgNVBAoTD0hISEggQXNzb2NpYXRlczEXMBUGA1UE
CxMORHVtbXkgU2VjdXJpdHkxHDAaBgkqhkiG9w0BCQEWDXdpbWxAaGhoaC5vcmcw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALTFv4ts52lXl0aomu9/LaOfiUZx
Jdtb3BfSKkem2feD0AhAIX/1k1KLiOi6PB3aRGyXwxs5AOPxjloc/q6mpGRaJy/w
nJ/LfSG6TSsvrVY4Ksu2rTAQ9Io35PX1OUsgHDWkKOwHoAzLNgK7Q9I2lflDSPuZ
6Sk748VhDvzGSBEBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAhUnqFeO30hr7N888
NnQT/aDuJL8MoDqQkSkXUdVj+5F2m/Ssf7mqApKh/2GiXkL2cJ38XfWXi+gLFgv/
Do8cuh3h2oBxY7ylrBD9AmFHa8oRQboS4npV9GVgue/K/YtxqQOrrW2IY3Ikm6RY
ln6CdGy7bmMRr5qMuDxhlT37Cg0=
-----END CERTIFICATE-----
The certificate is the stuff from BEGIN CERTIFICATE to END CERTIFICATE
(inclusive). The two lines before it are from OpenSSL describing what
the certificate is. The s: line indicates the subject, i.e., who or what
the certificate is for. The i: line indicates the issuer, i.e., who is
vouching for the subject's authenticity. Since this is the root cert,
the two lines are the same. Subjects and issuers are described in the
X.500 format; the example here includes the country, state, city
(locality), organization, organizational sub-unit (the "Dummy Security"
department of "JJJJ Associates"), and email address
I played around with it yesterday and it worked LIKE CHARM!
Corentin