Trouble importing Exchange Certificates into Mac OS 10.3

Gerry Simmons

Initially, the issue was that when connecting Entourage 2004 to an Exchange
Server, it always complained that I didn't have a Root Certificate
installed. So, I read up a bit, and requested a Root Certificate for our
Exchange Server from my Admin.

We're running SBS 2003 with Exchange 2003. When I got the certificate, I
tried importing into the Keychains application using the information
provided by Entourage help. But, I got no feedback from the process, and
nothing changed in the behavior of Entourage 2004.

My Admin pointed me to an article he had found about how to do this. It
seemed to follow the way Entourage help suggested for OS 10.2.8. It even
pointed me to a tool called CerttoolGUI for a nice UI. Both methods say that
the import failed, but give no additional information.

Can anyone help?

I'm running OS 10.3.6.

-Gerry
 
Barry Wainwright

Initially, the issue was that when connecting Entourage 2004 to an Exchange
Server, it always complained that I didn't have a Root Certificate
installed. So, I read up a bit, and requested a Root Certificate for our
Exchange Server from my Admin.

We're running SBS 2003 with Exchange 2003. When I got the certificate, I
tried importing into the Keychains application using the information
provided by Entourage help. But, I got no feedback from the process, and
nothing changed in the behavior of Entourage 2004.

My Admin pointed me to an article he had found about how to do this. It
seemed to follow the way Entourage help suggested for OS 10.2.8. It even
pointed me to a tool called CerttoolGUI for a nice UI. Both methods say that
the import failed, but give no additional information.

Can anyone help?

I'm running OS 10.3.6.

-Gerry

Try this:

The Mac Help Desk :: Mac OS X Support, Tech Info, Opinions, & Product Info
<http://www.themachelpdesk.com/>

About half way down the page is a section headed "Working around SSL Root
Certificate Errors with Entourage 2004 and Microsoft Exchange"
 
Corentin Cras-Méneur

Hi Barry,
Try this:

The Mac Help Desk :: Mac OS X Support, Tech Info, Opinions, & Product Info
<http://www.themachelpdesk.com/>

About half way down the page is a section headed "Working around SSL Root
Certificate Errors with Entourage 2004 and Microsoft Exchange"


It's a good site. Unfortunately I can't do any of that here because my
web admin doesn't see the point and refuses to provide us with the root
certificate :-(

Corentin
 
Chris Ridd

Hi Barry,



It's a good site. Unfortunately I can't do any of that here because my
web admin doesn't see the point and refuses to provide us with the root
certificate :-(

If the server's sending the complete certificate chain, then you can grab
the certificates using OpenSSL, and copy and paste.

Type at the terminal:

openssl s_client -connect server:port -showcerts -debug

Change server and port as appropriate.

You have to type Control-C to stop the program, and when you do, scroll back
until you find the Certificate chain section. You should see a series of
lines like this:

0 s:/something/including/CN=your.server.name
i:/something/else1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 s:/something/else1
i:/something/else2
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Copy each set of lines starting BEGIN CERTIFICATE to END CERTIFICATE
(including those lines) into a text file, and import that into your
Keychains using the MS Cert Manager or Keychain Access. Copy the last one
into the Apple Trusted Roots...

Cheers,

Chris
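
The copy-and-paste step described in the post above can be scripted. This is an added example, not part of the original thread; the function names, file names and the sample `s_client` output are constructed for illustration.

```shell
#!/bin/sh
# Real use (server:port as in the post; </dev/null ends the session
# without needing Control-C):
#   openssl s_client -connect server:port -showcerts </dev/null >chain.txt

# Constructed sample of s_client output; certificate bodies are placeholders.
write_sample() {
    cat >"$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=Example/CN=mail.example.com
   i:/O=Example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:/O=Example/CN=Example Issuing CA
   i:/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Example/CN=mail.example.com
EOF
}

# split_chain FILE PREFIX: write each PEM block to PREFIX0.pem, PREFIX1.pem, ...
# in chain order and print how many certificates were written.
split_chain() {
    awk -v prefix="$2" '
        BEGIN { n = 0 }
        /^-----BEGIN CERTIFICATE-----/ { out = prefix n ".pem"; inblock = 1 }
        inblock { print > out }
        /^-----END CERTIFICATE-----/ { close(out); inblock = 0; n++ }
        END { print n }
    ' "$1"
}

# chain_subjects FILE: print the "N s:..." subject line of each chain entry.
chain_subjects() {
    sed -n 's/^ *\([0-9][0-9]* s:.*\)$/\1/p' "$1"
}

# Demonstration on the constructed sample.
tmp=$(mktemp -d) && write_sample "$tmp/chain.txt"
echo "certificates written: $(split_chain "$tmp/chain.txt" "$tmp/cert")"
chain_subjects "$tmp/chain.txt"
```

The highest-numbered file is the last certificate in the chain. Before adding it to a trusted-roots keychain, compare its fingerprint (`openssl x509 -noout -fingerprint -in cert1.pem`) with a value obtained from the server administrator through a separate channel.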
 
Corentin Cras-Méneur

Chris Ridd said:
If the server's sending the complete certificate chain, then you can grab
the certificates using OpenSSL, and copy and paste.

It's unfortunately not going to happen for me. The admin didn't like the
idea that I would be playing with this and disabled SSL... Ironic isn't
it ??

Corentin
 
Gerry Simmons

I WAS able to install the Server Certificate in Microsoft Cert Manager, and
it shows up as valid under Intermediate Certificate Authorities. I deleted
"~/Library/Preferences/OfficeSync Prefs" like it said, and set LDAP to the
server with SSL on, and have DAV set to SSL.

No Joy. Still getting the complaint of not having a root certificate.

More clues??

-Gerry
 
Gerry Simmons

Another interesting point to note.

I went into OWA for our server, and Safari no longer complains about not
having a valid certificate for this server!!!

My problem may be related to convincing Entourage to use my certificate.

-Gerry
 
Gerry Simmons

I may have found the problem. My SysAdmin generated an X.509 (.CER)
certificate, and the instructions have you create a Personal Information
Exchange (.PFX) certificate.

I'm asking my SysAd to generate the .PFX cert.

-Gerry
 
Paul Berkowitz

It's unfortunately not going to happen for me. The admin didn't like the
idea that I would be playing with this and disabled SSL... Ironic isn't
it ??

You've been writing about this guy for some time now, Corentin. Maybe it's
time for you to write to someone senior to him? It's about time he got into
trouble for being so obstructive.
 
Corentin Cras-Méneur

Paul Berkowitz said:
You've been writing about this guy for some time now, Corentin. Maybe it's
time for you to write to someone senior to him? It's about time he got into
trouble for being so obstructive.

I tried, but there is no one senior to him I could find...


Corentin
 
Gerry Simmons

OK. I'm still in need of some assistance. I've been working on this problem
for 2 days now. I think I've got the Certificate thing worked out. I've
installed the Root Certificate for our server in the following Keychains:
simmons, Microsoft_Intermediate_Certificates,
Microsoft_Entity_Certificates, System, AND X509Anchors.

I've confirmed their presence with the certtool command line program,
Microsoft Cert Manager, and KeyChain Access.

Safari seems to have no issue using the certificate for OWA access to our
exchange server.

HOWEVER! Entourage 2004 still insists IT'S NOT THERE!!!

What gives!!

-Gerry
 