Doug F. wrote:
Imap noob alert!
Most of my clients use Outlook or Outlook Express. Each time either client is opened they get the cert warning about it not being verified. Looks like this:
The server you are connected to is using a security certificate that could not be verified.
A certificate chain processed correctly, but terminated in a root certificate which is not trusted by the trust provider.
Do you want to continue using this server?
If they click yes then all is well until they shut down and then open their client again. I am looking at the README.SSL and I think that step #3 (I am currently running with the directions in step #2) will take care of my problem. I'm not sure tho as I cannot get this step to work:

    openssl req -newkey rsa:1024 -keyout bincimap.key -CA ca.pem -nodes -x509 -days 365 -out bincimap.crt
Here is my error:

    $ openssl req -newkey rsa:1024 -keyout bincimap.key -CA ca.pem -nodes -x509 -days 365 -out bincimap.crt
    unknown option -CA
    req [options] <infile >outfile
    where options are
     -inform arg        input format - DER or PEM
     -outform arg       output format - DER or PEM
     -in arg            input file
     -out arg           output file
     -text              text form of request
     -pubkey            output public key
     -noout             do not output REQ
     -verify            verify signature on REQ
     -modulus           RSA modulus
     -nodes             don't encrypt the output key
     -engine e          use engine e, possibly a hardware device
     -subject           output the request's subject
     -passin            private key password source
     -key file          use the private key contained in file
     -keyform arg       key file format
     -keyout arg        file to send the key to
     -rand file:file:...
                        load the file (or the files in the directory) into
                        the random number generator
     -newkey rsa:bits   generate a new RSA key of 'bits' in size
     -newkey dsa:file   generate a new DSA key, parameters taken from CA in 'file'
     -[digest]          Digest to sign with (md5, sha1, md2, mdc2, md4)
     -config file       request template file.
     -subj arg          set or modify request subject
     -new               new request.
     -batch             do not ask anything during request generation
     -x509              output a x509 structure instead of a cert. req.
     -days              number of days a certificate generated by -x509 is valid for.
     -set_serial        serial number to use for a certificate generated by -x509.
     -newhdr            output "NEW" in the header lines
     -asn1-kludge       Output the 'request' in a format that is wrong but some CA's
                        have been reported as requiring
     -extensions ..     specify certificate extension section (override value in config file)
     -reqexts ..        specify request extension section (override value in config file)
     -utf8              input characters are UTF8 (default ASCII)
     -nameopt arg       - various certificate name options
     -reqopt arg        - various request text options
Looks like it don't understand the -CA option. So anyway is this the step that I need to do to get the warning box to go away? This is on OpenBSD if that makes any difference. Other than this everything looks like it works fine. Much love to the developers.
Thanks, Doug
There's a guide to generating and signing OpenSSL certificates at http://tirian.magd.ox.ac.uk/~nick/openssl-certs/ca.shtml. Try following the steps there; it works for me. Remember that O/OE must have the root certificate placed in the trusted store.
Good luck!
Anders
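The usage listing in the error above shows that this `openssl req` has no `-CA` option; CA signing is done by `openssl x509 -req`, which takes `-CA` and `-CAkey`. The sketch below is an added example, not taken from README.SSL or from the linked guide: it builds a private CA, signs a server certificate with it, and verifies the chain. The file names `ca.key` and `bincimap.csr`, the subject strings and the host name are assumptions, and it uses 2048-bit keys rather than the 1024-bit key in the original command.

```shell
#!/bin/sh
# Added example: private CA plus a CA-signed server certificate.
# Assumed names: ca.key, bincimap.csr, "Example Org", "Example Mail CA".

# Runs in a subshell ( ... ) so the caller's working directory is untouched.
make_signed_cert() (
    dir=$1     # output directory
    host=$2    # name clients connect to; it must match the certificate CN

    mkdir -p "$dir" && cd "$dir" || exit 1

    # 1. CA key and self-signed root certificate. This is the only place
    #    where 'req -x509' is used.
    openssl req -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 365 \
        -subj "/O=Example Org/CN=Example Mail CA" -out ca.pem 2>/dev/null || exit 1

    # 2. Server key and certificate signing request (no -x509, no -CA).
    openssl req -newkey rsa:2048 -nodes -keyout bincimap.key \
        -subj "/O=Example Org/CN=$host" -out bincimap.csr 2>/dev/null || exit 1

    # 3. Sign the request with the CA. -CA and -CAkey belong to 'x509'.
    openssl x509 -req -in bincimap.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -days 365 -out bincimap.crt 2>/dev/null || exit 1

    # Private keys stay on the server, readable by their owner only.
    chmod 600 ca.key bincimap.key || exit 1

    # 4. Check that bincimap.crt chains to ca.pem; prints "bincimap.crt: OK".
    openssl verify -CAfile ca.pem bincimap.crt
)

# Usage: sh make-cert.sh ./certs imap.example.org
if [ $# -eq 2 ]; then
    make_signed_cert "$1" "$2"
fi
```

Only `ca.pem` is distributed to clients for import into their trusted root store; `ca.key` and `bincimap.key` are never handed out.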
