Hi Martin, Thank you for providing such a great software.
I fully agree with the reasoning you provided to not import root certificates automagically into the root store - but a possibility to move a certificate from the certificate store to the root store manually (without having to download and reimport it) would facilitate the handling. regards Christian On 16/03/16 11:32, Martijn Brinkers wrote: > On 16-03-16 11:11, Matthias Henze wrote: >> Hi, >> >> Stefan asked on my behalf. The problem was the misleading GUI and >> reading the texts also helped. The first, wrong, try was to import the >> certificate with "Import certificates" where the help text reads: >> >> -------------------------------------------------------------------- >> On this page, certificates can be imported. In most cases, imported >> certificate are the certificates of external recipients or, certificates >> from trusted CAs (intermediate and root certificates). Multiple >> certificates can be imported at the same time from a pem or p7b encoded >> file. >> -------------------------------------------------------------------- >> >> If read, this implies that NO key gets imported as PKCS7 does not >> contain it. What fixes this is "Import Private Keys". And this is where >> the GIU is misleading. The help text reads: >> >> -------------------------------------------------------------------- >> On this page, private keys and their associated certificates can be >> imported. In most cases, imported keys and the associated certificates >> are for internal users only. The keys are used for S/MIME signing of >> outgoing email and for the decryption of incoming S/MIME encrypted >> email. Keys from password protected pfx or p12 files can be imported. >> -------------------------------------------------------------------- >> >> Bingo. Here PKCS12 files containing the certificate AND the key can be >> imported and not only keys. Misleading is that "Import Private Keys" >> does not only import keys but also certificates. Doing so fixed every >> thing. The imported certificate could now be used for signing: >> >> Private Key Available true >> Private Key Accessible true >> >> I suggest to allow PKCS12 in "Import certificates" also. This seems to >> me to be more consistent. All CAs I know ship their s/MIME certificates >> as PKCS12. I can't imagine any use case for importing a key for a s/MIME >> certificate separately. > > I could have named it "import keys and certificates" but this would have > been too long and misleading as well :) It's hard to come up with an > interface that everyone agrees on. I have been thinking of merging the > import keys and import certificates into one "import certificates" page. > The "problem" might be that users think they need to enter a password > when they only want to import a public key. But, I think it's a good > idea to merge the two pages into just one. > > >> IMHO "Import Private Keys" has a minor bug. My PKCS12 files also contain >> the complete certificate chain. The root and intermediate certificate >> also get imported in "Certificates" instead into "Roots" where they IMHO >> belong. I've imported the root and intermediate certificate into >> "Roots", but I'm not sure if this is necessary or correct. At least it >> was no harm. > > This is certainly no bug. It's intended behavior. You do not want the > system to automagically import root certificates without admin approval. > Since you do not know what certs are in the PKCS12 file, the gateway > cannot just import the roots into the root store. If the gateway would > have skipped roots (i.e., do not import into the certificates store) you > would not be able to import the roots into the root store later. Of > course I could have added a complicated screen which allows you to see > what you are importing etc. but this has it's own problems. Therefore > all new certs are imported into the certificates store. When I merge the > import key and import certs into one page, there will be an option which > allows you to skip importing roots. > > Kind regards, > > Martijn Brinkers > > >> Am 16.03.2016 um 09:43 schrieb Stefan Michael Guenther: >>> Hello, >>> >>> in our Ciphermail installation I have two certificates for my email >>> address: One created by StartSSL and one created by the CA of >>> Ciphermail . >>> >>> The StartSSL certificate lists as KeyUsage "keyEncipherment, >>> dataEncipherment, digitalSignature" and the local CA "keyEncipherment, >>> digitalSignature". >>> >>> But in the user profile, when I choose "S/MIME -> signing certificate" >>> the system only offers the local certificate. >>> Even in an account that only has the StartSSL certificate, this is not >>> offered for signing. >>> >>> What could be the reason for that? >>> >>> Regards, >>> >>> Stefan >>> >>> _______________________________________________ >>> Users mailing list >>> [email protected] >>> https://lists.djigzo.com/lists/listinfo/users >>> >> >> > > _______________________________________________ Users mailing list [email protected] https://lists.djigzo.com/lists/listinfo/users
