ot: accepting self certs into win pc?
A few months ago I got a new Dovecot/Postfix server with a self-issued certificate (like the previous server), transferred the users, and all went well
EXCEPT for one user on Win/Outlook (or Outlook Express) who tells me his new PC 'doesn't want to accept the certificate' (sorry, I'm short on exact details at this time)
I need to get it sorted out; I expect it 'should just work' like it did for the other users, BUT, before I start looking, I'm trying to 'educate myself' better
if anyone has any pointers, dos or don'ts regarding Win email clients with a self-certified server, please point me that way
is using IE with www.dom.com/mycert.crt a good place to start? (after copying mycert.crt to a web-linked directory first?)
thanks, V
On 10/06/2014 01:48, voytek@sbt.net.au wrote:
I get endless grief over this, but if you think Microsoft is bad, try Apple. I wrote some notes on it once:
http://blog.frankleonhardt.com/2012/certificate-errors-on-internet-explorer-9-and-how-to-stop-them/
I didn't mention it in the post, but IIRC this did work for making some versions of Outlook (and other Microsoft Mail things) happy at the same time.
Regards, Frank.
On Tue, June 10, 2014 11:10 am, Frank Leonhardt wrote:
Frank,
thanks for the link, very helpful !!
however, I'm not sure I get this:
"The trick is to run Internet Explorer as Administrator (not just when logged in as Administrator). "
so, I need to log in as Administrator, and, then, what else ?
On 11 June 2014 9:44:43 am AEST, voytek@sbt.net.au wrote:
please disregard, found it
-- Sent from Kaiten Mail. Please excuse my brevity.
Hi Frank, list,
On 6/10/2014 3:10, Frank Leonhardt wrote:
But do the above steps work for folks here? I've tried them (IE 11, Win7, Outlook 2013) but Outlook keeps asking about (self-signed) IMAPS certificates.
Is it just me who cannot import self-signed certificates into Microsoft products anymore?
MJ
Apologies. I noticed only now that the certificate was issued for the real servername, and I'm using a dns alias to connect.
Sorry.
On 11/06/2014 10:00, mourik jan heupink - merit wrote:
There is an option to fiddle with (mentioned in the blog) to tell SOME MS software to ignore name mismatches. Make a wish and try it :-)
Hi Frank, list,
There is an option to fiddle (mentioned in the blog) to tell SOME MS software to ignore name mismatches. Make a wish and try it :-)
True, but:
Unfortunately it’s either on or off; you can’t set it to ignore a mis-match for particular names only. Because of the risk that someone might be impersonating your bank, you’d probably be best to leave this one checked and put up with the red warnings.
So I think I'll just regenerate my certificate to match the hostname alias we use, instead of the actual hostname.
Anyway: your blog is appreciated, thank you! :-)
Am 11.06.2014 10:56, schrieb mourik jan heupink - merit:
Seriously, you need to set up a webserver using the same certificate and point MSIE to that server; you can then import the certificate, and Outlook uses the same trust store.
On 11/06/2014 09:56, mourik jan heupink - merit wrote:
I did say it was a PITA and I did say it was using IE9! It's only a place to start.
Another method that *has* worked is to download the certificate as a file ending in .cer. Open it and it'll give you the option to install it. As the blog says, I always install certificates in the place where they can be used for absolutely everything!
You can convert a .pem to .cer, which is actually PKCS#12/PFX, using something like:
openssl pkcs12 -inkey my_key.pem -in my_cert.cert -export -out my_pfx.cer
I'm not guaranteeing this, and I could even be talking complete rubbish. I know enough about this stuff to know that I don't understand it fully, but I do know what's worked by pure dumb luck in the past!
Regards, Frank.
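Added example, not from the thread, from Dovecot or from Frank's blog: both problems raised above can be checked on the server with openssl before anyone touches a Windows box. MJ's problem was a certificate issued for the real server name while clients connect to a DNS alias; Frank's .cer idea is sound, but `openssl pkcs12 -export` with -inkey bundles the private key into the file, which is not something to hand to users. The script below generates a self-signed certificate whose SAN covers both names, reports which connect names a given certificate covers (the test Outlook and IE apply), and exports the certificate alone as a DER .cer. The host names imap.example.org and mail.example.org are made up, it needs openssl 1.1.1 or newer for -addext, and it leaves its files in a temp directory for inspection.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot. Hostnames are
# made up: imap.example.org is the "real" server name, mail.example.org the
# DNS alias users actually type into Outlook. Needs openssl >= 1.1.1 (-addext).

WORK="${WORK:-$(mktemp -d)}"   # generated files stay here for inspection

# Self-signed cert whose subjectAltName lists every name clients may use.
# $1 key file, $2 cert file, $3 primary host (also the CN), $4.. extra hosts
make_selfsigned_cert() {
    key=$1; crt=$2; cn=$3; shift 3
    san="DNS:$cn"
    for h in "$@"; do san="$san,DNS:$h"; done
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$key" -out "$crt" -subj "/CN=$cn" \
        -addext "subjectAltName=$san" >/dev/null 2>&1
}

# DNS names from the certificate's SAN, one per line. Clients match the
# name they connect to against the SAN; do not rely on the CN alone.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Exit 0 if cert $1 covers connect name $2 (exact match; the thread's
# certificates carry no wildcards, so those are deliberately not handled).
cert_covers_host() {
    san_dns_names "$1" | grep -qxF -- "$2"
}

# Export only the public certificate as DER (.cer). This is what to give to
# users; a pkcs12 export with -inkey would ship the private key as well.
export_cer() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# SHA-256 fingerprint of a PEM cert, for comparing against what the live
# imaps/https endpoints present before anyone imports anything.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# --- worked run ----------------------------------------------------------
# 1. Certificate for the real name only: fine for imap.example.org, but a
#    client configured with the alias keeps warning (MJ's situation).
make_selfsigned_cert "$WORK/real.key" "$WORK/real.pem" imap.example.org
# 2. Regenerated with the alias in the SAN as well (MJ's fix).
make_selfsigned_cert "$WORK/both.key" "$WORK/both.pem" imap.example.org mail.example.org

for c in real both; do
    for host in imap.example.org mail.example.org; do
        if cert_covers_host "$WORK/$c.pem" "$host"; then
            printf '%s.pem covers %s\n' "$c" "$host"
        else
            printf '%s.pem does NOT cover %s -> client warns\n' "$c" "$host"
        fi
    done
done

# 3. The file to distribute: certificate only, no key.
export_cer "$WORK/both.pem" "$WORK/mail.cer"
printf 'wrote %s, sha256 %s\n' "$WORK/mail.cer" "$(cert_fingerprint "$WORK/both.pem")"
```

On the Windows side, copy mail.cer over and, from an elevated prompt, `certutil -addstore Root mail.cer` places it in the machine's Trusted Root Certification Authorities store; that is the store Outlook consults and is what the "run IE as admin, accept" dance in this thread achieves through the GUI. Two caveats: a client that trusts the certificate this way trusts that exact certificate, so regenerating it (as MJ planned) means every client imports again; and compare the fingerprint printed above with what the live server presents (`openssl s_client -connect mail.example.org:993 </dev/null | openssl x509 -noout -fingerprint -sha256`) so you know it is the IMAPS certificate being imported and not some other one.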
On Wed, June 11, 2014 6:56 pm, mourik jan heupink - merit wrote:
easy peasy, thanks!!
the secret ingredient was 'run as the wind', oops, 'run as admin'
invoked IE as admin, called https://webmail, accept, bingo, Outlook no longer asking, done
thanks, Frank, thanks, guys 'n' gals
Am 24.06.2014 15:29, schrieb voytek@sbt.net.au:
The point is not to run it as admin; the point is to open https://samehostname-as-imap from MSIE.
Outlook and MSIE share the same trust store. Outlook is too dumb to import a certificate; recent versions of MSIE allow you to do so.
Don't use self signed certs! - Buy some, or use free services! Your reputation will grow!
Cheers!
Am 24.06.2014 17:03, schrieb Patrick De Zordo:
Don't use self signed certs! - Buy some, or use free services! Your reputation will grow!
pfff, you know what testing and private systems are?
in both cases there is no reputation that will grow, and when it comes to the question of trust, depending on the user base, self-signed ones may be more trustworthy than an unconditionally trusted CA somewhere in Turkey..... sadly only if you remove all the corrupt CAs from your clients
so until you have asked what use case the certificates are for, your "buy some" is nonsense
Well, I'm reading what I see, and there is no testing system mentioned as far as I can see? Probably in an old post, some time ago?
If it is a test environment you could do what you want, that's true; but if you are just testing, it would not be that big a problem to suppress the certificate validity error.
Nothing else to amend from my side.
On Tue, 24 Jun 2014 17:03:09 +0200 Patrick De Zordo <patrick@spamreducer.eu> wrote:
Don't use self signed certs! - Buy some, or use free services! Your reputation will grow!
I am sorry, but someone _has_ to say it: if anyone really thinks that a South African or US entity selling certs is the way to "grow your reputation", this alone should tell you that the whole thing is nothing but a bogus _business_. It has zero to do with security or the like. It is a _business_, and it should be obvious that you will only be lied to by the corresponding entity if something bad happened (probably for years). Look at the DigiNotar story and _learn_.
The only way to make certs worth using again is to create a way every client can verify a self-signed certificate by some kind of dns pointer inside the questionable domain and/or the certificate.
You cannot prove the correctness of a third party entity, and that's why there is no reputation at all.
Cheers!
Yes, have a beer...
-- Regards, Stephan
-----Original Message----- From: dovecot [mailto:dovecot-bounces@dovecot.org] On Behalf Of Stephan von Krawczynski Sent: Tuesday, 24 June 2014 17:15 To: Patrick De Zordo Cc: 'Dovecot Mailing List' Subject: Re: AW: ot: accepting self certs into win pc?
On Tue, 24 Jun 2014 17:03:09 +0200 Patrick De Zordo <patrick@spamreducer.eu> wrote:
Don't use self signed certs! - Buy some, or use free services! Your reputation will grow!
I am sorry, but someone _has_ to say it: if anyone really thinks that a South African or US entity selling certs is the way to "grow your reputation", this alone should tell you that the whole thing is nothing but a bogus _business_. It has zero to do with security or the like. It is a _business_, and it should be obvious that you will only be lied to by the corresponding entity if something bad happened (probably for years). Look at the DigiNotar story and _learn_.
[De Zordo Patrick] Basically true if using some "strange" cert providers. The cert providers proven by big software companies should be the safe way.
The only way to make certs worth using again is to create a way every client can verify a self-signed certificate by some kind of dns pointer inside the questionable domain and/or the certificate.
You cannot prove the correctness of a third party entity, and that's why there is no reputation at all.
[De Zordo Patrick] ??
Cheers!
Yes, have a beer...
[De Zordo Patrick] I will, I will..
-- Regards, Stephan
Am 24.06.2014 17:25, schrieb Patrick De Zordo:
[De Zordo Patrick] Basically true if using some "strange" cert providers. The cert providers proven by big software companies should be the safe way
please stop proving that you have no clue how certs work
it does not matter who signed *your* cert; the problem is that any client trusts *thousands* of CAs, *any* of them can sign a cert for anybody pretending he is you, and you can't do anything against that
if someone gets a certificate for yourdomain.tld and manages to get the client to connect to his server instead of yours, you have no way to take notice, the user has no way to notice, and the game is over
participants (7): Frank Leonhardt, mourik jan heupink - merit, Patrick De Zordo, Reindl Harald, Stephan von Krawczynski, Voytek, voytek@sbt.net.au