Certificate doesn't verify

Andrew J. Kopciuch akopciuch at bddf.ca
Thu Mar 5 05:43:49 CET 2009


On March 4, 2009, Paul Douglas Franklin wrote:
> I have a user who connects from on or off site using Outlook 2003.  He
> keeps getting the following message:
> "The server you are connected to is using a security certificate that
> could not be verified.  The certificate chain processed but terminated
> in a root certificate which is not trusted by the trust provider.  Do
> you want to continue using this server?"

An installation contains a self-signed SSL certificate.  If you read that
message carefully, it means exactly what it says.  In a dumbed-down version:
when Outlook is checking the certificate, it sees it is signed, but can't
tell who signed it.

If you want to get rid of this error, you need to get your certificate
actually signed by someone trusted.  (Big names like VeriSign and Thawte are
examples.)  There are many other smaller recognized providers like Comodo
or GoDaddy, and hundreds of others really.  Those are just 2 I have used in
the past.

> When my Thunderbird complained, I simply told it to accept the
> certificate, and it did so.  But Outlook doesn't seem to want to
> remember that.

Yes.   Outlook does not seem to have this capability like many other email
clients.   I think there is a way you can import the "untrusted" root
certificate into Windows, and this message would go away ... but you should
really get your certificates signed by someone trusted anyways.

> I believe that it has to do with the name of the server vs the name on
> the certificate.  Would this be a likely cause?

No.   You would get an error talking about the name of the server not matching 
the common name on the certificate in that case.

> If so, it's my error:  I was deciding between two different names and
> just didn't enter the correct one when I created the certificate.  How
> do I ascertain the name on the certificate?  And can I create a new

openssl x509 -noout -text -in cert.pem

> certificate, or do I need to change the name of my server?  I can think
> of three places where I figure the name should match:  DNS, host name,
> and certificate.  Is this correct?
> If the non-matching names are not the problem, what would it be?

/kolab/etc/kolab/kolab_sslcert.sh 

will recreate the self signed certificate that you can use, but it is still 
untrusted.   You should get a real SSL certificate and use that.




Andy
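
Added example (not part of the original message, and not Kolab's own tooling): a shell check that separates the two failure modes discussed above, an untrusted self-signed root versus a server name that does not match the certificate. The host names and the throwaway certificate are constructed sample values; the script assumes an `openssl` binary of version 1.0.2 or later on the PATH.

```shell
#!/usr/bin/env bash
# Added example: separate "untrusted root" from "name mismatch".
# mail.example.org and the temporary files are constructed sample values.
workdir=$(mktemp -d)
cert="$workdir/cert.pem"

# Constructed stand-in for a server's self-signed certificate.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$workdir/key.pem" -out "$cert" 2>/dev/null
}

# Subject equal to issuer is the usual mark of a self-signed certificate.
is_self_signed() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# Chain check against the default trust store (what a client does).
trusted_by_default() {
    openssl verify "$1" 2>&1 | grep -q ': OK$'
}

# Same check with the certificate itself supplied as a trusted root,
# the equivalent of importing it into the client's root store.
trusted_after_import() {
    openssl verify -CAfile "$1" "$1" 2>&1 | grep -q ': OK$'
}

# Name check, independent of trust: does the certificate cover this host?
name_matches() {
    openssl x509 -noout -checkhost "$2" -in "$1" | grep -q 'does match'
}

report() {  # report <label> <command...>
    local label=$1; shift
    if "$@"; then echo "$label: yes"; else echo "$label: no"; fi
}

make_selfsigned mail.example.org
report "self-signed"           is_self_signed "$cert"
report "trusted by default"    trusted_by_default "$cert"
report "trusted after import"  trusted_after_import "$cert"
report "name mail.example.org" name_matches "$cert" mail.example.org
report "name imap.example.org" name_matches "$cert" imap.example.org
```

To check a real server, skip make_selfsigned and point the functions at the server's own certificate file and the host name the mail client connects to.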