Here is a post I made to the Exim mailing list, on how to configure secure connectivty with TLS using a Microsoft Windows 2000 Certificate Authority. It’s a combination of using both an Open-Source application and an integrated Microsoft CA.
This is a bit off-topic, but I could not find much information about signing OpenSSL generated certificates with a Microsoft (Win2000 server) Certificate Authority and using these signed certificate for the TLS support in Exim 4.10. So here are the steps I followed to get a successfull result. There might be a better way, or easier one, but this has worked for me. I found myself in the situation of wanting TLS support for Exim 4.10, yet wanting to leverage the Certificate Authority in use in my company. This Certificate Authority runs on Microsoft Windows 2000 Server (SP3), and is in use for Certificate Revocation Lists (CRL) and Encrypted File System (EFS) recovery agents.I proceeded to generate an OpenSSL (0.96b) RSA key. I then moved the certificate.csr to the Microsoft CA and signed it [out of the scope of this email]. I then exported the signed certificate using the Base64 setting and with the Certification Chain (saves the information in the PKCS#7 format). Having moved the certificate.p7b back to my mail server, I used the following command to extract the information from the PKCS#7 to a temporary file and edit it to fit the parameters of a .crt fileopenssl pkcs7 -text -inform PEM -in certificate.p7b -print_certs > certificate.crt
I then edited the certificate.crt file to remove the CA’s certificate information and public key, leaving only the parts between CERTIFICATE and END CERTIFICATE. Extract of certificate.crt is below:
Version: 3 (0×2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: Email=someone@xxxxxxxxxxxxx, O=John Doe, CN=Doe CA
Not Before: Sep 9 08:57:19 2002 GMT
Not After : Sep 9 08:57:19 2004 GMT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
One question I’m still considering, and I haven’t found on this mailing list or in some documentation, would it be possible to get EXIM to TLS encrypt outgoing SMTP connections with remote SMTP servers ? I understand that my EXIM server will not have the remote’s
TLS certificate, but does it really matter ? I think encrypting the SMTP traffic would be a nicer than having normal cleartext traffic.