{"id":16,"date":"2002-09-10T03:43:10","date_gmt":"2002-09-10T01:43:10","guid":{"rendered":"http:\/\/bussink.ch\/erik\/technology\/ssl-cert-request-signed-by-microsoft-ca-for-exim-410-with-tls\/"},"modified":"2018-05-23T17:59:12","modified_gmt":"2018-05-23T15:59:12","slug":"ssl-cert-request-signed-by-microsoft-ca-for-exim-410-with-tls","status":"publish","type":"post","link":"https:\/\/www.bussink.ch\/?p=16","title":{"rendered":"SSL cert request signed by Microsoft CA for Exim 4.10 with TLS"},"content":{"rendered":"<p>Here is a post I made to the Exim mailing list, on how to configure secure connectivity with TLS using a Microsoft Windows 2000 Certificate Authority. It\u2019s a combination of using both an Open-Source application and an integrated Microsoft CA.<\/p>\n<p><em>This is a bit off-topic, but I could not find much information about signing OpenSSL generated certificates with a Microsoft (Win2000 server) Certificate Authority and using these signed certificates for the TLS support in Exim 4.10. So here are the steps I followed to get a successful result. There might be a better way, or easier one, but this has worked for me.<\/em><em> <\/em><em>I found myself in the situation of wanting TLS support for Exim 4.10, yet wanting to leverage the Certificate Authority in use in my company. This Certificate Authority runs on Microsoft Windows 2000 Server (SP3), and is in use for Certificate Revocation Lists (CRL) and Encrypted File System (EFS) recovery agents.<\/em><em> <\/em><em>I proceeded to generate an OpenSSL (0.96b) RSA key. I then moved the certificate.csr to the Microsoft CA and signed it [out of the scope of this email]. I then exported the signed certificate using the Base64 setting and with the Certification Chain (saves the information in the PKCS#7 format).
Having moved the certificate.p7b back to my mail server, I used the following command to extract the information from the PKCS#7 to a temporary file and edit it to fit the parameters of a .crt file:<\/em><\/p>\n<p><em>openssl pkcs7 -text -inform PEM -in certificate.p7b -print_certs &gt; certificate.crt<\/em><\/p>\n<p><em>I then edited the certificate.crt file to remove the CA\u2019s certificate information and public key, leaving only the parts between CERTIFICATE and END CERTIFICATE. Extract of certificate.crt is below:<\/em><\/p>\n<p><em>Certificate:<br \/>\nData:<br \/>\nVersion: 3 (0x2)<br \/>\nSerial Number:<br \/>\n12:21:1a:14:00:00:00:00:00:05<br \/>\nSignature Algorithm: sha1WithRSAEncryption<br \/>\nIssuer: Email=someone@xxxxxxxxxxxxx, O=John Doe, CN=Doe CA<br \/>\nValidity<br \/>\nNot Before: Sep 9 08:57:19 2002 GMT<br \/>\nNot After : Sep 9 08:57:19 2004 GMT<br \/>\nSubject:<br \/>\nSubject Public Key Info:<br \/>\nPublic Key Algorithm: rsaEncryption<br \/>\nRSA Public Key: (1024 bit)<br \/>\nModulus (1024 bit):<br \/>\n07:ec:a3:9a:4f:50:9a:a1:f2:eb:f9:ef:3a:8b:44:<br \/>\n\u2026<br \/>\nhu6z5Lm8nkY=<br \/>\n-----END CERTIFICATE-----<\/em><\/p>\n<p><em>One question I\u2019m still considering, and I haven\u2019t found on this mailing list or in some documentation, would it be possible to get EXIM to TLS encrypt outgoing SMTP connections with remote SMTP servers? I understand that my EXIM server will not have the remote\u2019s TLS certificate, but does it really matter? I think encrypting the SMTP traffic would be nicer than having normal cleartext traffic.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here is a post I made to the Exim mailing list, on how to configure secure connectivity with TLS using a Microsoft Windows 2000 Certificate Authority. It\u2019s a combination of using both an Open-Source application and an integrated Microsoft CA.
This is a bit off-topic, but I could not find much information about signing OpenSSL [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[10,12,45,7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.bussink.ch\/index.php?rest_route=\/wp\/v2\/posts\/16"}],"collection":[{"href":"https:\/\/www.bussink.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bussink.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bussink.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bussink.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16"}],"version-history":[{"count":1,"href":"https:\/\/www.bussink.ch\/index.php?rest_route=\/wp\/v2\/posts\/16\/revisions"}],"predecessor-version":[{"id":580,"href":"https:\/\/www.bussink.ch\/index.php?rest_route=\/wp\/v2\/posts\/16\/revisions\/580"}],"wp:attachment":[{"href":"https:\/\/www.bussink.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bussink.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bussink.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}