Certificates

Enterprise Applications for the iPhone™


If you are running a corporate or private site and get certificate warnings in eTask, the iPhone Mail app, or Safari, you may want to create a self-signed certificate that you can install on your iPhone so it "trusts" your site.

Traditionally, corporations pay a third party, like Verisign, a fee to certify that they are who they say they are, so the general public is assured their site is safe. This is implemented with a certificate that is digitally "signed" by a trusted or root authority (Verisign). When you use a browser, mail app, or other application to access the site, it is presented with the site's certificate. Your browser sees that it is signed by Verisign and then looks in your computer's local "key-chain" to check whether Verisign is a trusted root certificate authority. It is, so you browse the site with no warnings or worries.

If you are running your own site with a default or unsigned certificate, you will probably be presented with a warning to either trust the site or exit. Some browsers, like Firefox, let you view the certificate information and optionally accept it temporarily or permanently.

On the iPhone you may find that you are continually prompted with these warnings. One way to prevent them is to create a self-signed certificate and then install the root certificate on the iPhone so it recognizes your certificate as coming from a trusted site.

The following steps were compiled from actual experience setting up a Kerio Mail Server (KMS) for personal use as well as helping others for small corporate use. I cannot vouch for their effectiveness with other servers but it may be a good starting point.

First, an overview of the process:

1. Using openssl, create a self-signed root Certificate Authority (CA).

2. Using the self-signed root CA, create a certificate for the domain you use with Kerio. This is the domain you use to navigate to the site, not the mail domain.

3. Install this new certificate into KMS. Do not use the built-in mechanism to request a certificate; that is for getting one from one of the trusted CAs (e.g. Verisign).

4. E-mail your root CA to yourself as an attachment. It requires a .crt extension. I recommend you do this while connected to a LAN local to your KMS, then delete the e-mail and empty your trash so this cert isn't floating around the internet.

5. On the iPhone, tap this attachment. The iPhone will give you lots of warnings (are you sure?, are you really sure?, etc.). Once you accept these, a new "profile" will appear on the iPhone.

Now, when using ActiveSync, the web interface, or eTask in secure mode, the iPhone will see your web site certificate, follow the chain to your "trusted" self-signed root certificate, and authenticate properly.

By the way, this root certificate can also be used for IE on Vista. Install it in the Vista certificate manager and IE will stop warning you as well.

The details of these steps get pretty complicated. The hardest part is getting the OpenSSL config file set up properly. I have included the text for a couple of bat files for use on Windows and the OpenSSL config file. You will have to edit these, but it shouldn't be too bad. If you are using one of the UNIX flavors (Mac, Linux, Solaris, etc.), please e-mail me and I can provide some c-shell scripts. These will take more editing since I didn't use them specifically for Kerio.

1. If you haven't done so already, install OpenSSL. You can find it at OpenSSL.org for almost any OS.

2. Open a DOS (cmd) window and create a directory called SSL_Dev somewhere on your file system.

3. Copy the following DOS bat file scripts into two files genRootCA.bat and genCert.bat in the SSL_Dev directory. Only copy the code between the #### lines.

#### genRootCA.bat #################
rem @echo off
rem SSL_DATA is the ssl directory holding openssl.cnf, private\ and certs\ (relative to SSL_Dev)
set SSL_DATA=.\ssl
rem SSL_HOME is where OpenSSL is installed; edit this path (step 4)
set SSL_HOME=\users\USER\Downloads\openssl-0.9.8e
rem Create the self-signed root CA: key in private\cakey.key, certificate in cacert.crt, valid 10 years
%SSL_HOME%\bin\openssl req -new -x509 -extensions v3_ca -keyout %SSL_DATA%\private\cakey.key -out %SSL_DATA%\cacert.crt -days 3650 -config %SSL_DATA%\openssl.cnf
###################################

#### genCert.bat ####################
@echo off
rem SSL_DATA is the ssl directory holding openssl.cnf, private\ and certs\ (relative to SSL_Dev)
set SSL_DATA=.\ssl
rem SSL_HOME is where OpenSSL is installed; edit this path (step 4)
set SSL_HOME=\users\USER\Downloads\openssl-0.9.8e
rem Create the server key (private\CERTkey.key) and a certificate request (CERTreq.pem); -nodes leaves the key unencrypted
%SSL_HOME%\bin\openssl req -new -nodes -out %SSL_DATA%\CERTreq.pem -keyout %SSL_DATA%\private\CERTkey.key -config %SSL_DATA%\openssl.cnf
rem Sign the request with the root CA from genRootCA.bat; the result is CERTcert.crt
%SSL_HOME%\bin\openssl ca -out %SSL_DATA%\CERTcert.crt -config %SSL_DATA%\openssl.cnf -infiles %SSL_DATA%\CERTreq.pem
###################################

4. Edit both files to adjust the path to OpenSSL.

5. Create a directory called ssl (inside SSL_Dev) and go to this directory.

6. Copy the text between the #### lines into a file called openssl.cnf.

#### openssl.cnf #####################
# Base directory of the CA; edit this path (step 7). Use / as the separator, even on DOS.
dir = /users/USER/SSL_Dev/ssl

[ ca ]
default_ca = CA_default

# Settings used by "openssl ca" in genCert.bat when it signs the server certificate
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.crt
private_key = $dir/private/cakey.key
default_days = 3650
# md5 was current when this was written; today's clients reject md5-signed certificates
default_md = md5
preserve = no
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
policy = policy_match
unique_subject = no
# extensions (from the usr_cert section below) added to every issued certificate
x509_extensions = usr_cert

# Which subject fields of the request must match the CA's own subject
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Settings used by "openssl req" in both bat files
[ req ]
# 1024-bit keys were common when this was written; today's clients require at least 2048
default_bits = 1024
default_keyfile = cakey.key
distinguished_name = req_distinguished_name
req_extensions = v3_req

# Prompts and defaults for the subject; edit the defaults (step 7)
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = STATE
localityName = Locality Name (eg, city)
localityName_default = CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = COMPANY
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Home
commonName = Common Name (eg, YOUR name)
commonName_default = URL.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = admin@mailsite.com
emailAddress_max = 64

# Extensions for the server certificate issued by the CA
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Extensions for the self-signed root CA (genRootCA.bat passes -extensions v3_ca)
[ v3_ca ]
basicConstraints = CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# Extensions placed in the certificate request
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
############################################

7. Edit openssl.cnf as follows:

Change the first line (the one that starts with dir) so the path to your SSL_Dev/ssl directory is correct. Note: use / to separate paths (even on DOS).

If your country is not the US, change US to your country.

Change STATE to your state (e.g. Texas).

Change CITY to your city.

Change COMPANY to your company.

Change URL.com to your domain. Do not put www or mail in front; that comes later. Just put your registered domain name.

Change admin@mailsite.com to your administrator's e-mail address.

8. Create two more directories here, private and certs.

9. Create a text file called index.txt and copy the number 100000 into the first line. Copy this file to one called serial.

Your files should now look like:

File <path>/SSL_Dev/genRootCA.bat

File <path>/SSL_Dev/genCert.bat

Dir <path>/SSL_Dev/ssl

Dir <path>/SSL_Dev/ssl/certs

File <path>/SSL_Dev/ssl/openssl.cnf

Dir <path>/SSL_Dev/ssl/private

File <path>/SSL_Dev/ssl/serial

File <path>/SSL_Dev/ssl/index.txt

10. Run genRootCA.bat first. You should be able to accept the default for all prompts.

11. Run genCert.bat next. VERY important: when prompted for the Common Name, use the full host name of your web or mail server web interface. For example, if your site is site.com and your web-mail URL is https://webmail.site.com, then use webmail.site.com.

12. The root certificate will be called cacert.crt and the server certificate signed by it will be called CERTcert.crt. Both are located in the <path>/SSL_Dev/ssl directory.

13. Go to the Kerio admin console and install the CERTcert.crt certificate (Configuration -> SSL Certificates).

14. E-mail (on a closed network) the cacert.crt file to yourself. Open it on the iPhone and tap the attachment. You will get lots of warnings; accept them all. You may have to reboot the iPhone.
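Here is the same procedure as a POSIX shell script, added as an example (not the page's own code or the DFAworks c-shell scripts), ending with the openssl verify check worth running before mailing cacert.crt to the phone. It assumes openssl is on PATH and, because current iOS rejects md5 signatures, 1024-bit keys and server certificates without a subjectAltName, it uses sha256, 2048-bit keys and a DNS subjectAltName instead of the openssl.cnf values above.

```shell
# Added example, not from the page: a POSIX-shell version of genRootCA.bat and
# genCert.bat with a final verification step. Assumes `openssl` is on PATH.
# Uses sha256, 2048-bit keys and a subjectAltName, which current iOS requires.
set -eu
# make_ca WORKDIR DOMAIN HOSTNAME: builds the ssl/ layout, root CA (cacert.crt)
# and server cert for HOSTNAME (CERTcert.crt); returns 0 only if they chain.
make_ca() {
  dir=$1; domain=$2; host=$3
  mkdir -p "$dir/certs" "$dir/private"
  : > "$dir/index.txt"        # CA database, must start empty
  echo 1000 > "$dir/serial"   # next serial number, hex
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.crt
private_key = $dir/private/cakey.key
default_days = 3650
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName = DNS:$host
EOF
  # Step 1 (genRootCA.bat): self-signed root; -nodes skips the passphrase prompt
  openssl req -new -x509 -nodes -extensions v3_ca -days 3650 -config "$dir/openssl.cnf" \
    -subj "/O=$domain/CN=$domain Root CA" -keyout "$dir/private/cakey.key" -out "$dir/cacert.crt"
  # Step 2 (genCert.bat): CSR for the web-interface host name, then sign it with the CA
  openssl req -new -nodes -config "$dir/openssl.cnf" -subj "/CN=$host" \
    -keyout "$dir/private/CERTkey.key" -out "$dir/CERTreq.pem"
  openssl ca -batch -config "$dir/openssl.cnf" -out "$dir/CERTcert.crt" -infiles "$dir/CERTreq.pem"
  # Check before mailing cacert.crt to the phone: the server cert chains to the root
  openssl verify -CAfile "$dir/cacert.crt" "$dir/CERTcert.crt"
}
```

After it runs, cacert.crt is the file to mail to the iPhone, and CERTcert.crt together with private/CERTkey.key is what goes into Kerio.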

Good Luck

Dean

DFAworks