Enterprise Applications for the iPhone™

Certificates

If you are running a corporate site or private site and getting certificate warnings in eTask, the iPhone mail app, or Safari, you may wish to consider creating a self-signed certificate that you can install on your iPhone to "trust" your site.

Traditionally corporations pay a third party, like Verisign, a fee to certify that they are who they say they are, so the general public is assured their site is safe. The process is implemented with a certificate that is digitally "signed" by a trusted or Root authority (Verisign). When you use a browser, mail app, or other application to access the site, it is presented with the site's certificate. Your browser then sees that it is signed by Verisign. The browser then looks in your computer's local "key-chain" to see if Verisign is a trusted Root certificate authority. It is, so you then browse the site with no warnings or worries.

If you are running your own site with a default or unsigned certificate you will probably be presented with a warning to either trust the site or exit. Some browsers, like Firefox, allow you to view the certificate information and optionally accept it temporarily or permanently. In the case of the iPhone you may find that you are continually prompted with these warnings. One way to prevent these warnings is to create a self-signed certificate and then install the Root certificate on the iPhone so it recognizes your certificate as coming from a trusted site.

The following steps were compiled from actual experience setting up a Kerio Mail Server (KMS) for personal use as well as helping others for small corporate use. I cannot vouch for their effectiveness with other servers, but it may be a good starting point.

First an overview of the process:

1. Using openssl, create a self-signed root Certificate Authority (CA).
2. Using the self-signed root CA, create a certificate for the domain you use with Kerio. This is the domain you use to navigate to the site, not the mail domain.
3. Install this new certificate into KMS. Do not use the built-in mechanism to request a certificate. That is for getting one from one of the trusted CAs (e.g. Verisign).
4. E-mail your root CA to yourself as an attachment. It requires a .crt extension. I recommend you do this while you are connected to a LAN local to your KMS, then delete the e-mail and empty your trash so this cert isn't floating around the internet.
5. On the iPhone click on this attachment. The iPhone will give you lots of warnings (are you sure?, are you really sure? etc.). Once you accept these a new "profile" will appear on the iPhone.

Now when using ActiveSync, the web interface or eTask, all in secure mode, the iPhone will see your web site certificate, follow the key chain, see your "trusted" self-signed root certificate and authenticate properly.

By the way, this root certificate can also be used for IE on Vista. You install this root certificate in the certificate manager on Vista and IE will stop warning you as well.

The details of these steps get pretty complicated. The hardest part is getting the openssl config file set up properly. I have included the text for a couple of bat files for use on Windows and the OpenSSL config file. You will have to edit these but it shouldn't be too bad. If you are using one of the UNIX flavors (Mac, Linux, Solaris etc.) please e-mail me and I can provide some c-shell scripts. These will take more editing since I didn't use them specifically for Kerio.

1. If you haven't done so already, install OpenSSL. You can find it at OpenSSL.org for almost any OS.
2. Open a DOS (cmd) window and create a directory called SSL_Dev somewhere on your file system.
3. Copy the following DOS bat file scripts into two files, genRootCA.bat and genCert.bat, in the SSL_Dev directory. Only copy the code between the #### lines.

#### genRootCA.bat #################
rem @echo off
rem Creates the self-signed root CA: private key in ssl\private\cakey.key, certificate in ssl\cacert.crt
set SSL_DATA=.\ssl
set SSL_HOME=\users\USER\Downloads\openssl-0.9.8e
%SSL_HOME%\bin\openssl req -new -x509 -extensions v3_ca -keyout %SSL_DATA%\private\cakey.key -out %SSL_DATA%\cacert.crt -days 3650 -config %SSL_DATA%\openssl.cnf
###################################

#### genCert.bat ####################
@echo off
rem Creates the server key and certificate request, then signs the request with the root CA
set SSL_DATA=.\ssl
set SSL_HOME=\users\USER\Downloads\openssl-0.9.8e
%SSL_HOME%\bin\openssl req -new -nodes -out %SSL_DATA%\CERTreq.pem -keyout %SSL_DATA%\private\CERTkey.key -config %SSL_DATA%\openssl.cnf
%SSL_HOME%\bin\openssl ca -out %SSL_DATA%\CERTcert.crt -config %SSL_DATA%\openssl.cnf -infiles %SSL_DATA%\CERTreq.pem
###################################

4. Edit both files to adjust the path to OpenSSL.
5. Create a directory called ssl. Go to this directory.
6. Copy the text between the #### lines into a file called openssl.cnf.

#### openssl.cnf #####################
dir = /users/USER/SSL_Dev/ssl

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.crt
private_key = $dir/private/cakey.key
default_days = 3650
# Current iOS releases and OpenSSL's default security level reject MD5-signed certificates; use sha256 there.
default_md = md5
preserve = no
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
policy = policy_match
unique_subject = no
# Extensions added to the certificates signed by genCert.bat (the usr_cert section below).
x509_extensions = usr_cert

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Current clients require RSA keys of at least 2048 bits.
default_bits = 1024
default_keyfile = cakey.key
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = STATE
localityName = Locality Name (eg, city)
localityName_default = CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = COMPANY
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Home
commonName = Common Name (eg, YOUR name)
commonName_default = URL.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = admin@mailsite.com
emailAddress_max = 64

[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_ca ]
basicConstraints = CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
############################################

7. Edit openssl.cnf as follows:
   Change the first line (the one that starts with dir) so it points to your SSL_Dev/ssl directory. Note: use / to separate paths (even on DOS).
   If your country is not the US then change US to your country.
   Change STATE to your state (e.g. Texas).
   Change CITY to your city.
   Change COMPANY to your company.
   Change URL.com to your domain. Do not put www or mail in front. This will come later. Just put your registered domain name.
   Change admin@mailsite.com to your administrator's e-mail address.
8. Create two more directories here, private and certs.
9. Create a text file called index.txt and copy the number 100000 into the first line. Copy this file to one called serial. Your files should now look like:

File <path>/SSL_Dev/genRootCA.bat
File <path>/SSL_Dev/genCert.bat
Dir  <path>/SSL_Dev/ssl
Dir  <path>/SSL_Dev/ssl/certs
File <path>/SSL_Dev/ssl/openssl.cnf
Dir  <path>/SSL_Dev/ssl/private
File <path>/SSL_Dev/ssl/serial
File <path>/SSL_Dev/ssl/index.txt

10. Run genRootCA.bat first. You should be able to accept the default for all prompts.
11. Run genCert.bat next. VERY important: when prompted for the Common Name use the full URL to your web or mail server web interface. For example, if your site is site.com and your web-mail URL is https://webmail.site.com then use webmail.site.com.
12. The root certificate will be called cacert.crt and the server certificate (signed by your root CA) will be called CERTcert.crt. Both are located in the <path>/SSL_Dev/ssl directory.
13. Go to the Kerio admin console and install the CERTcert.crt certificate (Configuration->SSL Certificates).
14. E-mail (on a closed network) the cacert.crt file to yourself. Open this on the iPhone and double click the attachment. You will get lots of warnings. Accept them all. You may have to reboot the iPhone.

Good Luck
Dean
DFAworks
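The same procedure on a UNIX-flavored host, as an added example rather than the author's bat files or the c-shell scripts mentioned above: it builds the root CA and a server certificate with the openssl command line, then runs the two checks a client makes (does the certificate chain to a trusted root, and does it carry the host name from the URL). It assumes sha256 signatures and 2048-bit keys in place of the md5/1024 values in openssl.cnf above, a subjectAltName holding the host name, constructed DN values (STATE, CITY, COMPANY), and signing with openssl x509 -req instead of openssl ca so that no serial/index.txt database is needed; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the page's scripts): root CA -> server cert with the openssl
# CLI on a POSIX host, then the checks a client (iPhone, browser) performs.
# Assumed: sha256/2048-bit keys, a SAN on the server cert, constructed DN values.
set -eu
SSL_DATA=$(mktemp -d)
DN="/C=US/ST=STATE/L=CITY/O=COMPANY"     # same issuer fields as the page's defaults
CNF="$SSL_DATA/openssl.cnf"              # minimal config; the subject comes from -subj
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$CNF"

# Step 1: self-signed root CA. cacert.crt is the file that gets installed on the iPhone.
gen_root_ca() {
  openssl req -new -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 3650 \
    -subj "$DN/CN=Home Root CA" -keyout "$SSL_DATA/cakey.key" -out "$SSL_DATA/cacert.crt" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
}

# Step 2: server certificate for the host name users type (e.g. webmail.site.com),
# signed by the root. "openssl x509 -req" is used instead of "openssl ca", so no
# serial/index.txt database is needed; the SAN carries the host name.
issue_cert() {  # $1 = host name from the URL
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "$DN/CN=$1" \
    -keyout "$SSL_DATA/$1.key" -out "$SSL_DATA/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$SSL_DATA/$1.ext"
  openssl x509 -req -in "$SSL_DATA/$1.csr" -CA "$SSL_DATA/cacert.crt" \
    -CAkey "$SSL_DATA/cakey.key" -CAcreateserial -days 825 -sha256 \
    -extfile "$SSL_DATA/$1.ext" -out "$SSL_DATA/$1.crt" 2>/dev/null
}

# A client that has the root installed: chain check plus host-name match.
# Succeeds only if $2.crt chains to cacert.crt AND is valid for host name $1.
verify_as_trusting_client() {  # $1 = host name visited, $2 = cert base name
  openssl verify -CAfile "$SSL_DATA/cacert.crt" -verify_hostname "$1" \
    "$SSL_DATA/$2.crt" >/dev/null 2>&1
}

# A client WITHOUT the root installed (the iPhone before step 5): no trusted
# issuer can be found, so verification fails. This is the warning the page describes.
verify_as_untrusting_client() {  # $1 = cert base name
  openssl verify -no-CAfile -no-CApath "$SSL_DATA/$1.crt" >/dev/null 2>&1
}

gen_root_ca
issue_cert webmail.site.com
verify_as_trusting_client webmail.site.com webmail.site.com && echo "webmail.site.com: trusted"
verify_as_untrusting_client webmail.site.com || echo "root not installed: untrusted (warning)"
```

A certificate issued for webmail.site.com is rejected when the visited host name is mail.site.com, which is the mismatch the "VERY important" note in step 11 warns about.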
