Certificates
Enterprise Applications for the iPhone™
If you are running a corporate or private site and getting certificate warnings in eTask, the iPhone Mail app, or Safari, you may wish to create your own certificate authority (CA), issue your site's certificate from it, and install the CA's root certificate on your iPhone so the phone "trusts" your site.
Traditionally corporations pay a third party, such as Verisign, a fee to certify that they are who they say they are, so the general public can be confident that the site they reach is the one it claims to be. The mechanism is a certificate that is digitally "signed" by a trusted root certificate authority (Verisign). When a browser, mail app, or other client connects to the site, the site presents its certificate. The client sees that it is signed by Verisign, then looks in the computer's local trust store (the Keychain on Apple systems) to see whether Verisign's root certificate is trusted there. It is, so you browse the site with no warnings or worries. The client also checks that the name in the certificate matches the host name you typed, which is why the Common Name chosen later matters.
If you are running your own site with a default or self-signed certificate you will probably be presented with a warning asking you either to trust the site anyway or to leave. Some browsers, such as Firefox, let you view the certificate details and accept it temporarily or permanently.
On the iPhone you may find that you are prompted with these warnings continually. One way to stop them is to issue your site's certificate from your own self-signed root CA and then install that root certificate on the iPhone, so it recognizes your site's certificate as coming from a trusted authority.
The following steps were compiled from actual experience setting up a Kerio Mail Server (KMS) for personal use as well as helping others for small corporate use. I cannot vouch for their effectiveness with other servers but it may be a good starting point.
First, an overview of the process:
1. Using openssl, create a self-signed root Certificate Authority (CA).
2. Using the root CA, issue a certificate for the host name you use with Kerio. This is the name you type to reach the site (e.g. webmail.site.com), not the mail domain.
3. Install this new certificate (with its private key) into KMS. Do not use the built-in mechanism to request a certificate; that is for obtaining one from a public CA (e.g. Verisign).
4. E-mail your root CA certificate to yourself as an attachment. It requires a .crt extension. The .crt file contains only the public certificate, so it is not secret; the file that must never leave your machine is the CA private key, private/cakey.key. I still recommend you do this while you are connected to a LAN local to your KMS, then delete the e-mail and empty your trash.
5. On the iPhone, tap the attachment. The iPhone will give you lots of warnings (are you sure?, are you really sure? etc.). Once you accept these, a new "profile" appears on the iPhone. (On later iOS versions you must additionally switch the root on under Settings > General > About > Certificate Trust Settings before it is trusted for web sites.)
Now when using ActiveSync, the web interface, or eTask, all in secure mode, the iPhone will see your web site certificate, follow the chain to your installed root, find that root in its trust store, and accept the connection without warnings.
By the way, this root certificate can also be used for IE on Vista. Install it in the Vista certificate manager under Trusted Root Certification Authorities and IE will stop warning you as well.
The details of these steps get pretty complicated. The hardest part is getting the OpenSSL config file set up properly. I have included the text for a couple of .bat files for use on Windows and the OpenSSL config file. You will have to edit these, but it shouldn't be too bad. If you are using one of the Unix flavors (Mac, Linux, Solaris, etc.) please e-mail me and I can provide some C-shell scripts. These will take more editing since I didn't use them specifically for Kerio.
1. If you haven't done so already, install OpenSSL. You can find it at OpenSSL.org for almost any OS.
2. Open a DOS (cmd) window and create a directory called SSL_Dev somewhere on your file system.
3. Copy the following DOS bat file scripts into two files, genRootCA.bat and genCert.bat, in the SSL_Dev directory. Only copy the code between the #### lines.
#### genRootCA.bat #################
rem Creates the self-signed root CA: the private key goes to ssl\private\cakey.key
rem (you will be asked for a passphrase; keep it safe) and the certificate to ssl\cacert.crt.
rem @echo off
set SSL_DATA=.\ssl
set SSL_HOME=\users\USER\Downloads\openssl-0.9.8e
%SSL_HOME%\bin\openssl req -new -x509 -extensions v3_ca -keyout %SSL_DATA%\private\cakey.key -out %SSL_DATA%\cacert.crt -days 3650 -config %SSL_DATA%\openssl.cnf
###################################
#### genCert.bat ####################
rem Creates an (unencrypted) key and a certificate request for the server, then signs
rem the request with the root CA. You will be asked for the CA key passphrase.
rem -infiles must be the last option on the openssl ca line.
@echo off
set SSL_DATA=.\ssl
set SSL_HOME=\users\USER\Downloads\openssl-0.9.8e
%SSL_HOME%\bin\openssl req -new -nodes -out %SSL_DATA%\CERTreq.pem -keyout %SSL_DATA%\private\CERTkey.key -config %SSL_DATA%\openssl.cnf
%SSL_HOME%\bin\openssl ca -out %SSL_DATA%\CERTcert.crt -config %SSL_DATA%\openssl.cnf -infiles %SSL_DATA%\CERTreq.pem
###################################
4. Edit both files so that SSL_HOME points to where you installed OpenSSL.
5. Inside SSL_Dev create a directory called ssl and go into it.
6. Copy the text between the #### lines into a file called openssl.cnf.
#### openssl.cnf #####################
# Path to this ssl directory. Use / to separate path components, even on Windows.
dir = /users/USER/SSL_Dev/ssl
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.crt
private_key = $dir/private/cakey.key
# Validity of certificates issued by the CA (iOS 13 and later reject server certificates valid longer than 825 days)
default_days = 825
# md5 signatures are rejected by current browsers and iOS; use sha256
default_md = sha256
preserve = no
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
policy = policy_match
# Extensions added to every certificate this CA issues (see usr_cert below)
x509_extensions = usr_cert
unique_subject = no
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# 1024-bit RSA keys are rejected by current clients; use 2048
default_bits = 2048
default_keyfile = cakey.key
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = STATE
localityName = Locality Name (eg, city)
localityName_default = CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = COMPANY
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Home
commonName = Common Name (eg, YOUR name)
commonName_default = URL.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = admin@mailsite.com
emailAddress_max = 64
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# Current clients (including iOS 13 and later) also require these on server certificates.
# Change webmail.URL.com to the host name you enter as the Common Name in step 11.
extendedKeyUsage=serverAuth
subjectAltName=DNS:webmail.URL.com
[ v3_ca ]
basicConstraints = CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
############################################
7. Edit openssl.cnf as follows:
Change the first line (the one that starts with dir) so that it points to your ssl directory. Note: use / to separate path components (even on DOS).
If your country is not the US then change US to your country code.
Change STATE to your state (e.g. Texas)
Change CITY to your city
Change COMPANY to your company
Change URL.com to your domain. Do not put www or mail in front; the full host name comes later. Just put your registered domain name.
Change admin@mailsite.com to your administrator's e-mail address
8. In the ssl directory create two more directories, private and certs
9. Create an empty text file called index.txt (it must be empty; OpenSSL fills it in as certificates are issued). Create a second text file called serial whose only line is the number 100000 (the serial number, in hex, of the first certificate to be issued).
Your files should now look like:
File <path>/SSL_Dev/genRootCA.bat
File <path>/SSL_Dev/genCert.bat
Dir <path>/SSL_Dev/ssl
Dir <path>/SSL_Dev/ssl/certs
File <path>/SSL_Dev/ssl/openssl.cnf
Dir <path>/SSL_Dev/ssl/private
File <path>/SSL_Dev/ssl/serial
File <path>/SSL_Dev/ssl/index.txt
10. Run genRootCA.bat first. You should be able to accept the default for all prompts. You will also be asked to choose a passphrase for the CA private key; genCert.bat will ask for it again when it signs the server certificate.
11. Run genCert.bat next. VERY important: when prompted for the Common Name use the full host name of your web or mail server web interface, exactly as it appears in the URL. For example, if your site is site.com and your web-mail URL is https://webmail.site.com then use webmail.site.com
12. The root certificate will be called cacert.crt and the server certificate, signed by your root (so not itself self-signed), will be called CERTcert.crt, with its private key in private\CERTkey.key. All are located in the <path>/SSL_Dev/ssl directory
13. Go to the Kerio admin console and install the CERTcert.crt certificate together with its private key CERTkey.key (Configuration->SSL Certificates). The server needs both.
14. E-mail (on a closed network) the cacert.crt file to yourself. Open the mail on the iPhone and tap the attachment. You will get lots of warnings; accept them all. You may have to reboot the iPhone.
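The whole certificate side of the procedure above (the two openssl steps plus the trust check a client performs, from the overview and from steps 1 to 12) as an added example; this is not code from the original page. It is a POSIX shell script that builds the same root-CA-plus-server-certificate pair in a scratch directory, non-interactively and with today's parameters (SHA-256, 2048-bit keys, a subjectAltName), and then runs the check a client with the root installed makes, the check a client without the root makes (the warning case), and a host-name check. It assumes openssl 1.1.1 or later on PATH; the host name webmail.example.com and the organization Example Co are placeholders standing in for the author's webmail.site.com.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a private root CA and a
# CA-signed server certificate, then verifies the chain the way a client does.
# Assumes openssl 1.1.1+ on PATH; webmail.example.com / "Example Co" are placeholders.
set -eu

# Lay out the same structure as the page's ssl/ directory under $1 and write a
# config equivalent to the page's openssl.cnf (sha256, 2048-bit keys,
# x509_extensions wired to usr_cert, subjectAltName on the server certificate).
# $2 is the host name users type: the server certificate's CN and SAN.
build_ca_and_cert() {
    work="$1"; host="${2:-webmail.example.com}"
    mkdir -p "$work/private" "$work/certs"
    chmod 700 "$work/private"      # the CA private key lives here; never mail it
    : > "$work/index.txt"          # the CA database must start EMPTY
    echo 100000 > "$work/serial"   # next serial number to issue, in hex
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $work
serial = \$dir/serial
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/cacert.crt
private_key = \$dir/private/cakey.key
default_days = 825
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
unique_subject = no
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name (host name)
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
    # Step 1 (genRootCA.bat): self-signed root. -nodes only so this runs
    # unattended; put a passphrase on a real CA key.
    openssl req -new -x509 -nodes -extensions v3_ca -days 3650 \
        -config "$work/openssl.cnf" \
        -subj "/C=US/ST=Texas/L=Austin/O=Example Co/CN=Example Co Root CA" \
        -keyout "$work/private/cakey.key" -out "$work/cacert.crt" 2>/dev/null
    # Step 2 (genCert.bat): key + request for the server, then the root signs it.
    # C, ST and O must equal the root's because of policy_match.
    openssl req -new -nodes -config "$work/openssl.cnf" \
        -subj "/C=US/ST=Texas/L=Austin/O=Example Co/CN=$host" \
        -keyout "$work/private/CERTkey.key" -out "$work/CERTreq.pem" 2>/dev/null
    openssl ca -batch -config "$work/openssl.cnf" \
        -out "$work/CERTcert.crt" -infiles "$work/CERTreq.pem" 2>/dev/null
}

# What a client with the root installed does: chain the server cert to the root.
verify_chain() {
    openssl verify -CAfile "$1/cacert.crt" "$1/CERTcert.crt" >/dev/null 2>&1
}

# Same client, also checking that the name the user typed ($2) matches the certificate.
verify_hostname() {
    openssl verify -CAfile "$1/cacert.crt" -verify_hostname "$2" \
        "$1/CERTcert.crt" >/dev/null 2>&1
}

# A client WITHOUT the root (the warning case from the page): no trust anchors at all.
verify_without_root() {
    openssl verify -no-CAfile -no-CApath "$1/CERTcert.crt" >/dev/null 2>&1
}

# Self-signed means issuer == subject: true for the root, false for the server cert.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

main() {
    work=$(mktemp -d)
    build_ca_and_cert "$work" webmail.example.com
    verify_chain "$work" && echo "root installed: chain verifies"
    verify_without_root "$work" || echo "root not installed: rejected (the iPhone warning case)"
    verify_hostname "$work" webmail.example.com && echo "name webmail.example.com matches"
    verify_hostname "$work" mail.example.com || echo "name mail.example.com does not match"
    is_self_signed "$work/cacert.crt" && echo "cacert.crt is self-signed"
    is_self_signed "$work/CERTcert.crt" || echo "CERTcert.crt is CA-issued, not self-signed"
    echo "files left in $work"
}
main "$@"
```

Once the certificate is installed in Kerio, the same check can be run against the live server from any machine that has cacert.crt: `openssl s_client -connect webmail.site.com:443 -CAfile ssl/cacert.crt` should end with "Verify return code: 0 (ok)"; anything else is what the iPhone will complain about.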
Good Luck
Dean
DFAworks