Elwing’s Weblog
Elwing’s rantings and ravings
Microsoft CA and Thunderbird
Author: elwing
• Monday, February 14th, 2005

Some of you know my uh.. dislike for Microsoft products, and unfortunately, our (OpenSSL) CA at work expired, and since we’re helping clients use MS CA 2003, we figured our new CA would be an MS CA. Apart from the major hassles my boss went through to install and configure it, the switch has been manageable. Granted - once it’s installed and initially configured, it’s easier to create certificate templates than in OpenSSL. We also decided on separate signature and encryption certs - not a problem, in fact pretty standard. The only problem here was that signature certs are forcefully imported into CAPI and marked as non-exportable - a big problem when you want to use Firefox/Thunderbird (unless someone’s come up with a PKCS #11 interface for CAPI - if so, I want to know about it).

I managed to figure out a successful way of getting an exportable certificate. Granted, this might not work on all MS CAs, because you might not have the option of submitting an advanced request, but we pretty much have the default settings other than our certificate template, and it worked for me.

This requires access to OpenSSL of some sort and (unfortunately) a Windows machine with IE. I happened to use Cygwin’s OpenSSL since it’s on my workstation with easy access to IE and Thunderbird. The IE requirement may be specific to our configuration - we’re set up with NTLM authentication for the CA to immediately issue us certificates - YMMV.

First generate your private key and request in OpenSSL. Note that the certificate’s lifetime is set by the CA’s template, not by the request; `openssl req -days` only has an effect together with `-x509` (self-signed certificates), so it is left off here:

openssl req -new -keyout mykey.key -out myrequest.csr

Browse to the CA’s interface, instead of choosing to “create and submit a request”, choose:
“Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
This will let you cut and paste or browse to a file to include. Insert the myrequest.csr file we created with openssl earlier. Choose the other options as appropriate to your situation.

Once the CA has issued your cert, you need to download it in Base 64 format. You might want to also download it as DER format to import into CAPI if you need it - caution, the default filename is certnew.cer for both.

Copy (or Save) the Base 64 file into the same directory as your .key file. Now we create the PKCS #12 file (.p12) which you can use to import the key into most programs which will need it - like Firefox and Thunderbird. Here certnew.cer is the Base 64 copy you downloaded from the CA:

openssl pkcs12 -export -inkey mykey.key -in certnew.cer -out mycert.p12
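The whole procedure above, carried through as an added example (this is not the post’s own script). Because a Microsoft CA is not available offline, the issuing step is stood in for by a throwaway OpenSSL CA constructed inside the script; in the real flow that step is the “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file” page. The example adds the two checks worth doing before trusting the result: that the certificate the CA handed back actually belongs to your private key, and that the .p12 opens and carries the key (which is exactly why it needs guarding). The passphrase, subject names, and the working directory are constructed values.

```shell
#!/bin/sh
# Added example: key + PKCS#10 request, CA issuance stand-in, PKCS#12 bundle, checks.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="example-p12-passphrase"   # constructed; pick a real passphrase in practice

# Step 1: private key and PKCS#10 request (this is what gets pasted into the CA page).
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/mykey.key" -out "$WORK/myrequest.csr" \
        -subj "/CN=Example User/emailAddress=user@example.test" 2>/dev/null
    # Sanity check: the request's self-signature must verify.
    openssl req -in "$WORK/myrequest.csr" -noout -verify 2>/dev/null
}

# Stand-in for the Microsoft CA (constructed, offline): a self-signed CA signs the CSR.
# The output file name mirrors the web enrollment default, certnew.cer, in Base64 form.
issue_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Constructed Test CA" 2>/dev/null
    openssl x509 -req -in "$WORK/myrequest.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -out "$WORK/certnew.cer" 2>/dev/null
}

# Step 2: bundle key and issued certificate into a PKCS#12 file for Thunderbird/Firefox.
# The CA certificate is included so the client can build the chain.
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/mykey.key" -in "$WORK/certnew.cer" \
        -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/mycert.p12"
}

# Check 1: the issued certificate carries the public key of our private key.
# A mismatch means the wrong certnew.cer was picked up (the DER and Base64
# downloads share that name) or the CA returned something unexpected.
cert_matches_key() {
    cert="${1:-$WORK/certnew.cer}"
    k=$(openssl pkey -in "$WORK/mykey.key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the .p12 opens with the passphrase and contains exactly one private key.
p12_has_key() {
    n=$(openssl pkcs12 -in "$WORK/mycert.p12" -passin "pass:$PASS" -nodes 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY')
    [ "$n" -eq 1 ]
}

run_all() {
    make_request && issue_cert && make_p12 && cert_matches_key && p12_has_key
}

run_all && echo "PKCS#12 bundle written to $WORK/mycert.p12 (key and certificate match)"
```

The public-key comparison is done on DER-encoded SubjectPublicKeyInfo digests rather than on the RSA modulus text so it works unchanged for non-RSA keys. Set `WORK` to a directory of your choice to keep the files; otherwise they land in a fresh temporary directory, which, since it holds a private key, should be removed when you are done.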

You now have an exportable key and certificate. Keep in mind though that this isn’t always the best idea. There’s a reason the certificate is marked as non-exportable - keep that in mind before you override that protection willy-nilly.

WARNING: the p12 file you created has your private key in it - guard it as you would your private key!

Category: Technology