[horde] S/Mime not verified
Andreas Mauser
andreas at mauser.info
Thu May 31 16:47:05 UTC 2012
Hi Vilius,
----- Nachricht von Vilius ?umskas <vilius at lnk.lt> ---------
Datum: Thu, 31 May 2012 17:49:06 +0300
Von: Vilius ?umskas <vilius at lnk.lt>
Betreff: Re: [horde] S/Mime not verified
An: horde at lists.horde.org
>> >>>>>> To "verify" the certifcate you need a matching trusted root-CA
>> >>>>>> and all sub-CAs involved to verify the whole chain. I guess you
>> >>>>>> either don't have the root-CA on your system of Horde is not
>> >>>>>> able to access the path with root-CAs.
>> >>>>>
>> >>>>> Thank you for the information.
>> >>>>>
>> >>>>> In my vHost I have:
>> >>>>>
>> >>>>> SSLEngine On
>> >>>>> #SSLCertificateKeyFile /root/certscreate/psw2008.key
>> >>>>> SSLCACertificateFile /etc/httpd/conf.d/certificates/cabundle.crt
>> >>>>> SSLCertificateKeyFile /etc/httpd/conf.d/certificates/mauser.info.key
>> >>>>> SSLCertificateFile /etc/httpd/conf.d//certificates/mauser.info.crt
>> >>>>>
>> >>>>>
>> >>>>> Is this the right thing at the right place?
>> >>>>> And if so, are there any rights I have to give this vHost or
>> >>>>> something else?
>> >>>>
>> >>>>
>> >>>> No, this is for the webserver's ssl support.
>> >>>>
>> >>>> Make sure you have configured OpenSSL support in horde's config.
>> >>>> Specifically, the location of the root certificates bundle.
>> >>>
>> >>> If a directory is specified, then it must be a correctly formed
>> >>> hashed directory as the openssl command would use.
>> >>>
>> >>> Since /etc/ssl/certs is a directory, what does it mean 'it must be
>> >>> a correctly formed hashed directory' ?
>> >>
>> >> Just use full path of the CA bundle instead of directory.
>> >
>> > Using '/etc/pki/tls/certs/ca-bundle.crt' and restarting the
>> > webserver and relogin did not help.
>>
>> Still got not all right ^^
>>
>> As I got a CACert S/MIME Mail right now which cannot be verified I
>> downloaded the class3.crt from cacert.org and saved it in
>> /etc/ssl/certs but it did not help.
>>
>> Isn't it so that I just have to save certs I need in /etc/ssl/certs to
>> have Horde grab it?
>>
>> In Horde I switched back and set it to /etc/ssl/certs which works OK
>> now for all other S/MIME mails.
>>
>> Any idea for that one? :)
>
> Basically what you need to do is add all CAs of your certificates to
> the CA bundle. There are two ways of doing so:
>
> 1)
> http://www.hordgroup.com/tech_resources/2010/12/add-internal-root-ca-to-centos.html and then specify a full path to that
> *file*.
>
> 2) You can add CA certificates to the same folder and then hash the
> directory. And then specify a full path to that *directory*. You can
> find more about what 'hash the directory' means in the OpenSSL
> documentation.
Thank you, I got that and its working fine.
I am still missing one certificate which I still searching for, its
the Verisign class1-3 which does not work at the moment but as soon as
I find the .crt files I will put them in and hash them also.
Grazie :)
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5014 bytes
Desc: S/MIME Signatur
URL: <http://lists.horde.org/archives/horde/attachments/20120531/08fa9938/attachment-0001.bin>
More information about the horde
mailing list