Root Certificates and Entourage

lettermail

I have followed the directions for installing a root certificate using
the Keychain Access application as per Entourage's instructions.

The instructions also say that if using a self signed certificate (as
we are) we may need to install other root certificates to verify
certificates issued by a non-standard CA.

What are they talking about? What else do we need to install?

It is very annoying to have the pop-up window appear 5 times every
login.

thanks,
jg
 
Diane Ross

> I have followed the directions for installing a root certificate using
> the Keychain Access application as per Entourage's instructions.
>
> The instructions also say that if using a self signed certificate (as
> we are) we may need to install other root certificates to verify
> certificates issued by a non-standard CA.
>
> What are they talking about? What else do we need to install?
>
> It is very annoying to have the pop-up window appear 5 times every
> login.

See this guide for help:

<http://www.entourage.mvps.org/smime/index.html>

--
Diane Ross, Microsoft Mac MVP
Entourage Help Page
<http://www.entourage.mvps.org/>
One of the top five MS Entourage resources listed on the Entourage Blog.
<http://blogs.msdn.com/entourage/>
 
lettermail


My apologies, I should have been more specific. That article appears
to be about security errors with messages.

The error box / prompt I get says:

Unable to establish a secure connection to my_server_here because the
correct root certificate is not installed.

As mentioned, the root certificate was provided by my IT department,
so it is internally generated from our Windows system for work with
our Exchange server.

I am running OS X 10.3.9 and Ent 11.3.3 (I have applied the Office
11.3.4 patch though).

thanks again,
jg
 
Corentin Cras-Méneur

lettermail said:
> As mentioned, the root certificate was provided by my IT department,
> so it is internally generated from our Windows system for work with
> our Exchange server.
>
> I am running OS X 10.3.9 and Ent 11.3.3 (I have applied the Office
> 11.3.4 patch though).

If you double-click the certificate, the Keychain Utility application
should come up (at least it does in Tiger) and offer you to import the
certificate. Import it in your X509 anchors so that the certificate for
the server can be accepted at the system level. Entourage should stop
complaining after that.


Corentin
 
lettermail

> If you double-click the certificate, the Keychain Utility application
> should come up (at least it does in Tiger) and offer you to import the
> certificate. Import it in your X509 anchors so that the certificate for
> the server can be accepted at the system level. Entourage should stop
> complaining after that.

In Keychain Access, it is installed in 3 of 4 areas, but not the
system (it's in login, microsoft intermediate and microsoft entity). I
tried to copy into system, but I get the error code 100013 unable to
add an item to the keychain. Now I do have admin access to this
machine and it is indeed unlocked.

Very strange. Of note, there are no certificates in the system at all.

Do I need to log in as root?

thanks again,
jg
 
Corentin Cras-Méneur

lettermail said:
> In Keychain Access, it is installed in 3 of 4 areas, but not the
> system (it's in login, microsoft intermediate and microsoft entity).

It shouldn't be in the system keychain. It should be in the X509Anchors
keychain.

> I tried to copy into system, but I get the error code 100013 unable to
> add an item to the keychain. Now I do have admin access to this
> machine and it is indeed unlocked.
> Very strange. Of note, there are no certificates in the system at all.

The system keychain shouldn't have any of these certificates. That's not
where they go. It really should be in the X509Anchors.

> Do I need to log in as root?

You should NEVER EVER EVER log in as root. It's like driving full speed
on the interstate on the wrong way without wearing a seat-belt. You
might survive, but it's really really not good karma.

You don't need to either. When importing the certificate (over again),
you get a dialog asking you where the certificate should be imported.
Simply choose the X509Anchors.


Corentin
 
Jeremy Gillies

> The system keychain shouldn't have any of these certificates. That's not
> where they go. It really should be in the X509Anchors.
> ...
> you get a dialog asking you where the certificate should be imported.
> Simply choose the X509Anchors.

I just got a new copy of the root certificate.

I tried to install it in the key chain but I have no option for X509Anchors.

Thanks again,
jg
 
Corentin Cras-Méneur

Hi Jeremy,
> I just got a new copy of the root certificate. I tried to install it
> in the key chain but I have no option for X509Anchors.
> Thanks again,

What do you mean by "no option for X509Anchors"?

When you double-click the certificate, Keychain.app opens and presents
a dialog asking you whether you want to import the certificate. This
window has a pulldown menu where you can select where to import it to.
Do you see X509Anchors in the pull-down menu? What version of the
System are you running?


Corentin
 
Jeremy Gillies

Hi Corentin,
> What do you mean by "no option for X509Anchors"?
>
> When you double-click the certificate, Keychain.app opens and presents
> a dialog asking you whether you want to import the certificate. This
> window has a pulldown menu where you can select where to import it to.
> Do you see X509Anchors in the pull-down menu? What version of the
> System are you running?

I get a dialogue box that prompts me to put it in either login, system,
microsoft intermediate certs or microsoft entry certs.

versions: 10.3.9 and 11.3.3 (patched to latest level)

Thanks again,
jg
 
darron

> Hi Corentin,
>
> I get a dialogue box that prompts me to put it in either login, system,
> microsoft intermediate certs or microsoft entry certs.
>
> versions: 10.3.9 and 11.3.3 (patched to latest level)
>
> Thanks again,
> jg

Hi,

You will need to delete the "OfficeSync Prefs" in order for Entourage
to pick up the new Cert. I have removed this irritating message from
Entourage a number of times. Let me know if you are still stuck and I
will email you a document.
 
Jeremy Gillies

> Hi,
>
> You will need to delete the "OfficeSync Prefs" in order for Entourage
> to pick up the new Cert. I have removed this irritating message from
> Entourage a number of times. Let me know if you are still stuck and I
> will email you a document.


Okay, will do!

But I still don't have the option for X509Anchors (please see above). Where
should it go?

Thanks again,
jg
 
Corentin Cras-Méneur

Gillies <[email protected]> said:
> I get a dialogue box that prompts me to put it in either login,
> system, microsoft intermediate certs or microsoft entry certs.
>
> versions: 10.3.9 and 11.3.3 (patched to latest level)

That's not the keychain app.... What happens if you drag the
certificate on the Keychain application icon itself?

Corentin
 
Jeremy Gillies

> Gillies <[email protected]> said:
>> I get a dialogue box that prompts me to put it in either login,
>> system, microsoft intermediate certs or microsoft entry certs.
>>
>> versions: 10.3.9 and 11.3.3 (patched to latest level)
>
> That's not the keychain app.... What happens if you drag the
> certificate on the Keychain application icon itself?
> Corentin


The title bar in the app window says keychain. The program name says
Keychain access. This is the one in the Applications > Utilities folder.

If this is not it, what is then the Keychain application?

When I drag and drop, I get the same prompt as mentioned above.

Thanks again,
jg
 
Corentin Cras-Méneur

> The title bar in the app window says keychain. The program name says
> Keychain access. This is the one in the Applications > Utilities
> folder.
> If this is not it, what is then the Keychain application?

What's really weird is that the categories you are mentioning are the
exact same ones you'd get through the Microsoft Cert Manager
application (which can also manage certificates) and not what you
should see in the Keychain app. The Keychain should list Login, System
and X509Anchors which are also the keychains listed on the right in
the keychain app.

You can try importing in the Apple Trusted Root Certificate then, but
I clearly don't understand the list of available keychains you are
getting :-\

Corentin
 
Jeremy Gillies

>> The title bar in the app window says keychain. The program name says
>
> What's really weird is that the categories you are mentioning are the
> exact same ones you'd get through the Microsoft Cert Manager
> application (which can also manage certificates) and not what you
> should see in the Keychain app. The Keychain should list Login, System
> and X509Anchors which are also the keychains listed on the right in
> the keychain app.
>
> You can try importing in the Apple Trusted Root Certificate then, but
> I clearly don't understand the list of available keychains you are
> getting :-\

I added the two from /System/Library/Keychains as it did contain both
X509Anchors and X509Certificates. I guess for some reason they simply were
not showing up. I was able to import the certificate into X509Anchors and
see that it is there.

But I restarted entourage and got no further as I am back to that error.

Thanks again,
Jg
 
Corentin Cras-Méneur

Jeremy Gillies said:
> I added the two from /System/Library/Keychains as it did contain both
> X509Anchors and X509Certificates. I guess for some reason they simply were
> not showing up. I was able to import the certificate into X509Anchors and
> see that it is there.
>
> But I restarted entourage and got no further as I am back to that error.

Try restarting the Mac then,

Corentin
 
Jeremy Gillies

>> I added the two from /System/Library/Keychains as it did contain both
>
> Try restarting the Mac then,

Okay, I did a restart to no avail.

Went back and deleted the OfficeSync Prefs (with all office apps closed) and
restarted.

Still getting the error message.

I checked the Office Cert Manager under Apple Trusted Certs and it appears
in there too.

Puzzled.

Thanks,
Jg
 
Corentin Cras-Méneur

> Okay, I did a restart to no avail.
>
> Went back and deleted the OfficeSync Prefs (with all office apps
> closed) and restarted.
>
> Still getting the error message.
>
> I checked the Office Cert Manager under Apple Trusted Certs and it
> appears in there too.
>
> Puzzled.

What really puzzles me is that you first didn't have the X509Anchors
in your keychain. I'm starting to wonder whether there is a deeper
issue in your system. I don't think it's something with Entourage
itself since all it does is look in the System resources to see if the
certificate for your server is valid.

If you now connect to your OWA server through Safari, do you get a
warning or not? If everything is fine at the System level, then you
shouldn't get a warning anymore.

Alternatively, you can try launching the Microsoft Cert Manager that
comes with Office (/Applications/Microsoft Office
2004/Office/Microsoft Cert Manager.app) and importing the certificate
in the Apple Trusted Root Certificate Authorities from there. As far
as I know, this app is just some sort of front-end to the Keychains,
but you never know.... it might help correcting a problem on your
system.

You can also launch the Keychain application and use the
command-shift-a shortcut to launch Keychain First Aid and attempt to
repair your Keychain. There might be something fishy there :-\

Corentin
 
Jeremy Gillies

> What really puzzles me is that you first didn't have the X509Anchors
> in your keychain. I'm starting to wonder whether there is a deeper
> issue in your system. I don't think it's something with Entourage
> itself since all it does is look in the System resources to see if the
> certificate for your server is valid.

Still got the message.

> If you now connect to your OWA server through Safari, do you get a
> warning or not? If everything is fine at the System level, then you
> shouldn't get a warning anymore.
> Alternatively, you can try launching the Microsoft Cert Manager that
> comes with Office (/Applications/Microsoft Office
> 2004/Office/Microsoft Cert Manager.app) and importing the certificate
> in the Apple Trusted Root Certificate Authorities from there. As far
> as I know, this app is just some sort of front-end to the Keychains,
> but you never know.... it might help correcting a problem on your
> system.

It is there, still did not work.

> You can also launch the Keychain application and use the
> command-shift-a shortcut to launch Keychain First Aid and attempt to
> repair your Keychain. There might be something fishy there :-\

I tried that and it did not work.

I think I am resigned to just clicking "okay" 5 times a login.

Is it possible that because it is a self-signed certificate that it is not
accepted? Could the certificate be configured incorrectly?

Thanks,
jg
 
Corentin Cras-Méneur

Gillies <[email protected]> said:
> Is it possible that because it is a self-signed certificate that it is
> not accepted? Could the certificate be configured incorrectly?

People use self-signed certificates all the time.
I had no problem importing and using ours. That *shouldn't* be a
problem (in theory.....)

Corentin
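
Added example, not part of any post in this thread: the error quoted earlier says the correct root certificate is not installed, and the last question asks whether the certificate itself could be at fault. The script builds a constructed root, issuing CA and server certificate with `openssl` and runs three checks that also apply to real files: is the imported certificate a CA, is it the issuer named on the server certificate, and does the server certificate verify against it. All certificate names and file names are assumptions.

```sh
#!/bin/sh
# Added example. Every certificate here is constructed test data
# (root CA -> issuing CA -> server), not a file from the thread.
work=$(mktemp -d) && cd "$work" || exit 1
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# issue NAME CN EXTFILE SIGNER  (SIGNER "self" gives a self-signed root)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$2" 2>/dev/null || return 1
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  fi
}
issue root    "Constructed Internal Root" ca.ext   self
issue issuing "Constructed Issuing CA"    ca.ext   root
issue server  "mail.example.internal"     leaf.ext issuing

# True when ANCHOR's subject name is the issuer name on CERT.
issuer_matches() {  # ANCHOR CERT
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$2" -noout -issuer_hash)" ]
}

# True when the certificate is marked as a CA (basicConstraints CA:TRUE).
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# True when CERT chains up to ANCHOR, optionally through INTERMEDIATE.
chain_ok() {  # ANCHOR CERT [INTERMEDIATE]
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1 |
    grep -q ': OK$'
}

is_ca root.pem && echo "root.pem is a CA certificate"
issuer_matches root.pem server.pem ||
  echo "root.pem did not issue server.pem (its issuer is the issuing CA)"
chain_ok root.pem server.pem ||
  echo "server.pem does not verify against root.pem alone"
chain_ok root.pem server.pem issuing.pem &&
  echo "server.pem verifies once the issuing CA is supplied"
```

For a real server, the certificate it presents can be saved from the output of `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) and passed to the same functions in place of `server.pem`.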
 