Re: Root Certificate



More specifically, the rules are that:
1) You must match the common name in the subject name <OR> you must match a
FQDN or IP address found in a subject alternative name extension.
2) If you have a critical Extended Key Usage ( 2 5 29 37 ) extension, then
it must list Server Authentication ( 1 3 6 1 5 5 7 3 1 ) as one of its
purposes.

Given that, we don't have support for comparing IP addresses in subject
alternative names. (Yet.) We also have some issues about reporting what kind
of certificate error it was.

We have a few issues with parsing some certificates and verifying these
rules that have been corrected and will be available in an upcoming release.

I highly suggest taking up the issue with your IT administrator. They should
be issuing correct certificates. They can use the "*.foo.com" syntax to be
able to match all the hosts in the foo.com domain (though not "a.b.foo.com",
for which it would need "*.*.foo.com").

-nh

On 1/20/06 12:15:56 AM, in article BFF64CBD.14C5B2%chrisridd@xxxxxxx, "Chris
Ridd" <chrisridd@xxxxxxx> wrote:

> On 19/1/06 11:40, in article BFF57F8F.69F2%kledgister@xxxxxxxxxxxx, "Kevin
> Ledgister" <kledgister@xxxxxxxxxxxx> wrote:
>
>> I've tried the Mac Help Desk instructions but I still get the same root
>> certificate is not installed issue and Entourage won't connect to Exchange.
>>
>> Our IT admin created a *.crt certificate from the Exchange server but it has
>> a host name mismatch.
>>
>> Would a host name mismatch in the certificate terminally affect Entourage to
>> connect to Exchange 2003?
>
> Using SSL *requires* that the name the client uses to contact the server
> exactly matches the name in the server's certificate.
>
> If your "IT admin" has screwed up this basic stuff, just tell Entourage to
> contact the broken name, and then hardwire this broken name in your
> /etc/hosts file.
>
> In more detail:
>
> Say you are currently talking to "exchange.example.com" and your "IT admin"
> has used the name "broken-name.microsoft.com" in the certificate.
>
> 1) Use the Lookup tab in Network Utility.app to find the IP address for
> exchange.example.com. Say it returns 1.2.3.4...
>
> 2) In Terminal.app, type:
>
> sudo -s
> echo "1.2.3.4 broken-name.microsoft.com" >> /etc/hosts
> exit
>
> 3) Restart Entourage.
>
> Cheers,
>
> Chris
>

--
Nathan Herring
MacBU SDE/Development

This posting is provided "AS IS" with no warranties, and confers no rights.
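
The matching rules listed in the reply above, written out as an added Python example (not code from Entourage or from anyone in this thread). It assumes the certificate is already parsed into a dict; the field names and sample certificates are constructed, and comparing IP targets only against subjectAltName IP entries is this example's own choice.

```python
import ipaddress

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # Server Authentication purpose (EKU is 2.5.29.37)

def _labels_match(pattern, host):
    """Compare label by label; a '*' label matches exactly one host label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*.foo.com" therefore never covers "a.b.foo.com"
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_server_cert(cert, target):
    """Return (ok, reason) for the name or address the client connected to."""
    # Rule 2: a critical EKU extension must list Server Authentication.
    eku = cert.get("eku")
    if eku and eku["critical"] and SERVER_AUTH not in eku["purposes"]:
        return False, "critical EKU lacks Server Authentication"
    # Rule 1: match the common name OR a subjectAltName entry.
    if _is_ip(target):
        # Assumption of this example: IPs are matched only against SAN IPs.
        wanted = ipaddress.ip_address(target)
        if any(ipaddress.ip_address(i) == wanted for i in cert.get("san_ip", [])):
            return True, "matched IP in subjectAltName"
        return False, "host name mismatch"
    if _labels_match(cert.get("common_name", ""), target):
        return True, "matched common name"
    if any(_labels_match(n, target) for n in cert.get("san_dns", [])):
        return True, "matched FQDN in subjectAltName"
    return False, "host name mismatch"

# Constructed sample certificates (hypothetical field layout).
WILDCARD = {"common_name": "*.foo.com", "san_dns": [], "san_ip": [],
            "eku": {"critical": True, "purposes": [SERVER_AUTH]}}
CLIENT_ONLY = {"common_name": "mail.foo.com", "san_dns": [], "san_ip": [],
               "eku": {"critical": True, "purposes": ["1.3.6.1.5.5.7.3.2"]}}
MISNAMED = {"common_name": "broken-name.microsoft.com",
            "san_dns": [], "san_ip": ["1.2.3.4"], "eku": None}
```

Returning the reason alongside the verdict keeps a name mismatch distinguishable from a key-usage failure when the error is reported.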
