
Kerio User Forums » Kerio Connect » Adding/renewing a SSL Certificate with a Cross Certificate (How to add a cross certificate along with a SSL certificate purchased from a CA)
jbbobiak

Recently I needed to update my mail server SSL certificate. I generated a request and sent it to the Certification Authority (CA), in this case Entrust. After payment to the CA I got a link to their website where my certificate was along with instructions. Everything was as I have experienced previously, with the exception of a new addition: the "Cross Certificate".


I ignored the Cross Cert (mistake) and then imported the new cert to the Kerio Connect followed by a stop then start of the mail service.

Our Kerio Connect web server then started reporting a bad certificate from the client web browsers.

I called Entrust the CA and they had me append the certificate file (*.crt) with the Cross Certificate something like this:


-----BEGIN CERTIFICATE-----
...
d+tQ2xST6pCEzhxpq9KGIEA2C4P3LP/FC/+apwECAwEAAaOCAR0wggEZMAsG
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE8jCCA9qgAwIBAgIEOGPp/DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRpj
LjE5MDcGA1UECxMwd3d3LmVudHJ1c3QubmV0L3JwYSBpcyBpbmNvcnBvcmF0ZWQg
YnkgcmVmZXJlbmNlMR8wHQYDVQQLExYoYykgMjAwOSBFbnRydXN0LCBJbmMuMS4w
LAYDVQQDEyVFbnRydXN0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gTDFDMIIB
AQABo4IBCzCCAQcwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wMwYI
KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5l
dDAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmVudHJ1c3QubmV0LzIwNDhj
YS5jcmwwOwYDVR0gBDQwMjAwBgRVHSAAMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93
P93kDv4LPrmY2TKVHTL0Ae6cyMjlP+BTdmL83attPZSQ8sCzPJgnNl4olyL8G0DT
Kw2ttVdt3w/jS+9zAhBl+hvQrDHV4w/oujIwg+5K0L/fIpB6vuw6G8RJBB3xroB3
PEII26c7KKaAAQPmOaPr34BZG/MsvtxyRHmgbAelbU1EjkJoypR8Lja6hZ7NqsRe
PFS+/i/qaZ0cHimbltjI/lGQ8SSmkAaz8Cmi/3gud1xFIdlEADHzvjJP9QoyDfz8
uhZ2VrLWSJLyi6Y+t6xcaeoLP2ZFuQ==
-----END CERTIFICATE-----


The top part is the Certificate and the bottom part is the Cross Certificate.

I then imported this appended *.crt file, then followed up with a stop then start of the mail service.

The issue was resolved.

One more note: The bad cert report at the top of the end-user webmail browser may still be in cache. The site error will not be present when attempting to log in, but the pink error address banner may still be present until the browser cache is cleared.

[Updated on: Wed, 21 April 2010 03:21]


JBBOBIAK
Never trust a user
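Added example, not from this thread or from Kerio or Entrust: a small Go program that checks a concatenated *.crt file the way the procedure above requires, before it is imported and the mail service restarted. CheckBundleOrder confirms the file is server certificate first, followed by the certificate that signed it (the "Cross Certificate" here), and VerifyAsClient does what the complaining browsers did: builds a path from the server certificate to a trusted root using only what the bundle supplies. Function names, and the constructed root / cross CA / mail.example.com chain it generates for itself, are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseBundle splits a concatenated PEM file into certificates, in file order.
func parseBundle(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", len(certs)+1, err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found")
	}
	return certs, nil
}

// CheckBundleOrder checks the file is an ordered chain (server cert first, each
// block signed by the next) and returns the common names in file order.
func CheckBundleOrder(bundle []byte) ([]string, error) {
	certs, err := parseBundle(bundle)
	if err != nil {
		return nil, err
	}
	names := []string{certs[0].Subject.CommonName}
	for i := 1; i < len(certs); i++ {
		// CheckSignatureFrom also insists certs[i] is a CA allowed to sign, so a
		// bundle pasted in the wrong order (cross cert on top) fails here too.
		if err := certs[i-1].CheckSignatureFrom(certs[i]); err != nil {
			return nil, fmt.Errorf("block %d (%s) was not signed by block %d (%s): %w",
				i, certs[i-1].Subject.CommonName, i+1, certs[i].Subject.CommonName, err)
		}
		names = append(names, certs[i].Subject.CommonName)
	}
	return names, nil
}

// VerifyAsClient does what a browser does: trust only rootPEM, treat the rest of
// the bundle as intermediates, and build a path from the server certificate.
func VerifyAsClient(bundle, rootPEM []byte) error {
	certs, err := parseBundle(bundle)
	if err != nil {
		return err
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM)
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	_, err = certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// issue signs tmpl with parentKey (self-signed when parent is nil); test data only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // a bug in the constructed template, not a runtime condition
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ConstructedChain builds a throwaway root -> cross CA -> server chain (constructed test certs, made-up names).
func ConstructedChain() (rootPEM, crossPEM, leafPEM []byte) {
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	}
	root, rootKey, rootPEM := issue(ca(1, "Example Trusted Root"), nil, nil)
	cross, crossKey, crossPEM := issue(ca(2, "Example Cross CA"), root, rootKey)
	_, _, leafPEM = issue(&x509.Certificate{SerialNumber: big.NewInt(3),
		Subject: pkix.Name{CommonName: "mail.example.com"}, DNSNames: []string{"mail.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, cross, crossKey)
	return rootPEM, crossPEM, leafPEM
}

func main() {
	rootPEM, crossPEM, leafPEM := ConstructedChain()
	good := append(append([]byte{}, leafPEM...), crossPEM...) // what the CA told the poster to build
	fmt.Println(CheckBundleOrder(good))
	fmt.Println("with cross cert:", VerifyAsClient(good, rootPEM), "/ without:", VerifyAsClient(leafPEM, rootPEM))
}
```

Run with go run: the first line lists the bundle order, the second shows the client verdict with the cross certificate present (nil) and with it left out (an unknown authority error), which is the "bad certificate" the browsers reported. Against a real file, read the appended *.crt into bundle and the CA's published root into rootPEM; the check does not care whether the vendor calls the middle certificate "cross" or "intermediate", only that it links the server certificate to something the client already trusts.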
TorW

The case with intermediate certificates is described in the manual: http://manuals.kerio.com/connect/adminguide/en/sect-kmscert.html. I wonder why Entrust calls it "Cross Certificate" though.

jbbobiak

I read that in the Kerio Connect manual too. I read somewhere in the Entrust support site where they "DO NOT" issue intermediate certificates as well. That's why I got tripped up when installing the new Cert. I don't know the difference between one or the other. Maybe they are the same thing...Terminology is everything. Wink Maybe the term "Cross Certificate" should be added to the Kerio Connect manual since the procedure is the same?

JBBOBIAK
Never trust a user
TorW

Well, a "Cross Certificate" is a root certificate which is signed by the root certificate of a different CA. An intermediate certificate achieves the same thing, but both root certs are from the same CA in the latter case. That's my experience at least.

Technically the two are indistinguishable for the admin, not to mention the end user. But since the world's current PKI infrastructure basically is a marketdroid pissing contest and quite a lot of FUD, I assume some guy in a suit somewhere thinks the difference in nomenclature is of the utmost importance.

Signing certificates with your own root certificate and distributing the public part of it to all your clients is actually rather easy, but for MS, Verisign and all the others, it can't be made foggy or convoluted enough. It's almost a scam.

Sorry about the rant Wink