Community Discussions and Support
External SSL certificate, how to import?

There is an update for Mercury, v4.80, being beta tested right now, and one of the main changes is that Cryptlib has been replaced by OpenSSL. With this version it will be possible to use certificates from any CA. I don't have a release date yet though.

/Rolf 


The new Mercury 4.72 finally supports "old style" SSL, i.e. TLS via a designated port. This is good! We can ditch stunnel now.

But I still can't find any word on how to import our own server certificate. Creating a self-signed certificate is easy, but I can't find the instructions on how to import a "real" certificate. The help file doesn't even mention the file the cert is stored in (it seems to be "Certificate"), but I cannot find out what file format is used. I can create a key pair with openssl and have it signed in house, but I'm stumped as to how to get our cert into Mercury.

Any ideas?

 

Greetings

Markus

 


Slight correction: You have to specify the file name for the certificate, so that is no mystery (it's been a while since I last clicked on "create certificate"). But still, no indication what file format is used.

Also, there actually is an "import" button, but it is greyed out, no explanation given.

Greetings

Markus

 


Creating a self-signed certificate is easy, but I can't find the instructions on how to import a "real" certificate.
You can't find it because it's not there.  Mercury/32 only uses self-signed certificates.  

Well, I figured that there is no easy import routine. The point is, I need to use a signed certificate, not a self-signed one. I can produce certificates in all kinds of formats and encrypt the file with a password, I just need to know what format to use and which password (if any).

 

Greetings

Markus

 


Well, I figured that there is no easy import routine. The point is, I need to use a signed certificate, not a self-signed one. I can produce certificates in all kinds of formats and encrypt the file with a password, I just need to know what format to use and which password (if any).

Mercury/32 only uses self-signed certificates and so if you need a real certificate then you need to use STunnel.

That's the setup we have at the moment: Use Mercury's internal method for STARTTLS on the unencrypted port (with Mercury's self-signed certificate) and STunnel for the designated TLS port (called "SSL" usually, though it is TLS now).

This setup has several problems: First, I do not see IP addresses of "SSL" users, since they go through stunnel. This makes troubleshooting very tiresome. Second, our users are presented with two different certificates, depending on which flavor of encryption method they use. This is confusing.

Since you say Mercury only uses self-signed certificates, where does it store its private and public key? The certificate file looks a bit small to contain more than the certificate itself, but I might be mistaken. Perhaps keys and certs are stored in the Windows certificate store?

If I know where stuff is stored, and in which format, I might be able to figure out by myself how to place our external cert there. I just need a little more information.

Greetings

Markus Borst

 


Any idea if David has included the use of SSL signed certificates on the development roadmap?

Yes he has - but nothing said about time estimates.

You may want to explore how to create/convert SSL certs via OpenSSL - I've seen something like:

openssl pkcs12 -in "c:\pkcs12-filename.pfx" -nocerts -out C:\domainname.key
openssl pkcs12 -in "c:\pkcs12-filename.pfx" -clcerts -nokeys -out C:\domainname.crt
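The PKCS#12 split quoted above, carried through as an added example (this is not code from the thread or from Mercury): it builds a throwaway key/certificate pair, bundles it into a password-protected .pfx the way a CA portal or a Windows export would deliver it, splits it back out with the two openssl commands, and then checks that the extracted key really belongs to the extracted certificate, which is the mistake that most often bites when a cert is shuffled between formats. It assumes the openssl CLI is on PATH; the host name in the subject, the file names and the password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mercury.
# Round-trip a server key and certificate through PKCS#12 with the openssl
# CLI, then verify that the extracted key belongs to the extracted
# certificate. Assumes the openssl CLI is on PATH; names are placeholders.
set -eu

# Throwaway self-signed key/cert pair standing in for a CA-issued one.
# $1 = output dir
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Bundle key + cert into a password-protected .pfx, the form a commercial
# CA portal or a Windows certificate export usually hands you.
# $1 = dir, $2 = export password
make_pfx() {
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -out "$1/server.pfx" -passout "pass:$2"
}

# The split from the post: private key and certificate out of the .pfx as
# PEM. -nodes writes the key unencrypted, so lock the file down at once.
# $1 = dir, $2 = .pfx password
split_pfx() {
    openssl pkcs12 -in "$1/server.pfx" -passin "pass:$2" \
        -nocerts -nodes -out "$1/domain.key" 2>/dev/null
    chmod 600 "$1/domain.key"
    openssl pkcs12 -in "$1/server.pfx" -passin "pass:$2" \
        -clcerts -nokeys -out "$1/domain.crt" 2>/dev/null
}

# Does this private key belong to this certificate? Derive the public key
# from each side and compare; works for RSA and EC keys alike.
# $1 = key file, $2 = cert file. Prints match/MISMATCH, returns 0 on match.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then
        echo "match"; return 0
    fi
    echo "MISMATCH"; return 1
}

# Subject and issuer of a PEM certificate; identical means self-signed.
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

demo() {
    d=$(mktemp -d)
    make_test_pair "$d"
    make_pfx "$d" 'changeit'
    split_pfx "$d" 'changeit'
    cert_names "$d/domain.crt"
    key_matches_cert "$d/domain.key" "$d/domain.crt"
    rm -rf "$d"
}

# Run with any argument to execute the round trip: sh pfx_split.sh go
if [ "$#" -gt 0 ]; then demo; fi
```

On a real .pfx from a CA, skip make_test_pair and make_pfx and point split_pfx at the file you were given; the key_matches_cert step is the one to keep, because a .pfx exported from the wrong machine contains a valid certificate with the wrong private key and nothing in the split itself will tell you.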

Does this actually work? As far as I know, it's a bit unclear how Mercury stores its key and (self-signed) cert, since the one file it generates seems not big enough to store both. Also, the file is encrypted somehow, so we need a way to tell Mercury which password to use.

This is actually my original question which started this thread: How to save my own cert, so that Mercury uses it?

Have you been able to actually import an external cert?

 

Greetings

Markus

 


The cert is stored in "pkcs #15" format by a library called "cryptlib"

The protocol (afaik) does not allow for export, as it is designed for smartcards, but I do note that you can easily extract the actual certificate from the running server.

For that, you need a copy of openssl, and to run the following command:

openssl s_client -starttls smtp -showcerts -connect 127.0.0.1:25

and the big block of base64 in the middle is the cert in PEM format :)
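Dave's extraction, as an added example (not code from the post or from Mercury): a script that pulls the leaf certificate from the STARTTLS port and from the implicit-TLS (stunnel) port, prints each SHA-256 fingerprint, reports whether each is self-signed by comparing issuer and subject, and says whether the two ports agree, which is the double-certificate situation Markus describes earlier in the thread. It assumes the openssl CLI is on PATH; mail.example.test and the ports 25 and 465 are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mercury.
# Fetch the certificate a mail server presents on its STARTTLS port and on
# its implicit-TLS port, fingerprint both, flag self-signed ones and report
# whether the two ports agree. Assumes the openssl CLI is on PATH.
set -eu

# Keep only the first (leaf) certificate from s_client -showcerts output.
extract_leaf() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | awk '{ print } /-----END CERTIFICATE-----/ { exit }'
}

# $1 = host, $2 = port, $3 = "starttls" (SMTP upgrade) or "tls" (implicit).
# stdin is redirected from /dev/null so s_client does not sit waiting.
fetch_cert() {
    if [ "$3" = "starttls" ]; then
        openssl s_client -starttls smtp -showcerts -connect "$1:$2" </dev/null 2>/dev/null
    else
        openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null
    fi | extract_leaf
}

# SHA-256 fingerprint of a PEM certificate, colon-separated hex only.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# A certificate whose issuer equals its subject is self-signed (what
# Mercury's built-in "create certificate" produces). Prints the verdict,
# returns 0 for self-signed, 1 otherwise.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    if [ "$s" = "$i" ]; then echo "self-signed"; return 0; fi
    echo "CA-issued"; return 1
}

# $1 = host, $2 = STARTTLS port, $3 = implicit-TLS port.
compare_ports() {
    d=$(mktemp -d)
    fetch_cert "$1" "$2" starttls > "$d/starttls.pem"
    fetch_cert "$1" "$3" tls      > "$d/tls.pem"
    for f in starttls tls; do
        [ -s "$d/$f.pem" ] || { echo "no certificate from $f port"; rm -rf "$d"; return 2; }
        printf '%-9s %s (%s)\n' "$f" "$(fingerprint "$d/$f.pem")" \
            "$(is_self_signed "$d/$f.pem" || true)"
    done
    if [ "$(fingerprint "$d/starttls.pem")" = "$(fingerprint "$d/tls.pem")" ]; then
        echo "both ports present the same certificate"; r=0
    else
        echo "the two ports present DIFFERENT certificates"; r=1
    fi
    rm -rf "$d"
    return $r
}

# Usage: sh check_mail_certs.sh mail.example.test 25 465
if [ "$#" -eq 3 ]; then
    compare_ports "$1" "$2" "$3"
fi
```

Issuer equals subject is the usual quick test and is what a mail client's warning is reacting to, but it does not prove the signature; if you need that as well, `openssl verify -CAfile cert.pem cert.pem` succeeds only when the certificate validates against itself.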

Thanks Dave, but your instructions allow one to export the self-signed certificate from Mercury, presumably to pre-install it into a mail client.

The question was how to import an external, "official" certificate from a commercial cert provider, or from one's own PKI infrastructure for that matter. As far as I know, this is not (yet) possible with Mercury.

Greetings

Markus

Was there any updates to this?

Is it possible to get a signed certificate from a "real" CA to import for SMTP TLS/SSL (so the STARTTLS) will work without using the internal self signed certificate?

Cheers
Ad
