Ok solved my own problem.

Steps to take to make it work

1.) Find and modify the cert inf file, newreq.inf will
work and I've enclosed a copy in this thread.
2.) After modifying the newreq.inf file for the FQDN
run certreq -new newreq.inf imaps.mycomp.com.req
3.) Move this over to your openssl CA and sign it.
4.) Move a copy of your certificate over to your
Exchange 2003 server.
5.) certreq -accept imaps.mycomp.com.cert
6.) Open MMC snap in for certificate and take a look
at local computer -> personal certificate. Double
click on your new certificate and make sure it has
"This certificate has a private key that matches" at
the bottom.

7.) Open up Exchange System Manager gui and go to
Administrative Groups -> First Administrative Group ->
Servers -> YOUREXCHGSERVR -> Queues -> Protocols ->
IMAP4 -> Default IMAP4, right mouse click and choose
properties. From there you should see the virtual
server properties dialog box. Choose the Access tab
then choose the Certificate button.

You should get welcome to certificate wizard, click
next and choose/tick "replace the current
certificate", then next. You will be shown a list of
certificates in the computer's local personal group.
Choose the imaps.mycomp.com certificate and click
next.

This will bind the certificate of choice to the IMAP4
service. You can test this using the openssl
s_client -connect service:993 command.

Hopefully this will help someone out there!

------------------newreq.inf ---------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; add your server FQDN
Subject = "CN=imaps.mycomp.com"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = server authentication
OID=1.3.6.1.5.5.7.3.1
--------------------------------------------
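The openssl CA side of step 3, plus the checks worth running before copying the cert back for certreq -accept, as an added example that is not part of the original post. It assumes openssl on PATH, and constructs a throwaway CA and a stand-in key/request in place of the real certreq output (names like imaps.mycomp.com and "Demo CA" are constructed).

```shell
#!/bin/sh
# Added example: sign a PKCS10 request with an openssl CA and verify the result.
# Assumes openssl 1.1 or later. Everything here is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN=imaps.mycomp.com

# Stand-in for the Windows certreq request: a key plus a PKCS10 CSR. On the
# real server the private key stays in the machine store; only the .req moves.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -subj "/CN=$FQDN" -out "$WORK/$FQDN.req" 2>/dev/null
}

# Tiny self-signed CA standing in for "your openssl CA".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Sign the request. The EKU from newreq.inf (1.3.6.1.5.5.7.3.1 = serverAuth)
# has to be re-applied here: openssl x509 -req does not copy CSR extensions.
sign_request() {
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$FQDN" \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/$FQDN.req" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/ext.cnf" -out "$WORK/$FQDN.cert" 2>/dev/null
}

# Checks: serverAuth EKU present, CN is the FQDN, and the cert's public key is
# the one from the request (otherwise certreq -accept finds no private key).
check_cert() {
  cert="$WORK/$FQDN.cert"; req="$WORK/$FQDN.req"
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' \
    || { echo "no serverAuth EKU"; return 1; }
  openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$FQDN" \
    || { echo "CN mismatch"; return 1; }
  [ "$(openssl x509 -in "$cert" -noout -modulus)" = \
    "$(openssl req -in "$req" -noout -modulus)" ] \
    || { echo "key mismatch"; return 1; }
  echo ok
}

make_request; make_ca; sign_request; check_cert
```

Once the cert is accepted and bound, the same modulus comparison against the certificate openssl s_client -connect host:993 -showcerts prints confirms IMAP4 is serving the intended certificate.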

--- ray v <[EMAIL PROTECTED]> wrote:

> Hi Team! All!
> 
> I'm just googled to death and need help on this one.
> 
> Server 2003
> Exchange 2003
> Latest patches...all of them..
> 
> Last year I generated cert requests with the
> certutil -new myserver.inf myservers.req
> 
> When generating the certificate I use extendedKeyUsage
> = 1.3.6.1.5.5.7.3.1 for Server authentication. On
> importing the certificate everything worked fine.
> 
> Fast forward July 2006 and I had a couple of Windows
> 2003 servers that needed certs. While following the
> process I had set up from last year, I had trouble and
> found out that I can't use the -new flag with
> certutil.exe. I tried a few suggestions from google
> research; some variants for generating the request while
> leaving the private key in the key store actually
> worked to make the request. But once again I had
> trouble after importing certificates. The Windows
> certificate manager would show the certificate as
> being accepted and good. But on closer inspection I
> saw that Windows could not find the private key to
> match the certificate. This led me to believe some
> sort of key indexing was going on, though I have no
> idea how.
> 
> I decided to create the key, req and cert, then package
> key and cert in a PKCS12/pfx file. This time
> certificate manager shows the certificate as good and
> matching. On testing SLDAP everything worked fine.
> 
> Fast forward to the present..
> None of the procedures I listed above will work. Cert
> manager shows the certificate as good and matching but
> I cannot get a connection to imaps 993 or pops 593.
> If I overwrite the certutil from the adminpack 1 I
> can use the -new flag but the certificate shows an
> un-matching private key message.
> 
> When using openssl s_client -debug -connect I get the
> following
> 
> read from 0x9d62d98 [0x9d68340] (7 bytes => 0 (0x0))
> 25945:error:140790E5:SSL routines:SSL23_WRITE:ssl
> handshake failure:s23_lib.c:188:
> 
> The only thing that appears in Event viewer is the
> following
> 
> IMAP4SVC: Event ID: 1055
> The server certificate for instance '1' could not be
> retrieved because it could not be found in a
> certificate store; the error encountered was
> '0x80092004'
> 
> I'm still researching the meaning of this message but
> I think it's pretty clear something is going on with
> the way the private key is being handled.
> 
> If anyone has another procedure that works for them I
> would very much appreciate knowing about it!
> 
> cheers!
> If you want to know who "THE MAN" is and why he's
> holding us down, I have two words for you: "Windows"
> and "Proprietary".
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> 