Installing X.509 encryption certificates in Windows


Kurt Seifried
06.18.2002

X.509 encryption certificates form the backbone of SSL, an encryption protocol used for everything from Web browsing to sending and receiving email securely. Most products with SSL support in the Windows world rely on the system to store and manage X.509 encryption certificates. In the UNIX world applications are often on their own for X.509 certificate management, making things slightly more difficult.

For most users wishing to use SSL-enabled services, such as HTTP, SMTP, IMAP, POP and so on, finding a client and server capable of supporting it is relatively easy. But for many of us the cost involved in getting a certificate signed by an entity such as Verisign (especially when it requires a yearly renewal fee) can cause problems, assuming of course Verisign will even issue you a certificate of the type you want (outside of standard HTTP certificates you are usually on your own). Consequently, many organizations choose to create self-signed, individual certificates -- avoiding the setup of a certificate authority -- if all they need is a half dozen certificates or fewer. This in turn leads to a new problem: users being prompted to accept an SSL certificate every time they use a service, or in the case of Outlook, being prompted every time they attempt to download e-mail! Of course with a certificate signed by Verisign this would be no problem, since the signing certificate used by Verisign would be installed into Windows.

It follows that the solution is to install your own certificates into Windows on a permanent basis, thus preventing users from being continually prompted to accept certificates. And this is the point where things usually fall apart, since most applications, such as Outlook Express, do not have the ability to import certificates from a server -- leaving users to click "Use this server" every time they check for email.

Fortunately the answer is simple and quick. Using Internet Explorer, load the URL for the service; for example, with an SSL-enabled IMAP server running on "imap.example.com", place the following URL into the Address bar:

https://imap.example.com:993/

The users will be prompted with the normal certificate dialog, and if they choose to install the certificate it will then be available to Outlook Express and other applications that make use of the Windows certificate management.

The following is a list of common SSL-enabled services and their port numbers:

SSL IMAP 993
SSL POP 995
SSL HTTP 443
SSL SMTP 465
SSL NNTP 563
SSL LDAP 636

Point Internet Explorer at the server and the appropriate port, and you will be able to install the certificate with ease. To make life easier for users, you can also export the certificates for distribution, for example in custom builds of Internet Explorer or on a company intranet site.
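
Because a self-signed certificate has no issuer to vouch for it, the value worth checking before anyone installs it (or before it is exported for distribution) is its fingerprint. The following is an added example, not part of the original tip: it fetches the certificate a server presents on one of the ports listed above, compares its SHA-256 fingerprint with a value the administrator obtained out of band, and writes a .cer file only on a match. The function names and the out-of-band fingerprint workflow are assumptions of this example.

```python
import hashlib
import hmac
import ssl

# Ports from the article's list of SSL-enabled services (TLS from the first byte).
SSL_PORTS = {"imap": 993, "pop": 995, "http": 443,
             "smtp": 465, "nntp": 563, "ldap": 636}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as AA:BB:... hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _hex_only(value: str) -> str:
    """Drop colons, spaces and case so differently formatted values compare."""
    return "".join(c for c in value.upper() if c in "0123456789ABCDEF")


def matches(der: bytes, expected: str) -> bool:
    """True only if the certificate hashes to the out-of-band value."""
    return hmac.compare_digest(_hex_only(fingerprint(der)), _hex_only(expected))


def fetch_der(host: str, service: str) -> bytes:
    """Fetch the certificate a server presents, without trusting it yet."""
    pem = ssl.get_server_certificate((host, SSL_PORTS[service]))
    return ssl.PEM_cert_to_DER_cert(pem)


def export_if_verified(der: bytes, expected: str, path: str) -> bool:
    """Write a DER .cer file for distribution only when the fingerprint matches."""
    if not matches(der, expected):
        return False
    with open(path, "wb") as handle:
        handle.write(der)
    return True


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate; in practice use
    # fetch_der("imap.example.com", "imap") and the administrator's fingerprint.
    sample = b"constructed stand-in for DER certificate bytes"
    pinned = fingerprint(sample)
    print(pinned, matches(sample, pinned), matches(sample + b"x", pinned))
```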


About the author
Kurt Seifried is an Information Security Analyst with interests ranging from Microsoft and UNIX systems to network protocols and encryption (to name but a few). He has written a large number of articles (available online) and maintains many resources on his Website. He was formerly the senior analyst and main writer for SecurityPortal. Visit his site at http://seifried.org/security/.

