using NNTPS (nnrp with ssl) with windows mail / thunderbird on windows vista

[Julien ÉLIE]

Hi David,

> i have working nnrpd with SSL configuration. I am using my custom generated
> SSL certificate signed with my own Certification Authority. Each time i am
> accessing news in Windows Mail client i am getting message , that
> certificate is not trusted and cannot be verified.
> I want to get rid off this message by importing my custom CA (or probably
> custom certificate) into windows certification storage and make it trusted
> so i will not get this message again.

Yes, you have to import your root CA into your certification storage
(I use "mmc" to do that).


> So far, i have converted my cacert.pem to der format using :
> openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der
>
> Then, i have converted my nnrpd certificate to pk12 format using:
> openssl pkcs12 -export -clcerts -in nnrpd.cert.pem -inkey nnrpd.key.pem -out
> clcert.p12

It sounds complicated.
I do not know where the problem is but I can tell you what I did with
CURRENT INN, which has the following "make cert":

        $(SSLBIN) req -new -x509 -nodes \
            -out $(D)$(PATHLIB)/cert.pem -days 366 \
            -keyout $(D)$(PATHLIB)/key.pem
        chown $(RUNASUSER) $(D)$(PATHLIB)/cert.pem
        chgrp $(RUNASGROUP) $(D)$(PATHLIB)/cert.pem
        chmod 640 $(D)$(PATHLIB)/cert.pem
        chown $(RUNASUSER) $(D)$(PATHLIB)/key.pem
        chgrp $(RUNASGROUP) $(D)$(PATHLIB)/key.pem
        chmod 600 $(D)$(PATHLIB)/key.pem

I think your inn.conf (or sasl.conf) configuration is fine according
to what you tell.

I only did:

        cp key.pem news.trigofacile.com.crt

and imported news.trigofacile.com.crt as root CA in my certification storage.
No problem afterwards.


> Can someone help me please, or point me to solution?

Well, I do not know whether what I wrote could help you, but anyway,
better say it in case it helps.

-- 
Julien ÉLIE

« Pas question de faire voler un tapis volé ! » (Astérix)