MSSL User Note #26

The MSSL Certification Authority

Paul Lamb v1.3.1 13-Jul-2007

DEPRECATED

Very briefly...

Encryption commonly uses two keys:

First, a private (secret) key held in a file used to decrypt messages sent to you.

Secondly, a public key which is distributed in a "Certificate file" which allows people to encrypt messages to you. The certificate includes the name of its owner (or a service).

Certificates are digitally "signed" (validated) by a Certification Authority (CA) whose name is also included on the certificate. Browsers which recognise the CA can verify the signature on that certificate.

Browsers which do not recognise the CA will generate lots of irritating messages. You will see these increasingly as services make use of encryption.

You can stop the irritating browser messages about unverifiable MSSL certificates by making your browser aware of the MSSL Certification Authority. This is what you do...


The MSSL Certification Authority certificate

If needed, this is available in human-readable (X.509) form and in encoded form (PEM). It has this fingerprint.


Adding the MSSL Certification Authority to Mozilla Thunderbird

Save the MSSL CA certificate to a local file (right click; save link target), remembering the local file name and location.

In Mozilla Thunderbird (or Mozilla Firefox), go to Tools:Options

Select 'Manage Certificates'.

Press the 'Authorities' tab then press 'Import'.

Select the local file containing the MSSL CA certificate.

Select all the trust options and press OK three times.


Adding the MSSL Certification Authority to Mozilla (v1.5)

Save the MSSL CA certificate to a local file (right click; save link target), remembering the local file name and location.

In Mozilla, select Edit:Preferences and expand 'Privacy & Security'.

Select 'Certificates' then 'Manage Certificates'.

Press the 'Authorities' tab then press 'Import'.

Select the local file containing the MSSL CA certificate.

Select all the trust options and press OK three times.


Adding the MSSL Certification Authority to Outlook (Windows 98)

Save the MSSL CA certificate to a local file (right click; save target as), remembering the local file name and location.

In Outlook go to Tools:Options.

Press the 'Security' tab then select 'Digital IDs' to enter the certificate manager.

Press the 'Trusted Root Certification Authorities' tab then press 'Import'.

Select the local file containing the MSSL CA certificate and press 'Next'.

Select 'Finish' and accept the certificate.

Close the certificate manager.


Adding the MSSL Certification Authority to Outlook (Windows 2000)

Save the MSSL CA certificate to a local file (right click; save target as), remembering the local file name and location.

In Internet Explorer go to Tools: Internet Options.

Press the 'Contents' tab then select 'Certificates'.

Press the 'Trusted Root Certification Authorities' tab then press 'Import'.

Select the local file containing the MSSL CA certificate and press 'Next'.

Select 'Finish' and accept the certificate.

Close the certificate manager.


Adding the MSSL Certification Authority to Unix

Find the location of the SSL certificates (try /usr/local/ssl/certs/ or /usr/share/ssl/certs/ or /etc/pki/tls/certs); cd to there.

Obtain copies of the MSSL certificate in X.509 form (MSSL_signing_certificate.crt.x509.txt) and in PEM encoded form (MSSL_signing_certificate.pem).

Make SSL aware of the MSSL Certification Authority:

cat MSSL_signing_certificate.crt.x509.txt MSSL_signing_certificate.pem >> ca-bundle.crt

Note the above is an append.

chmod o+r MSSL_signing_certificate.pem ca-bundle.crt

To accommodate those utilities (e.g. pine) which access this certificate via a hash, create a hash-named link (use sh or bash):

CERT=MSSL_signing_certificate.pem

ln -s $CERT `openssl x509 -noout -hash < $CERT`.0

Shell beginners should note carefully the syntax here: the command between backquotes is executed and its output substituted. Here the hash evaluates to 8e50763e.

Check that 8e50763e.0 (or whatever) is a softlink to MSSL_signing_certificate.pem.
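
An added example (not part of the original note): the Unix steps above wrapped in a sh function that first checks the certificate against a fingerprint obtained out of band, and only then appends it to the bundle (once) and creates the hash link. The names install_ca and norm_fp, the argument order, the marker line written to the bundle and the use of a SHA-256 fingerprint are assumptions; the note does not say which digest its published fingerprint uses.

```sh
#!/bin/sh
# Added example: check a CA certificate against a known fingerprint before
# trusting it, then repeat the note's bundle and hash-link steps idempotently.
# Usage: install_ca CERT EXPECTED_SHA256 CERTS_DIR
#   EXPECTED_SHA256 is obtained out of band; colons and case are ignored.

# Reduce "ab:cd:..." or "ABCD..." to bare upper-case hex.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

install_ca() {
    cert=$1; expected=$2; dir=$3

    # openssl prints "<digest> Fingerprint=AB:CD:..."; keep what follows '='.
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 2
    actual=$(norm_fp "${actual#*=}")
    if [ "$actual" != "$(norm_fp "$expected")" ]; then
        echo "fingerprint mismatch for $cert; not installing" >&2
        return 1
    fi

    # Copy into the certs directory unless an identical file is already there.
    name=$(basename "$cert")
    cmp -s "$cert" "$dir/$name" || cp "$cert" "$dir/$name" || return 2

    # Append once only: the marker line lets a re-run detect the earlier append.
    # (A copy appended by hand without the marker is not detected.)
    bundle=$dir/ca-bundle.crt
    marker="# $name sha256:$actual"
    if ! grep -qF "$marker" "$bundle" 2>/dev/null; then
        { echo "$marker"; openssl x509 -in "$cert"; } >> "$bundle" || return 2
    fi
    chmod o+r "$dir/$name" "$bundle"

    # Hash-named link for utilities that look the certificate up by hash.
    subj_hash=$(openssl x509 -in "$cert" -noout -hash) || return 2
    ln -sf "$name" "$dir/$subj_hash.0"
}
```

A return status of 1 means the fingerprint did not match and nothing was written; 2 means openssl or a file operation failed.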


Paul Lamb
26-Apr-2004, 21-May-2004, 22-June-2004, 3-Aug-2004, 14-Jan-2005, 13-Jul-2007