Of .p12 certs, email, and exim

Volume 15, Issue 8; 08 Mar 2012

Sending mail with a .p12 certificate using Exim.

It was way harder to figure this out than it ever ought to have been. This essay is left as a breadcrumb for the next hapless soul trying to work it out…

I don't send email using Lookout! or connect to the corporate email server with any of the Microsoft proprietary protocols. But our IT folks quite reasonably refuse to deliver email from untrusted sources.

The other email relay I use (the excellent “mailhop” service, apparently recently rebranded as Dyn Standard SMTP) handles this problem with authentication; I had to configure my MTA to connect with a username and password. That was relatively straightforward.

Our corporate server requires instead that I connect using TLS with a particular certificate. To this end, I was issued a “.p12” certificate.

Now the challenge was, how do I tell Exim to connect using that certificate?

  1. You can't. A .p12 certificate is some sort of binary representation of multiple parts of a key/certificate pair. Or something.

  2. So what you have to do is extract the certificate part and the key part from the .p12 file so that you can use them in Exim. This worked for me:

    $ openssl pkcs12 -nocerts -in nwalsh.cert.p12 -out nwalsh.p12.key
    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    $ openssl pkcs12 -nokeys -in nwalsh.cert.p12 -out nwalsh.p12.cert
    Enter Import Password:
    MAC verified OK

    Obviously, you have to know the password with which the .p12 file is encrypted. You also have to specify a pass phrase when you create the .key file; at least, when I didn't, I didn't get a valid .key file.

  3. Trouble is, now you have a .key file that has a passphrase. If there's a way to configure Exim to use that passphrase, I don't know what it is. But this suggestion to remove the passphrase worked:

    $ cp nwalsh.p12.key nwalsh.p12.key.ORIG
    $ openssl rsa -in nwalsh.p12.key.ORIG -out nwalsh.p12.key

  4. Finally, I configured the Exim transport that I use to connect to our corporate server to use the extracted certificate and key:

    remote_smtp_marklogic:
      debug_print = "T: remote_smtp_marklogic for $local_part@$domain"
      driver = smtp
      port = portnumber
      hosts_require_tls = servername.marklogic.com
      tls_certificate = /usr/local/exim/nwalsh.p12.cert
      tls_privatekey = /usr/local/exim/nwalsh.p12.key
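
Before pointing the transport at the extracted files, it is worth confirming that the key really has no passphrase left, that it matches the certificate, and that the now-unencrypted key is not readable by other users. The check below is an added example, not part of the original post; the function names and the throwaway demo certificate are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function and file names are
# assumptions; the demo certificate is constructed throwaway data.

# check_exim_tls_pair CERT KEY
# Returns 0 if every check passes, otherwise 1-4 (see the messages).
check_exim_tls_pair() {
    cert=$1 key=$2

    # 1. The key must load with no passphrase: Exim runs unattended and
    #    cannot answer a prompt. "pass:" supplies an empty passphrase, so an
    #    encrypted key fails here instead of asking on the terminal.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "key unreadable or still passphrase-protected: $key" >&2
        return 1; }

    # 2. The certificate must parse as PEM (first certificate in the file).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2
        return 2; }

    # 3. Both files must carry the same public key.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "certificate and key do not belong together" >&2
        return 3; }

    # 4. The key is now stored in the clear, so only its owner may touch it.
    #    Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "key open to group/others ($perms); chmod 600 $key" >&2
        return 4; }
}

# Constructed sample input: throwaway self-signed pair written into dir $1.
make_demo_pair() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.invalid" \
          -days 1 -keyout "$1/demo.key" -out "$1/demo.cert" ) >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_pair "$demo" &&
    check_exim_tls_pair "$demo/demo.cert" "$demo/demo.key" &&
    echo "demo pair passes all checks"
rm -rf "$demo"
```

Against the real files the call would be `check_exim_tls_pair /usr/local/exim/nwalsh.p12.cert /usr/local/exim/nwalsh.p12.key`. The key must also be owned by, or otherwise readable to, the user Exim runs as.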

Problem solved. And more quickly for you, I hope.