Of .p12 certs, email, and exim
Sending mail with a .p12 certificate using Exim.
It was way harder to figure this out than it ever ought to have been. This essay is left as a breadcrumb for the next hapless soul trying to work it out…
I don't send email using Lookout! or connect to the corporate email server with any of the Microsoft proprietary protocols. But our IT folks quite reasonably refuse to deliver email from untrusted sources.
The other email relay I use (the excellent “mailhop” service, apparently recently rebranded as Dyn Standard SMTP) handles this problem with authentication; I had to configure my MTA to connect with a username and password. That was relatively straightforward.
Our corporate server requires instead that I connect using TLS with a particular certificate. To this end, I was issued a “.p12” certificate.
Now the challenge was, how do I tell Exim to connect using that certificate?
You can't, at least not directly. A .p12 file is a PKCS#12 container: a binary, password-protected bundle that packs the private key and the certificate (and often the issuing CA chain) into a single file, whereas Exim expects the certificate and the key as separate files.
So what you have to do is extract the certificate part and the key part from the .p12 file so that you can use them in Exim. This worked for me:
$ openssl pkcs12 -nocerts -in nwalsh.cert.p12 -out nwalsh.p12.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
$ openssl pkcs12 -nokeys -in nwalsh.cert.p12 -out nwalsh.p12.cert
Enter Import Password:
MAC verified OK
Obviously, you have to know the password with which the .p12 file is encrypted. You also have to specify a pass phrase when you create the .key file; at least, when I didn't, I didn't get a valid .key file.
Trouble is, now you have a .key file that has a passphrase. If there's a way to configure Exim to use that passphrase, I don't know what it is. But this suggestion to remove the passphrase worked:
$ cp nwalsh.p12.key nwalsh.p12.key.ORIG
$ openssl rsa -in nwalsh.p12.key.ORIG -out nwalsh.p12.key
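The extraction above, carried through as a script so it can be run end to end. This is an added example, not part of the original post: it builds a throwaway self-signed certificate and packs it into a constructed .p12 (so it runs without a corporate certificate), mirrors the post's two-step extraction non-interactively with openssl's -passin/-passout options, strips the pass phrase exactly as the post does with `openssl rsa`, and then adds the two checks worth doing before handing the files to Exim: that the key really is unencrypted, and that the key and certificate belong together. Because the resulting key has no pass phrase, file permissions are all that protects it, so the script sets a restrictive umask before writing it and ends with chmod 600. The file names, the passwords and the demo certificate subject are all constructed; the openssl subcommands and flags are real.

```shell
#!/bin/sh
# Added example (not from the original post): extract an Exim-usable key and
# certificate from a PKCS#12 bundle, strip the key's pass phrase and verify
# the result. File names and passwords here are constructed for the demo.
set -eu

# Build a throwaway .p12 so the script runs without a real corporate cert.
# $1 = output .p12 path, $2 = import password that protects it
make_demo_p12() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=nwalsh-demo" \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/demo.key" -in "$dir/demo.crt" \
        -passout "pass:$2" -out "$1"
    rm -rf "$dir"
}

# Mirror the post's two-step extraction, non-interactively.
# $1 = .p12 file, $2 = import password, $3 = key output, $4 = cert output
p12_extract() {
    p12=$1; import_pw=$2; keyout=$3; certout=$4
    # The key ends up unencrypted, so never let it be created world-readable,
    # not even briefly.
    umask 077
    # Step 1: key only. openssl wants a PEM pass phrase for the output here
    # (the -nodes flag would skip it); we follow the post and use a temporary
    # one that is removed again in step 3.
    openssl pkcs12 -nocerts -in "$p12" -passin "pass:$import_pw" \
        -passout pass:temporary -out "$keyout.ORIG" 2>/dev/null
    # Step 2: certificate(s) only. If the bundle carries a CA chain, every
    # certificate lands in this file, the client certificate first.
    openssl pkcs12 -nokeys -in "$p12" -passin "pass:$import_pw" \
        -out "$certout" 2>/dev/null
    # Step 3: rewrite the key without the pass phrase ('openssl pkey' does the
    # same job for non-RSA keys).
    openssl rsa -in "$keyout.ORIG" -passin pass:temporary \
        -out "$keyout" 2>/dev/null
    rm -f "$keyout.ORIG"
    chmod 600 "$keyout"
}

# Returns 0 if the key file is no longer pass-phrase protected.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Returns 0 if key and certificate belong together: the public key derived
# from each must be identical.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Demo run against the constructed bundle.
demo() {
    work=$(mktemp -d)
    make_demo_p12 "$work/nwalsh.cert.p12" 'import-secret'
    p12_extract "$work/nwalsh.cert.p12" 'import-secret' \
        "$work/nwalsh.p12.key" "$work/nwalsh.p12.cert"
    key_is_unencrypted "$work/nwalsh.p12.key"
    key_matches_cert "$work/nwalsh.p12.key" "$work/nwalsh.p12.cert"
    echo "key and cert extracted and verified in $work"
}

demo
```

For a real bundle, call p12_extract with the corporate .p12 and its import password and point the output at the paths Exim reads; the key file should be owned by the user Exim runs as and readable by nobody else.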
Finally, I configured the Exim transport that I use to connect to our corporate server to use the extracted certificate and key:
remote_smtp_marklogic:
  debug_print = "T: remote_smtp_marklogic for $local_part@$domain"
  driver = smtp
  port = portnumber
  hosts_require_tls = servername.marklogic.com
  tls_certificate = /usr/local/exim/nwalsh.p12.cert
  tls_privatekey = /usr/local/exim/nwalsh.p12.key
Problem solved. And more quickly for you, I hope.