Entourage - Exchange SSL connection in Leopard now WORKING.

[nix.hanno]

OK. After much frustration I finally have Entourage making an SSL connection to an Exchange server in Mac OS X Leopard after performing the OS installation from scratch.

All that is needed is your root certificate - no private key, no digital identity, no microsoft intermediate junk or any of that hullabaloo - just the root certificate only.

Now do the following:

1. Put the root certificate in your home folder.
2. Open a terminal.
3. Type the following:

sudo certtool i root_certificate.cer v k=/System/Library/Keychains/X509Anchors

Obviously replacing "root_certificate.cer" with your certificate filename.

The last line of output should read "...certificate successfully imported." If you get an error saying that the certificate is in the wrong format and needs to be in PEM format, then use the Microsoft Cert Manager to convert the certificate format by importing then exporting as PEM.

Ha - beat ya Microsoft! I'm a single guy that fixed this. You're a massive company with squillions of $$$ and hundreds if not thousands of people and you can't even fix this after 1 week! Why exactly should people buy or even use your crappy products for OUTRAGEOUS prices!?!?!!?

C'mon people, try get your boss / IT administrator etc. to switch to something else, preferably supporting an open standard file format - that way no-one will ever be tied down to using a particular vendors product.

Why did it break?

As it turns out, the X509Anchors file, as of Leopard, has been made obsolete - but not entirely... It can (and is) still read from, but cannot be written to - at least not with any GUI interface like Apple Keychain or Microsoft Cert Manager.

As Entourage looks at this X509Anchors file for the Root Certificate and not in the new SystemCA/RootCertificates.keychain files, of course it's not going to find it! This also explains why people that upgraded rather than fresh installed did not encounter this age old problem again.

So Microsoft, if you're still in the complete darkness and have no clue what i'm going on about, to fix this problem from your end, send out an update that makes Office for Mac look in the SystemCACertificates.keychain and SystemRootCertificates.keychain files for root certificates and don't remove the parsing of the X509Anchors file just yet either or you'll break it again! People need time to make the switch...

[zigginl]

Great post - thnx, but I'm trying to make this work with the 2008 (beta, I know) version... do you have any tips/suggestions there?

[GJSchaller]

Bah!

Apparently, Microsoft has declared Entourage 2004 as "no longer being updated," since 2008 is on the way - we may not see a fix for this short of moving to 2008. Hopefully, they fixed it for that version...

[snugharbor]

Actually Office 2008 Entourage has NOT fixed the SSL problem but now the work around does not work. Get this error:

the keychain you are accessing, X509Anchors, is no longer
used by Mac OS X as the system root certificate store.
Please read the security man page for information on the
add-trusted-cert command. New system root certificates should
be added to the Admin Trust Settings domain and to the
System keychain in /Library/Keychains.

[m4change]

Quote:

Originally Posted by nix.hanno

OK. After much frustration I finally have Entourage making an SSL connection to an Exchange server in Mac OS X Leopard after performing the OS installation from scratch.

All that is needed is your root certificate - no private key, no digital identity, no microsoft intermediate junk or any of that hullabaloo - just the root certificate only.

Now do the following:

1. Put the root certificate in your home folder.
2. Open a terminal.
3. Type the following:

sudo certtool i root_certificate.cer v k=/System/Library/Keychains/X509Anchors

Obviously replacing "root_certificate.cer" with your certificate filename.

The last line of output should read "...certificate successfully imported." If you get an error saying that the certificate is in the wrong format and needs to be in PEM format, then use the Microsoft Cert Manager to convert the certificate format by importing then exporting as PEM.

Ha - beat ya Microsoft! I'm a single guy that fixed this. You're a massive company with squillions of $$$ and hundreds if not thousands of people and you can't even fix this after 1 week! Why exactly should people buy or even use your crappy products for OUTRAGEOUS prices!?!?!!?

C'mon people, try get your boss / IT administrator etc. to switch to something else, preferably supporting an open standard file format - that way no-one will ever be tied down to using a particular vendors product.

Why did it break?

As it turns out, the X509Anchors file, as of Leopard, has been made obsolete - but not entirely... It can (and is) still read from, but cannot be written to - at least not with any GUI interface like Apple Keychain or Microsoft Cert Manager.

As Entourage looks at this X509Anchors file for the Root Certificate and not in the new SystemCA/RootCertificates.keychain files, of course it's not going to find it! This also explains why people that upgraded rather than fresh installed did not encounter this age old problem again.

So Microsoft, if you're still in the complete darkness and have no clue what i'm going on about, to fix this problem from your end, send out an update that makes Office for Mac look in the SystemCACertificates.keychain and SystemRootCertificates.keychain files for root certificates and don't remove the parsing of the X509Anchors file just yet either or you'll break it again! People need time to make the switch...

I'm using Entourage 2004 and this fix isn't working for me. Here's the error message I get:

The keychain you are accessing, X509Anchors, is no longer
used by Mac OS X as the system root certificate store.
Please read the security man page for information on the
add-trusted-cert command. New system root certificates should
be added to the Admin Trust Settings domain and to the
System keychain in /Library/Keychains.

Eerily similar to the error reported by the Office 2008 user.

Anyone have any ideas? Quite frustrating.

[paenguin]

same error i got.
anyone got a workaround on this?

[paenguin]

Quote:

Originally Posted by paenguin

same error i got.
anyone got a workaround on this?

i found this .
sure worked the certificate issue.

[jmcleveland]

In trying to learn how to fix the Entourage exchange server certificate issue, everyone keeps mentioning the users root certificate that you use to solve the problem with. Hey guys, where in the world is this certificate that you seem to think everyone else knows where to find it. I'm trying to fix this issue on a friends new MacBook that came loaded with Leopard. I personally run previous Tiger 10.4.11, which does not have any certificates I can find using KeyChain Access. Microsoft Cert Manager does show certificates, but only in the "Apple Trusted Root Certificate Authorities" no other show up on any of the other changes in the "Look for certificates of type:". My computer and my friends both use the same ISP (AT&T).

Any info on where to find the root certificate he needs from AT&T?

Thanks
John C.

[j0ebeer]

Quote:

Originally Posted by jmcleveland

In trying to learn how to fix the Entourage exchange server certificate issue, everyone keeps mentioning the users root certificate that you use to solve the problem with. Hey guys, where in the world is this certificate that you seem to think everyone else knows where to find it. I'm trying to fix this issue on a friends new MacBook that came loaded with Leopard. I personally run previous Tiger 10.4.11, which does not have any certificates I can find using KeyChain Access. Microsoft Cert Manager does show certificates, but only in the "Apple Trusted Root Certificate Authorities" no other show up on any of the other changes in the "Look for certificates of type:". My computer and my friends both use the same ISP (AT&T).

Any info on where to find the root certificate he needs from AT&T?

Thanks
John C.

I have the same concern/issue as John. Where do you get this certificate?

[pytter]

I have been tearing my hair out over this one and am equally miffed about how to get hold of the certificate, especially as I am using a hosted exchange account.

I am using Entourage 2008 on a MBP running 10.5.4

The problem arose when I migrated from my old iBook running 10.4

In desperation I dug around the Microsoft knowledge base and found a solution that has worked for me - it is very simple:

add "/exchange/user@mail.com" to the end of the exchange server details in the account set-up
Note: user@mail.com is a placeholder for your default SMTP address.

for the complete article from the knowledge base:
http://support.microsoft.com/kb/931350

What a relief!

[Lershac]

This issue has been bothering me for some time, and now I find the solution in just casual browsing when searching didnt work. My google-fu must be weak!

[Lershac]

Quote:

Originally Posted by j0ebeer

I have the same concern/issue as John. Where do you get this certificate?

If in firefox, when firefox complains about the root certificate, add an exception and keep going into the advanced or more dialog boxes, there is an option to view the certificate, and then there is an option to export it. That is how I got mine.

[buyvigrx]

Wow! Thank you! I always wanted to write in my site something like that. Can I take part of your post to my blog?