Entourage - Exchange SSL connection in Leopard now WORKING.

nix.hanno

macrumors newbie
Original poster
Nov 2, 2007
6
0
Oz
OK. After much frustration I finally have Entourage making an SSL connection to an Exchange server in Mac OS X Leopard after performing the OS installation from scratch.

All that is needed is your root certificate - no private key, no digital identity, no microsoft intermediate junk or any of that hullabaloo - just the root certificate only.

Now do the following:

1. Put the root certificate in your home folder.
2. Open a terminal.
3. Type the following:

sudo certtool i root_certificate.cer v k=/System/Library/Keychains/X509Anchors

Obviously replacing "root_certificate.cer" with your certificate filename.

The last line of output should read "...certificate successfully imported." If you get an error saying that the certificate is in the wrong format and needs to be in PEM format, then use the Microsoft Cert Manager to convert the certificate format by importing then exporting as PEM.

Ha - beat ya Microsoft! I'm a single guy that fixed this. You're a massive company with squillions of $$$ and hundreds if not thousands of people and you can't even fix this after 1 week! Why exactly should people buy or even use your crappy products for OUTRAGEOUS prices!?!?!!?

C'mon people, try get your boss / IT administrator etc. to switch to something else, preferably supporting an open standard file format - that way no-one will ever be tied down to using a particular vendors product.

Why did it break?

As it turns out, the X509Anchors file, as of Leopard, has been made obsolete - but not entirely... It can (and is) still read from, but cannot be written to - at least not with any GUI interface like Apple Keychain or Microsoft Cert Manager.

As Entourage looks at this X509Anchors file for the Root Certificate and not in the new SystemCA/RootCertificates.keychain files, of course it's not going to find it! This also explains why people that upgraded rather than fresh installed did not encounter this age old problem again.

So Microsoft, if you're still in the complete darkness and have no clue what i'm going on about, to fix this problem from your end, send out an update that makes Office for Mac look in the SystemCACertificates.keychain and SystemRootCertificates.keychain files for root certificates and don't remove the parsing of the X509Anchors file just yet either or you'll break it again! People need time to make the switch...
 

zigginl

macrumors newbie
Dec 24, 2007
1
0
Great post - thnx, but I'm trying to make this work with the 2008 (beta, I know) version... do you have any tips/suggestions there?
 
Comment

GJSchaller

macrumors newbie
Oct 18, 2007
21
1
White Plains, NY
Bah!

Apparently, Microsoft has declared Entourage 2004 as "no longer being updated," since 2008 is on the way - we may not see a fix for this short of moving to 2008. Hopefully, they fixed it for that version...
 
Comment

snugharbor

macrumors member
Oct 17, 2007
82
0
Actually Office 2008 Entourage has NOT fixed the SSL problem but now the work around does not work. Get this error:

the keychain you are accessing, X509Anchors, is no longer
used by Mac OS X as the system root certificate store.
Please read the security man page for information on the
add-trusted-cert command. New system root certificates should
be added to the Admin Trust Settings domain and to the
System keychain in /Library/Keychains.
 
Comment

m4change

macrumors newbie
Feb 16, 2008
3
0
entourge root fix: Not working w/ 2004 & 10.5.2 :(

OK. After much frustration I finally have Entourage making an SSL connection to an Exchange server in Mac OS X Leopard after performing the OS installation from scratch.

All that is needed is your root certificate - no private key, no digital identity, no microsoft intermediate junk or any of that hullabaloo - just the root certificate only.

Now do the following:

1. Put the root certificate in your home folder.
2. Open a terminal.
3. Type the following:

sudo certtool i root_certificate.cer v k=/System/Library/Keychains/X509Anchors

Obviously replacing "root_certificate.cer" with your certificate filename.

The last line of output should read "...certificate successfully imported." If you get an error saying that the certificate is in the wrong format and needs to be in PEM format, then use the Microsoft Cert Manager to convert the certificate format by importing then exporting as PEM.

Ha - beat ya Microsoft! I'm a single guy that fixed this. You're a massive company with squillions of $$$ and hundreds if not thousands of people and you can't even fix this after 1 week! Why exactly should people buy or even use your crappy products for OUTRAGEOUS prices!?!?!!?

C'mon people, try get your boss / IT administrator etc. to switch to something else, preferably supporting an open standard file format - that way no-one will ever be tied down to using a particular vendors product.

Why did it break?

As it turns out, the X509Anchors file, as of Leopard, has been made obsolete - but not entirely... It can (and is) still read from, but cannot be written to - at least not with any GUI interface like Apple Keychain or Microsoft Cert Manager.

As Entourage looks at this X509Anchors file for the Root Certificate and not in the new SystemCA/RootCertificates.keychain files, of course it's not going to find it! This also explains why people that upgraded rather than fresh installed did not encounter this age old problem again.

So Microsoft, if you're still in the complete darkness and have no clue what i'm going on about, to fix this problem from your end, send out an update that makes Office for Mac look in the SystemCACertificates.keychain and SystemRootCertificates.keychain files for root certificates and don't remove the parsing of the X509Anchors file just yet either or you'll break it again! People need time to make the switch...
I'm using Entourage 2004 and this fix isn't working for me. Here's the error message I get:

The keychain you are accessing, X509Anchors, is no longer
used by Mac OS X as the system root certificate store.
Please read the security man page for information on the
add-trusted-cert command. New system root certificates should
be added to the Admin Trust Settings domain and to the
System keychain in /Library/Keychains.

Eerily similar to the error reported by the Office 2008 user.

Anyone have any ideas? Quite frustrating.
 
Comment

jmcleveland

macrumors newbie
Mar 16, 2008
1
0
Cupertino, CA
where do you get the root certificate

In trying to learn how to fix the Entourage exchange server certificate issue, everyone keeps mentioning the users root certificate that you use to solve the problem with. Hey guys, where in the world is this certificate that you seem to think everyone else knows where to find it. I'm trying to fix this issue on a friends new MacBook that came loaded with Leopard. I personally run previous Tiger 10.4.11, which does not have any certificates I can find using KeyChain Access. Microsoft Cert Manager does show certificates, but only in the "Apple Trusted Root Certificate Authorities" no other show up on any of the other changes in the "Look for certificates of type:". My computer and my friends both use the same ISP (AT&T).

Any info on where to find the root certificate he needs from AT&T?

Thanks
John C.
 
Comment

j0ebeer

macrumors member
Mar 5, 2007
42
0
Ditto, where's the certificate?

In trying to learn how to fix the Entourage exchange server certificate issue, everyone keeps mentioning the users root certificate that you use to solve the problem with. Hey guys, where in the world is this certificate that you seem to think everyone else knows where to find it. I'm trying to fix this issue on a friends new MacBook that came loaded with Leopard. I personally run previous Tiger 10.4.11, which does not have any certificates I can find using KeyChain Access. Microsoft Cert Manager does show certificates, but only in the "Apple Trusted Root Certificate Authorities" no other show up on any of the other changes in the "Look for certificates of type:". My computer and my friends both use the same ISP (AT&T).

Any info on where to find the root certificate he needs from AT&T?

Thanks
John C.
I have the same concern/issue as John. Where do you get this certificate?
 
Comment

pytter

macrumors newbie
Sep 18, 2008
18
0
Different Solution

I have been tearing my hair out over this one and am equally miffed about how to get hold of the certificate, especially as I am using a hosted exchange account.:mad:

I am using Entourage 2008 on a MBP running 10.5.4

The problem arose when I migrated from my old iBook running 10.4

In desperation I dug around the Microsoft knowledge base and found a solution that has worked for me -:) it is very simple:

add "/exchange/user@mail.com" to the end of the exchange server details in the account set-up
Note: user@mail.com is a placeholder for your default SMTP address.

for the complete article from the knowledge base:
http://support.microsoft.com/kb/931350

What a relief!
 
Comment

Lershac

macrumors regular
Feb 21, 2008
247
28
Baton Rouge, LA USA
Thanks!

This issue has been bothering me for some time, and now I find the solution in just casual browsing when searching didnt work. My google-fu must be weak!
 
Comment

Lershac

macrumors regular
Feb 21, 2008
247
28
Baton Rouge, LA USA
I have the same concern/issue as John. Where do you get this certificate?
If in firefox, when firefox complains about the root certificate, add an exception and keep going into the advanced or more dialog boxes, there is an option to view the certificate, and then there is an option to export it. That is how I got mine.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.