This section describes how to configure the GroupWise 6.x and 5.5 enhancement pack client, GroupWise 6.x, Outlook 98, Outlook 2000, and Netscape Messenger to use Novell certificates for secure e-mail. This section also describes how to configure other cryptography-enabled applications to use Novell certificates.
Some of the information in this section is dated but useful. For the latest information on using certificates with your cryptography-enabled applications, refer to the application's documentation.
The general process for enabling applications for secure e-mail is:
Export your Organizational CA's self-signed certificate (see Exporting the Organizational CA's Self-Signed Certificate), your user certificate, and the matching private key to a .pfx file (see Exporting a User Certificate and Private Key).
Import the .pfx file into your e-mail client. See Section 4.9.1, Importing the User Certificate and Private Key into Your E-Mail Client.
Configure your e-mail client to secure your e-mail. See Section 4.9.2, Configuring Your E-Mail Client to Secure Your E-Mail.
Installing a user certificate and private key (a .pfx file) into Internet Explorer automatically makes it available for use by GroupWise and Microsoft Outlook. The reverse is also true. Installing the certificate and private key into either e-mail application automatically makes it available for use by the other e-mail application and by Internet Explorer.
Installing a user certificate and private key into Netscape automatically makes it available for use by Netscape Messenger. The reverse is also true.
Launch GroupWise.
Click > .
Double-click the icon.
Click .
Browse for and select or type the filename of your exported .pfx file.
Enter your password, then click .
Click if you want to change the default security level for your private key, then click .
To select a default certificate to use for sending signed e-mail, you can now either select the check box next to the certificate or select the certificate and click .
Click .

Launch Outlook.
Click > .
Click the tab.
Click .
Select the radio button.
For , type the filename and password of your exported .pfx file.
For , type a nickname. This can be any text.
Click to import the private key and certificate into Outlook 98.

This procedure applies to Outlook 2000 with Microsoft Internet Explorer version 5.
Launch Outlook.
Click > .
Click the tab.
Click .
Select the radio button.
For , type the filename and password of your exported .pfx file.
For , type a nickname. This can be any text.
If you are prompted to add the Organizational CA certificate to the Root Store, click .

Launch Netscape Messenger.
Click the icon.
Double-click the icon on the Navigation toolbar.
Click > .
Click . If you password-protected the Communicator Certificate database, enter the password.
Type or browse for and select the filename of the exported .pfx file.
Type the password you used to protect the .pfx file.
Click .

The following describes how to configure e-mail clients for secure e-mail.
You must have imported at least one certificate and private key (.pfx file) into GroupWise or Internet Explorer in order to make use of signed e-mail. You must also have a certificate available for each recipient that you want to send encrypted e-mail to.
Launch GroupWise.
Click > .
Click the tab.
Click the tab.
To enable signing as the default for all outgoing e-mail, select the check box next to . To enable encryption as the default for all outgoing e-mail, select the check box next to .
Click .
Double-click the icon.
Select the certificate that you want to use for signing, encryption, or both, then click the button.
If the certificate can be used for both signing and encryption, it is the default certificate used for both signing and encryption. If you have two certificates, one that can only be used for signing and one that can only be used for encryption, the former should be set as the default for signing and the latter as the default for encryption.
From an item view (send mail, post message, task, reminder note, etc.), you can change the default security options for this particular item by selecting > and clicking the tab. From here you can change the signing and encryption options.
From an item view (send mail, post message, task, reminder note, etc.), you can also toggle the selection of either signing or encryption for this particular item by clicking the or icons at the top of the view.

You must have imported at least one certificate and key into GroupWise in order to make use of signed e-mail. You must also have a certificate available for each recipient that you want to send encrypted e-mail to.
Launch GroupWise.
Click > .
Double-click the icon.
Click the tab.
To enable signing as the default for all outgoing e-mail, select the check box next to . You can then select a different certificate to use from the Certificate drop-down list below this option.
To enable encryption as the default for all outgoing e-mail, select the check box next to , then select the encryption method from the drop-down list below this option. The available encryption methods depend on the security service provider you have selected.
To select a different security service provider, select a provider from the drop-down list, then click .
From an item view (send mail, post message, task, reminder note, etc.), you can change the default security options for this particular item by selecting > and clicking the tab. From here you can change the signing and encryption options.
From an item view (send mail, post message, task, reminder note, etc.), you can also toggle the selection of either signing or encryption for this particular item by clicking the or icons at the top of the view.

Launch Outlook.
Click > .
Click the tab.
Click either or , depending on whether you have previously entered security settings.
Select for the .
Click the button on the line.
Select the certificate that you will use for digitally signing e-mail that you send to others, then click .
Click the button on the line.
Select the certificate that others will use for encrypting e-mail that they send to you, then click OK.
Select the check box, then click .
Select the combination of options you prefer in the section, then click .

Launch Netscape Messenger.
Click the icon.
Click the icon.
Click .
Select the certificate you will use for digitally signing your e-mail that you send to others under the heading.
You can select other options as desired on this page. Refer to the Netscape help topics for further information on these options and their purposes.
In order to accept signed e-mail from another person or to create an SSL connection to a server on the Internet with your browser, you must trust the CA that signed the user or server's certificates. If you do not, your application might present you with an error. Some applications provide a warning with the ability to accept or reject the user or server certificate whose CA isn't yet known to the application.
Server and user certificates signed by a company's Organizational CA always generate such warnings and errors. This is because the Organizational CA is not listed as a trusted CA in your application. The warnings and errors can be prevented by installing the self-signed certificate of the Organizational CA into your application.
Installing the Organizational CA into Internet Explorer automatically adds it as a trusted CA to Microsoft Outlook and GroupWise. Installing the Organizational CA certificate into Netscape automatically adds it as a trusted CA to Netscape Messenger.
To accept the Organizational CA as a trusted CA in your application, first export the Organizational CA's self-signed certificate as described in Exporting the Organizational CA's Self-Signed Certificate. Then import it into your browser according to the directions below.
NOTE: The following Internet browsers only recognize certificates that have been exported in .der or .crt format. Although .b64 is an optional export format, it is not recognized by these Internet browsers.
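The check below is an added example, not part of the original documentation: it tells whether an exported CA certificate file holds binary DER or base64 text before you try to import it, and recovers the DER bytes from a base64 export. It assumes the .b64 export is the base64 text of the same DER bytes, optionally wrapped in BEGIN/END CERTIFICATE lines; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

ARMOR = re.compile(rb"-----(BEGIN|END) CERTIFICATE-----")


def der_length_ok(data):
    """True if data is exactly one DER SEQUENCE (outer tag and length only)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def classify_export(data):
    """Return ('der', bytes) or ('b64', decoded_der_bytes); raise if neither."""
    if der_length_ok(data):
        return "der", data
    text = b"".join(ARMOR.sub(b"", data).split())   # drop armor and whitespace
    try:
        decoded = base64.b64decode(text, validate=True)
    except binascii.Error:
        raise ValueError("file is neither DER nor base64")
    if not der_length_ok(decoded):
        raise ValueError("base64 decodes, but not to a DER SEQUENCE")
    return "b64", decoded


# Constructed sample: an outer SEQUENCE header over filler bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_B64 = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

A result of 'b64' means the file must be re-exported in .der format, or the decoded bytes written out as a .der file, before these browsers will accept it.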
If you are using Microsoft Internet Explorer version 5, complete the following to import the Organizational CA's certificate:
Launch Microsoft Internet Explorer.
Click > .
Type or browse for and select the filename of the exported Organizational CA's self-signed certificate, then click .
This opens the Certificate dialog box.
Select .
This opens the Certificate Manager Import Wizard.
Click .
Select the area where you want to store the certificate, click , click , then click .

If you have installed either Microsoft Internet Explorer 5.x or NT 4 Service Pack 4 or later on your workstation, you must complete the following steps to import the Organizational CA's self-signed certificate into Netscape Navigator. This is necessary because the Microsoft products intercept opening trusted root files with a .crt or .der extension.
Run the x509.reg file to install the X.509 extension. On an NT\2000 server, this file is located in the drive_letter:novell\nds directory.
Rename the Organizational CA's self-signed certificate file with an X.509 extension.
Launch Netscape Navigator.
Click > .
Enter or browse for and select the filename of the self-signed certificate with the X.509 extension.
Click .
The New Certificate Authority dialog box should appear. If it doesn't, you have not correctly installed the .x509 extension, or you have not correctly renamed the self-signed certificate.
Follow the wizard. Make sure that the check box is selected.
Click until the dialog box to enter a short name for this Certificate Authority appears.
Click .

If you have not installed either Microsoft Internet Explorer 5.x or NT 4 Service Pack 4 or later, you must complete the following steps to import the Organizational CA's certificate into Netscape Navigator:
Launch Netscape Navigator.
Select > .
Enter or browse for and select the filename of the self-signed certificate you previously exported.
Click .
Follow the wizard. Make sure the check box is selected.
Click until the dialog box to enter a short name for this Certificate Authority appears.
Click .

To configure IE to use Novell certificates for SSL, you must first install your self-signed Organizational CA certificate in your IE browser, as described in Configuring Your Browser or E-Mail Client to Accept Certificates. Otherwise, any attempt to use IE to connect to a server that is using Novell certificates for SSL only displays an error.
This configuration is not strictly necessary for the Netscape browser, which will present a dialog box for you to accept or reject a server certificate whose CA isn't yet known to the browser.
To perform client authentication to IIS with Novell user certificates, your self-signed Organizational CA certificate must first be installed in IIS as a trusted root. Use Microsoft Internet Explorer (IE) version 4 or later to install your Organizational CA certificate on the IIS computer as described in the IIS online documentation.
However, the IISCA program described in the IIS documentation does not work on Windows NT with Service Pack 4 or later. In this case, when you use IE to install the certificate and the Certificate Manager Import Wizard has started, perform the following to complete the process correctly:
Select .
Click to open the dialog box.
Select the check box.
Expand and select .
Click > to open the summary page.
Verify that the summary displays and .
Click .
Stop and restart the IIS services after installing your Organizational CA certificate.
For further information, refer to Microsoft Knowledgebase articles Q218445 and Q216339.
When using the IIS management tools to create an SSL key pair and certificate signing request (CSR), select > .
Then edit the IIS CSR to delete all text that precedes the line:
----- BEGIN NEW CERTIFICATE REQUEST -----
This line must be the first line in the CSR input to the Novell Certificate Server. Refer to the IIS online documentation for further instructions on installing the resulting server certificate and configuring IIS for SSL.
You can then use your Organizational CA to issue a server certificate from the IIS CSR as described in Issuing a Public Key Certificate.
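The CSR edit described above can be scripted rather than done by hand. This is an added example, not part of the original documentation: it drops everything before the BEGIN line and checks that what remains decodes to a DER structure before it is submitted to the CA. The matching END NEW CERTIFICATE REQUEST line, the function name, and the sample preamble and request body are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Accepts the marker as printed on this page (with spaces) and the compact form.
BEGIN = re.compile(r"^-{5} ?BEGIN NEW CERTIFICATE REQUEST ?-{5}$")
END = re.compile(r"^-{5} ?END NEW CERTIFICATE REQUEST ?-{5}$")


def strip_csr_preamble(text):
    """Return the CSR starting at the BEGIN line, dropping all text before it."""
    lines = [ln.strip() for ln in text.splitlines()]
    starts = [i for i, ln in enumerate(lines) if BEGIN.match(ln)]
    if len(starts) != 1:
        raise ValueError("expected exactly one BEGIN line, found %d" % len(starts))
    begin = starts[0]
    ends = [i for i in range(begin + 1, len(lines)) if END.match(lines[i])]
    if not ends:
        raise ValueError("no END line after the BEGIN line")
    end = ends[0]
    body = "".join(lines[begin + 1:end])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("CSR body is not valid base64: %s" % exc)
    # A PKCS#10 request is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded CSR does not start with a DER SEQUENCE")
    return "\n".join(lines[begin:end + 1]) + "\n"


# Constructed sample: a made-up preamble and a tiny DER blob, not a real request.
_FAKE_DER = bytes([0x30, 0x0A, 0x02, 0x01, 0x00, 0x04, 0x05]) + b"dummy"
SAMPLE = (
    "Webmaster: admin@example.com\n"
    "Common-name: www.example.com\n"
    "\n"
    "----- BEGIN NEW CERTIFICATE REQUEST -----\n"
    + base64.b64encode(_FAKE_DER).decode("ascii") + "\n"
    "----- END NEW CERTIFICATE REQUEST -----\n"
)
```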