Outlook users getting certificate warning

[GaryC]

All of my outlook users are getting a server certificate warning.
We have a mix of outlook clients that include outlook 2002, 2003, and 2007.
We are not using the outlook connector but are accessing the Zimbra mail server via pop3 with ssl for incoming on port 995. When the users open outlook they are getting this warning

"The server you are connecting to is using a security certificate that could not be verified. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Do you wish to continue using this server? Yes No"

I have added the server to the trusted sites in the Internet Options (Intranet) but did not solve. I have been reading a lot of stuff from the web but it all has to do with Exchange and Outlook. The certificate has not expired and was created from the SUSE/Zimbra mail server in our local domain. Can someone please help me figure out how to stop this pop up. It is not causing any problems with users receiving their mail as long as they click yes. It is just an annoyance.

This was not a problem for our Thunderbird users, we just select accept always and it went away. I wish all my users would use Thunderbird.

[y@w]

Outlook is displaying that because your certificate is probably self-signed. You can either install a commercial certificate or here's an example of how to force Windows to accept the certificate: Microsoft Supportability e-Newsletter : Self-Signed Certificate issue when connecting to the exchange server

[GaryC]

The MS site that you point to may work if you are running Vista and using outlook for web clients. We are using XP pro and regular outlook clients and do not have the option to download and automatically install the self signed certificate. My question still stands how do I get this done.

What ca file do I need to bring from the Zimbra server to the XP client or cell phone and how to I install it?

[penbrock]

I have the same issue, was the fix ever found?

[GaryC]

The only solution that we have found is to purchase a certificate from a known authority. Outlook will not accept self signed certificates. Neither will Smart phones/Blackberry's.

If you find a way around this please let me know.

GaryC

[YetiRick]

I know this is too late to help any of the old posters, but it may help other with the same question...

Assuming the Zimbra devs don't move the file, the command:

openssl x509 -in /opt/zimbra/ssl/zimbra/ca/ca.pem -outform DER -out ca.der

will generate the CA root certificate you need in order for Windows to import it properly. You can then copy the resulting ca.der file to your Windows box and double-click it (or import it using the wizard.) It will install into the "Trusted Root Certification Authorities" section of your certificates window. Outlook and HTTPS webmail will no longer generate those annoying errors.

Please keep in mind that if the Zimbra CA is pre-generated and not generated at the time of installation, this will open you up to misidentified sites that sign their own certs with the same CA. I don't know if this is the case or not, but would recommend building your own CA if you're unsure.

[SOLVED] Rolling Your Own CA and Installing Certificates in Zimbra

will get that done for you. And you won't have to guess at which ca.pem file to use.