Where do I get the special Xojo certificate file for SSL?

Greetings,

The docs for the SMTPSecureSocket indicate I need a special certificate file containing both a private key and a certificate.

Where do I get one of these from?

Regards,
Tony Barry
Sydney

From the guys running your mail server?

And normally you only use the chain of certificates for the certificate your server uses.

This way I make sure my client only accepts certificates from my root certificate and not some fake one.

Thank you Christian. I may need to explain more.

I already have a certificate which lives in my Xojo Cloud account, and which lets me run https to the domain in question.

But there seems to be another certificate required (?) which will live (somewhere ?) perhaps in the cert folder, perhaps with the web app I am developing. This cert contains a private key as well as a certificate.

It makes me very uneasy having a private key living on the web. That seems to me to be just asking for trouble. But I am sure that somewhere, there is an explanation for this; a description of the structure, and a method statement to make it all make sense.

If I understand it correctly, and I may not, the private key is provided by the CA who operates the email server I wish to communicate with securely. With that key I can collect and send email using smtps.

The certificate and private key are used to confirm the public key the email server sends me.

Now where should these items live, and how should I acquire them? Christian suggests I should ask the hosting provider for the email service.

I shall advise on how I go with this request. I suspect I won’t get anywhere, the tech support guys will think I want an SSL certificate but I am pretty sure that does not look like what I want. If I am wrong, please let me know.

Regards,
Tony Barry
Sydney

Well, I send myself with my CURL plugin like in this example:
http://www.monkeybreadsoftware.net/example-curl-sendemail-olderexamples-curlssendemailwithssl.shtml

But I use

curl.OptionPort = c.Port
curl.OptionSSLVerifyHost = 2
curl.OptionSSLVerifyPeer = 1
curl.OptionCAInfo = c.CertificateFile.NativePath
curl.OptionUseSSL = curl.kFTPSSL_ALL
curl.OptionSSLVersion = curl.kSSLVersionTLSv12

where the certificate file contains the root certificate, the middle certificate and my email server certificate. No private key required.

Hi Christian,

I really appreciate your comments.

Could you look at the cert you reference with c.CertificateFile.NativePath and confirm that it has the same structure as this post references:

https://forum.xojo.com/24426-adding-ssl-on-standalone-mac-webapp/0#p203488

which is:

-----BEGIN CERTIFICATE-----
MIICuzCCAiQCCQD+1X0TfzZ2qDANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMC
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDwYlw8zNP876/zHiGgCKTPvBAaEup41p67q7S8NoLSUnbkcnix
-----END RSA PRIVATE KEY-----

For obvious reasons the above is not a complete .crt but it should make clear how it should look.

The cert folder on my Xojo Cloud account contains four files, being
intermediate.crt
server.crt
server.csr
server.key

Regards,
Tony Barry
Sydney

For me it is:

-----BEGIN CERTIFICATE-----
MIIEzzCCA7egAwIBAgISESEMuRFKRArF+nfLl65xeHWEMA0GCSqGSIb3DQEBCwUA

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIETTCCAzWgAwIBAgILBAAAAAABRE7wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG

-----END CERTIFICATE-----

just the certificates in use.

You only need a private key when using a client side certificate, but I don’t use that.

If you are using SMTP as a client, you absolutely should not have the server’s private key. That doesn’t make any sense.

SMTPSecureSocket does not do server verification or validation. You can use a self-signed certificate on the server, and the client will connect fine. Though a “proper” client will complain about that.

But in client mode, none of this matters unfortunately. The connection is encrypted, but nothing more.
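Christian's curl options and Thom's point about verification, worked through as an added example (not code from the thread or from Xojo): a small inspector that confirms a PEM file holds only certificates and no private key, plus a strict client TLS context for SMTPS. The PEM bodies are constructed placeholders; `send_over_smtps` and its parameters are hypothetical.

```python
import re
import ssl
import smtplib

# Constructed sample of what a CA bundle for an SMTP *client* should look like:
# certificate blocks only (server, intermediate, root), no private key.
CLIENT_CA_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIEzzCCA7egAwIBAgISESEMuRFKRArF+nfLl65xeHWEMA0GCSqGSIb3DQEBCwUA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIETTCCAzWgAwIBAgILBAAAAAABRE7wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG
-----END CERTIFICATE-----
"""

# Constructed sample of a *server-side* file (cert + key); a client must not hold this.
SERVER_PEM = """\
-----BEGIN CERTIFICATE-----
MIICuzCCAiQCCQD+1X0TfzZ2qDANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDwYlw8zNP876/zHiGgCKTPvBAaEup41p67q7S8NoLSUnbkcnix
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def inspect_pem(text):
    """Return (certificate_count, has_private_key) for the contents of a PEM file."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    certs = sum(1 for label in labels if label == "CERTIFICATE")
    has_key = any("PRIVATE KEY" in label for label in labels)
    return certs, has_key


def client_tls_context(ca_bundle_path=None):
    """Strict client context: chain must validate against the bundle and the name must
    match, the same intent as OptionSSLVerifyPeer = 1 / OptionSSLVerifyHost = 2 above."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # matches kSSLVersionTLSv12
    return ctx


def send_over_smtps(host, port, ca_bundle_path, user, password, msg):
    """Hypothetical helper: implicit-TLS SMTP using only the CA bundle, never a key."""
    with smtplib.SMTP_SSL(host, port, context=client_tls_context(ca_bundle_path)) as s:
        s.login(user, password)
        s.send_message(msg)
```

Run `inspect_pem` over the file you intend to hand to the client: if it reports a private key, that file belongs on the server, not in the app.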

A big thank you to Christian and Thom. Your efforts are greatly appreciated. My email server provider has died since last night, and I must wait some more time to find out the answers. But thank you for your efforts.

Regards,
Tony Barry
Sydney