Create Signed SSL Certificates - VisNetic and IceWarp Mail Server

Article Details
URL: https://support.deerfield.net/support/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=477
Article ID: 477
Created On: Oct 05, 2005 04:33 PM

This article applies to VisNetic Mail Server and IceWarp Mail Server.

Installing a certificate signed by a trusted certificate authority (CA), such as GoDaddy, VeriSign or DigiCert, eliminates the warning message caused by the certificate included with VisNetic MailServer. The included certificate does not match your domain and is not trusted by any CA. Choosing a CA requires a little research on your part. Once you have found an authority you want to do business with, follow the steps in this article to request the certificate and install it into VisNetic MailServer.

We provide a tool that creates a certificate signing request (CSR). Once the request is created, you send it to the CA for signing.

This tool can be downloaded from here:

ssl_signed_cert.zip

Extract the contents of the downloaded ZIP file to a temporary location and perform the following steps (also described in the included readme.htm file).

Requesting a certificate from a CA:



Note: This process creates a new cert.pem file. It contains your private key and is used again once you receive your signed certificate. Protect it accordingly and keep a copy: without this private key the signed certificate cannot be used and you would have to start over.

Send the file certificate_request.csr to the CA (e.g. VeriSign or Thawte): open it with any text editor, copy the certificate request and paste it into the CA's request certificate field.

Note: If you use VeriSign, select "Server not listed" in the Server type field. Selecting "Server not listed" creates a certificate that does not include an intermediate certificate. Avoiding an intermediate certificate means fewer steps are required to install the final certificate into VisNetic MailServer; intermediate certificates can still be used, see the additional steps below.

Once you receive the signed certificate from the CA, follow these steps.

Creating the final cert.pem file:

Save the file from your CA to the directory of this utility (or copy the certificate text from the CA's email into a new text file there) and run this command from a DOS prompt:

copy cert.pem + cert_file_from_ca.cert cert.pem

Move or copy the final cert.pem file to the VisNetic MailServer\config\ directory.

Stop and restart all VisNetic MailServer services so that the new cert.pem file is loaded.

Note: Opening the final cert.pem file in a text editor shows the private key in the top half, followed by the BEGIN and END markers of the certificate. The private key and the certificate should be of very similar size; this usually indicates that you have the correct certificate. If the certificate is significantly larger than the private key, you probably have a certificate that contains the intermediate certificate. In that case, either contact your CA and request a certificate that does not contain the intermediate certificate, or follow the steps below to export the intermediate certificate.

Export Intermediate Certificate for use in VisNetic MailServer's final cert.pem:

From any computer, usually the VisNetic MailServer computer:

1. Go to Start - Run and type mmc (without quotes).
2. Select File, Add/Remove snap-in, press Add, select Certificates and press Add again.
3. Select Computer account, press Next, select Local computer and press Finish.
4. Close the Add snap-in window and press OK in the snap-in window to display the Certificates snap-in.
5. Import the certificate you received from your CA.
6. After the import, select the intermediate certificate and export it to pkcs12 format. You can do the same for the CA certificate.

Copy the certificate(s) to a location easily accessible to the OpenSSL converter and convert them to PEM format with the following command:

openssl pkcs12 -in infile -out temp_cert.pem -nodes

Note: infile is the path of your exported pkcs12 file. The -nodes option writes any private key contained in the file unencrypted; an exported intermediate or CA certificate contains no private key, so the output is just the certificate.

Copy the contents of temp_cert.pem (open it with a text editor, select all, copy). Open the final cert.pem file and paste at the bottom, making sure you do not change or remove the other parts of the file. Save cert.pem to the VisNetic MailServer \config\ folder and restart the services. The final cert.pem file should now have three sections: the private key, your signed certificate and the intermediate certificate, for example:

-----BEGIN RSA PRIVATE KEY-----
[lines of text]
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
[lines of text]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[lines of text]
-----END CERTIFICATE-----
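The following Python script is an added example, not part of the original article or of the Deerfield utility. It assembles a cert.pem the same way the copy command and the paste step above do (private key first, then the signed certificate, then the intermediate), and then applies the checks this article describes to the result: exactly one private key at the top, one or two CERTIFICATE sections, each body still valid base64 (a sign nothing was damaged while editing), and the article's rule of thumb that a certificate much larger than the private key probably carries the intermediate certificate. The PEM bodies are constructed placeholders, not real keys or certificates; the function names and the 1.5 size ratio are this example's own choices.

```python
import base64
import re

# One PEM block; the backreference forces the BEGIN and END labels to match.
# \r?\n tolerates the CRLF line endings produced on Windows.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def parse_pem_blocks(text):
    """Return [(label, body)] for every PEM block in file order.
    body is the base64 payload with all line breaks removed."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        body = "".join(m.group(2).split())
        blocks.append((m.group(1), body))
    return blocks


def build_cert_pem(private_key_pem, *certificate_pems):
    """Concatenate the key file and certificate files in the order the article
    produces them: 'copy cert.pem + cert_file_from_ca.cert cert.pem', then the
    intermediate certificate pasted at the bottom."""
    parts = [private_key_pem.strip()] + [c.strip() for c in certificate_pems]
    return "\n".join(parts) + "\n"


def check_cert_pem(text, max_ratio=1.5):
    """Check the layout the article describes for the final cert.pem.
    max_ratio (this example's assumption) encodes the article's rule of thumb:
    a server certificate much larger than the private key probably includes
    the intermediate certificate. Returns (ok, labels, problems)."""
    blocks = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    problems = []

    for label, body in blocks:
        try:
            base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"{label} block is not valid base64 (edited or truncated?)")

    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]

    if not blocks:
        problems.append("no PEM blocks found")
    elif not labels[0].endswith("PRIVATE KEY"):
        problems.append("the private key must be the first section of cert.pem")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if not 1 <= len(certs) <= 2:
        problems.append(f"expected one or two certificates, found {len(certs)}")
    if keys and certs and len(certs[0]) > max_ratio * len(keys[0]):
        problems.append("server certificate is much larger than the private key; "
                        "it may include the intermediate certificate")
    return (not problems, labels, problems)


def _constructed_pem(label, payload):
    """Constructed sample block: base64 of placeholder bytes wrapped at 64
    columns. Not a real key or certificate, only the PEM framing is realistic."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample inputs: key and server certificate of similar size, an
# intermediate, and an oversized certificate that trips the size heuristic.
SAMPLE_KEY = _constructed_pem("RSA PRIVATE KEY", b"constructed private key bytes " * 40)
SAMPLE_CERT = _constructed_pem("CERTIFICATE", b"constructed server certificate " * 40)
SAMPLE_INTERMEDIATE = _constructed_pem("CERTIFICATE", b"constructed intermediate ca cert " * 40)
SAMPLE_BUNDLED_CERT = _constructed_pem("CERTIFICATE", b"constructed oversized certificate " * 120)


def main():
    final_pem = build_cert_pem(SAMPLE_KEY, SAMPLE_CERT, SAMPLE_INTERMEDIATE)
    ok, labels, problems = check_cert_pem(final_pem)
    print("sections:", labels)
    print("ok" if ok else "problems: " + "; ".join(problems))

    ok, _, problems = check_cert_pem(build_cert_pem(SAMPLE_KEY, SAMPLE_BUNDLED_CERT))
    print("ok" if ok else "problems: " + "; ".join(problems))


if __name__ == "__main__":
    main()
```

To check a real file, read it with `open("cert.pem").read()` and pass the text to `check_cert_pem`. The script only inspects the PEM framing and base64 payload; it does not parse the certificate itself, so it cannot tell you whether the certificate matches your private key or domain. The openssl tool already used in this article can do that.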

How to handle multiple domains

Are you using SSL for more than one domain?

Are you planning to have each domain use its own domain name for access to its webmail?

If you answered yes to either question, you need a separate certificate for each domain, and each domain must be bound to a different IP address on the mail server computer (the server selects the certificate to present by the IP address the connection arrives on). Give each certificate file a unique name, save the files to the \config\ folder, and assign each file (for example domain1_cert.pem) to its domain under System - Certificates - Server Certificates - Add.

To summarize, you have two options with multiple domains.

1. Use the same certificate for all domains, and everyone uses your_domain.com for SSL login to Webmail, POP3, IMAP, etc. A single cert.pem is located in the \config\ folder.

2. Purchase a signed certificate for each domain. Each domain is bound to a unique IP address and has its own certificate file (domain1_cert.pem), and each IP address and certificate is assigned to its domain under System - Certificates - Server Certificates - Add. For example:

domain1.com = 192.168.0.1 = ..\config\domain1_cert.pem
domain2.com = 192.168.0.2 = ..\config\domain2_cert.pem
domain3.com = 192.168.0.3 = ..\config\domain3_cert.pem