16.1  Kerio MailServer Certificate

To see how these principles work in practice, look at Secure HTTP: web browsers can display certificate information, whereas other services do not reveal it.

When Kerio MailServer (version 6.0 and above) is started for the first time, it automatically generates a self-signed certificate. It is saved as the server.crt file in the sslcert folder where Kerio MailServer is installed. The second file in this directory, server.key, contains the server's private key.

If you attempt to access the Secure HTTP service immediately after installing Kerio MailServer, a security warning will be displayed with the following information (the exact wording depends on your browser, the name of the computer, etc.):

Figure 16.1. Security Alert


There are now two options: keep the self-signed certificate that Kerio MailServer generated during installation, or obtain a certificate signed by a certification authority. Both types of certificate can be installed on client stations. In both cases, the certificate must be maintained in Kerio MailServer's Configuration → SSL certificates section (see figure 16.2, SSL Certificates).

Figure 16.2. SSL Certificates


In SSL certificates, you can create certificates, generate certificate requests for certification authorities, and export certificates. Here is an overview of all options:

New...

Click on New to specify information about your server and your company. When confirmed, the server.crt and server.key files are created under sslcert.

The certificate you create is issued to your company by your company (a self-signed certificate). This certificate ensures security for your clients because it explicitly shows the identity of your server. The clients' web browsers will warn them that the certification authority is not trusted. However, since they know who created the certificate and for what purpose, they can install it. Secure communication is then ensured and no warning is displayed again, because your certificate has all it needs.

If you wish to obtain a “full” certificate, you must contact a public certification authority (e.g. Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). The certification process is quite complex and requires a certain expertise. Kerio MailServer can generate a certificate request that can be exported to a file and delivered to a certification authority.

Attention: A new certificate is used the next time Kerio MailServer Engine is started. If you wish to use it immediately, stop the Engine and then start it again.

The New button can be used to create a new certificate (the New certificate option) or to request a new certificate (New certificate request). You will be asked to specify entries in the Generate Certificate dialog. The Hostname and Country entries are required fields.

Figure 16.3. Certificate Creation


  • Hostname — name of the host on which Kerio MailServer is running.

  • Organization Name — name of your organization.

  • Organization Unit — will be used only if the organization consists of more than one unit.

  • City — city where the organization's office is located.

  • State or Province — state or province where your organization has its office(s).

  • Country — this entry is required.

View Certificate

Select a certificate and click on the View Certificate button to get details about the selection.

Import...

Use this button to import a new certificate, regardless of whether it is certified by a certification authority or not.

Export...

Use this button to export an active certificate, a certification request or a private key. Using this option you can send an exported certificate request to a certification authority.

Remove

Using this button you can remove a selection (a certificate or a certification request).

Set as active

Use this button to set the selected certificate as active.

Intermediate certificates

Kerio MailServer supports authentication by so-called “intermediate” certificates. For authentication by these certificates to work, the intermediate certificate must be added to Kerio MailServer by one of the following methods:

Locally

Add the “intermediate” certificate file to the /sslca directory and copy the server's certificate together with its private key to the /sslcert directory. Both directories are located in the directory where Kerio MailServer is installed.

Remotely via the Kerio Administration Console

Remote import can be performed as follows:

  1. Open the server's certificate and the “intermediate” certificate in any text editor.

  2. In the “intermediate” certificate, select the certificate's string and copy it into the server certificate file after the server certificate's own string. The certificate file should then look like this:

    -----BEGIN CERTIFICATE-----
    MIIDOjCCAqOgAwIBAgIDPmR/MA0GCSqGSIb3DQEBBAUAMFMxCzAJBgNVBAYTAl
    MSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMR0wGwYDVQ
         ..... this is a server SSL certificate ...
    ukrkDt4cgQxE6JSEprDiP+nShuh9uk4aUCKMg/g3VgEMulkROzFl6zinDg5grz
    QspOQTEYoqrc3H4Bwt8=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDMzCCApygAwIBAgIEMAAAATANBgkqhkiG9w0BAQUFADCBxDELMAkGA1UEBh
    WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR
         ..... this is an intermediate SSL certificate which 
               signed the server certificate...
    5BjLqgQRk82bFi1uoG9bNm+E6o3tiUEDywrgrVX60CjbW1+y0CdMaq7dlpszRB
    t14EmBxKYw==
    -----END CERTIFICATE-----
    
  3. Save the certificate.

  4. Open the Kerio Administration Console and go to the section referring to SSL certificates.

  5. Import the server's certificate by using the Import → Import new certificate option.
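As an added example (not Kerio's own code), the following Python script assembles the combined certificate file from step 2: the server certificate first, followed by the intermediate certificate, while rejecting a private-key block pasted in by mistake. The file contents are constructed placeholders, not real certificates.

```python
import base64
import re

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem_blocks(text):
    """Return a list of (label, base64_body) tuples found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def validate_certificate(label, body):
    """Reject anything that is not a decodable X.509 certificate block."""
    if label != "CERTIFICATE":
        # e.g. a PRIVATE KEY block: it must never travel with the certificate file
        raise ValueError("unexpected %s block in certificate file" % label)
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:  # a DER-encoded Certificate starts with SEQUENCE
        raise ValueError("body does not decode to a DER certificate")
    return der


def build_chain(server_pem, *intermediate_pems):
    """Server certificate first, then intermediates, as step 2 above requires."""
    blocks = split_pem_blocks(server_pem)
    if len(blocks) != 1:
        raise ValueError("server file must contain exactly one certificate")
    chain = list(blocks)
    for pem in intermediate_pems:
        found = split_pem_blocks(pem)
        if not found:
            raise ValueError("no PEM block found in intermediate file")
        chain.extend(found)
    for label, body in chain:
        validate_certificate(label, body)
    return "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % body for _, body in chain)


# Constructed sample data (NOT real certificates): a SEQUENCE tag plus a label,
# base64-encoded so that the sanity checks above pass.
def _fake_cert(tag):
    b64 = base64.b64encode(b"\x30\x82" + tag.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


SERVER_CRT = _fake_cert("server-certificate-sample")
INTERMEDIATE_CRT = _fake_cert("intermediate-certificate-sample")
SERVER_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_chain(SERVER_CRT, INTERMEDIATE_CRT))
```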