Chapter 16 Server's Certificates

Table of Contents

16.1 Kerio MailServer Certificate
16.2 Install certificates on client stations

The principle behind secure services in Kerio MailServer (services encrypted by SSL — e.g. HTTPS, IMAPS, POP3S, etc.) is that all communication between the client and the server is encrypted to protect it from eavesdropping and to prevent misuse of the transmitted information. The SSL protocol used for this purpose first uses an asymmetric cipher to exchange a symmetric key; the symmetric key then encrypts the actual traffic.

The asymmetric cipher uses two keys: a public one for encrypting and a private one for decrypting. As their names suggest, the public (encrypting) key is available to anyone wishing to establish a connection with the server, whereas the private (decrypting) key is available only to the server and must remain secret. The client, however, also needs to be able to identify the server (to find out whether it is truly the intended server and not an impostor). For this purpose there is a certificate, which contains the server's public key, the server name, the expiration date and other details. To ensure the authenticity of the certificate, it must be certified and signed by a trusted third party, the certification authority.

Communication between the client and server then follows this scheme: the client generates a symmetric key and encrypts it with the server's public key (obtained from the server certificate). The server decrypts it with its private key (held solely by the server). This method ensures that the symmetric key is known only to the server and the client, because nobody else can decrypt what was encrypted with the public key.

Note: To secure Kerio MailServer as much as possible, allow only SSL-secured traffic. This can be set either by stopping all unencrypted services (see chapter 6 Services) or by setting an appropriate security policy (refer to chapter 12.6 Advanced Options). Once the server is configured, the server's certificate (even a self-signed one) must be installed on the client stations of all users who use Kerio MailServer's services, so that their clients can verify the server's identity.
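As an added example (not part of the Kerio MailServer manual and not Kerio's own tooling), the following POSIX shell script uses the openssl command line to create the kind of self-signed server certificate the note refers to, run the checks a client performs before trusting it (validity period, trusted signature, host name match), and carry out the key-exchange step described above (client encrypts a fresh symmetric key with the server's public key, server recovers it with the private key). The host name mail.example.com, the working directory and the file names are assumed values, not anything the manual specifies.

```shell
#!/bin/sh
# Added example, not from the Kerio MailServer manual. Requires the openssl CLI.
set -eu

# Minimal OpenSSL request config. The subjectAltName matters: modern clients
# match the host name against the SAN, not the CN. ($1 = file, $2 = host name)
write_req_config() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_srv

[dn]
CN = $2

[v3_srv]
subjectAltName = DNS:$2
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Create the RSA private key (stays on the server, mode 600) and a self-signed
# certificate carrying the matching public key. ($1 = dir, $2 = host name)
make_cert() {
    dir=$1; host=$2
    write_req_config "$dir/req.cnf" "$host"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/req.cnf" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# The checks a client makes before trusting the certificate. For a self-signed
# certificate the trust anchor is the certificate itself, which is why it has
# to be installed on every client station. Returns non-zero on any failure.
check_cert() {
    dir=$1; host=$2
    if ! openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired"; return 1
    fi
    if ! openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1; then
        echo "signature does not chain to a trusted certificate"; return 1
    fi
    if ! openssl x509 -in "$dir/server.crt" -noout -text | grep -qE "DNS:$host"'(,|$)'; then
        echo "certificate was not issued for $host"; return 1
    fi
    return 0
}

# Key exchange as described in the text: the client draws a random 256-bit
# symmetric key, encrypts it with the public key taken from the certificate,
# and only the holder of the private key can recover it. ($1 = dir)
key_transport() {
    dir=$1
    openssl x509 -in "$dir/server.crt" -noout -pubkey > "$dir/server.pub"   # client: extract public key
    openssl rand -out "$dir/session.key" 32                                 # client: fresh symmetric key
    openssl pkeyutl -encrypt -pubin -inkey "$dir/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/session.key" -out "$dir/session.enc"                      # client: encrypt with public key
    openssl pkeyutl -decrypt -inkey "$dir/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/session.enc" -out "$dir/session.dec"                      # server: decrypt with private key
    cmp -s "$dir/session.key" "$dir/session.dec"                            # both sides now hold the same key
}

HOST="mail.example.com"            # assumed host name; use the real server name
WORK=$(mktemp -d)                  # assumed working directory
make_cert "$WORK" "$HOST"
check_cert "$WORK" "$HOST" && echo "certificate accepted for $HOST"
key_transport "$WORK" && echo "symmetric key exchanged; files left in $WORK"
```

The verification step passes here only because the self-signed certificate is handed to openssl verify as the trust anchor (-CAfile); for a certificate signed by a certification authority, point -CAfile at the CA's certificate instead and the client stations need only trust that CA. The final step shows RSA key transport, which is what the text describes; current TLS versions usually negotiate the symmetric key with an ephemeral Diffie-Hellman exchange instead and use the certificate's key only to authenticate the server.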