To find out how these principles work in practice, look at Secure HTTP. Web browsers can display certificate information, as opposed to other services, where such information will not be revealed.
When Kerio MailServer (version 6.0 and above) is run for the first time, it generates the self-signed certificate automatically. It is saved in the server.crt file in the sslcert folder where Kerio MailServer is installed. The second file in this directory, server.key, contains the server's private key.
If you attempt to access the Secure HTTP service immediately after installing Kerio MailServer, a security warning will be displayed with the following information (depending on your browser, the name of the computer, etc.):
The certificate was not issued by a company defined as trustworthy in your configuration. This is caused by the fact that the certificate is self-signed. This warning will not be displayed if you install the certificate (you can do this because you know the certificate's origin).
The certificate date is valid (the certificate is valid for a certain limited period, usually 1-2 years).
The name of the certificate does not correspond with the name of the server. The certificate is issued for a certain server name (e.g. mail.company.com), which you must also use in the client (this certificate has been issued for a fictitious name keriomail).
Now, there are two options. One is to keep in Kerio MailServer the self-signed certificate generated during the mailserver's installation; the other is to get a certificate authorized by a certification authority. Both types of certificates can be installed on client stations. In both cases, the certificate must be maintained in the SSL Certificates section of Kerio MailServer (see figure 16.2 SSL Certificates).
In SSL Certificates, it is possible to create certificates, generate certificate requests for certification authorities, and export certificates. Here is an overview of all options:
Click on the button; the server.crt and server.key files are then created under sslcert.
The certificate you create will be original and will be issued to your company by your company (self-signed certificate). This certificate ensures security for your clients as it explicitly shows the identity of your server. The clients will be notified by their web browsers that the certification authority is not trustworthy. However, since they know who created the certificate and for what purpose, they can install it. Secure communication is then ensured for them and no warning will be displayed again because your certificate has all it needs.
If you wish to obtain a “full” certificate you must contact a public certification authority (e.g. Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). The process of certification is quite complex and requires a certain expertise. Kerio MailServer can generate a certificate request that can be exported, and the file can then be delivered to a certification authority.
Attention: A new certificate will be used the next time Kerio MailServer Engine is started. If you wish to use it immediately, stop the Engine and then start it again.
The New certificate button can be used to create a new certificate (the New certificate option) or to request a new certificate (New certificate request). You will be asked to specify entries in the Generate Certificate dialog. The Hostname and Country entries are required fields.
Hostname — name of the host on which Kerio MailServer is running.
Organization Name — name of your organization.
Organization Unit — will be used only if the organization consists of more than one unit.
City — city where the organization's office is located.
State or Province — state or province where your organization has its office(s).
Country — this entry is required.
Select a certificate and click on the button to get details about the selection.
Use this button to import a new certificate, regardless of whether it has been certified by a certification authority or not.
Use this button to export an active certificate, a certification request or a private key. Using this option you can send an exported certificate request to a certification authority.
Using this button you can remove a selection (a certificate or a certification request).
Use this button to set the selected certificate as active.
Kerio MailServer allows authentication by a so-called “intermediate” certificate. To make authentication by these certificates work, the certificates must be added to Kerio MailServer using one of the following methods:
Add the “intermediate” certificate file to the /sslca directory and copy the server's certificate with the private key to the /sslcert directory. Both directories can be found in the directory where Kerio MailServer is installed.
Remote import can be performed as follows:
Open the server's certificate and the “intermediate” certificate in any text editor.
In the “intermediate” certificate, select the certificate's string and copy it into the server certificate file, appended after the server certificate's own string. The certificate file should then look as follows:
-----BEGIN CERTIFICATE-----
MIIDOjCCAqOgAwIBAgIDPmR/MA0GCSqGSIb3DQEBBAUAMFMxCzAJBgNVBAYTAl
MSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMR0wGwYDVQ
..... this is a server SSL certificate ...
ukrkDt4cgQxE6JSEprDiP+nShuh9uk4aUCKMg/g3VgEMulkROzFl6zinDg5grz
QspOQTEYoqrc3H4Bwt8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDMzCCApygAwIBAgIEMAAAATANBgkqhkiG9w0BAQUFADCBxDELMAkGA1UEBh
WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR
..... this is an intermediate SSL certificate which signed the server certificate...
5BjLqgQRk82bFi1uoG9bNm+E6o3tiUEDywrgrVX60CjbW1+y0CdMaq7dlpszRB
t14EmBxKYw==
-----END CERTIFICATE-----
Save the certificate.
Open the Kerio Administration Console and go to the section referring to SSL certificates.
Import the server's certificate by using the option.
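As an added example (not from the Kerio manual), the following Python checks that a combined certificate file is assembled in the order described above: the server certificate first, followed by the intermediate that issued it. It reads only the issuer and subject fields from each DER block; the sample certificates are constructed, unsigned skeletons with the real field layout, so the check concerns file layout, not signature validity.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    # Read one DER tag/length at pos; return (tag, value_start, value_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name bytes."""
    _, p, _ = _tlv(der, 0)                               # Certificate ::= SEQUENCE
    _, p, _ = _tlv(der, p)                               # tbsCertificate ::= SEQUENCE
    tag, _, nxt = _tlv(der, p)
    if tag == 0xA0:                                      # optional [0] EXPLICIT version
        p = nxt
    _, _, p = _tlv(der, p)                               # serialNumber
    _, _, p = _tlv(der, p)                               # signature AlgorithmIdentifier
    issuer_start, (_, _, p) = p, _tlv(der, p)            # issuer Name
    _, _, q = _tlv(der, p)                               # validity
    subject_start, (_, _, end) = q, _tlv(der, q)         # subject Name
    return der[issuer_start:p], der[subject_start:end]

def split_pem_chain(text):
    # DER bytes of every CERTIFICATE block, in file order (first = server cert).
    ders = [base64.b64decode("".join(b.split()), validate=True) for b in PEM_BLOCK.findall(text)]
    if not ders or any(d[:1] != b"\x30" for d in ders):
        raise ValueError("file contains no DER certificate blocks")
    return ders

def chain_is_ordered(text):
    """True when each certificate after the first is the issuer of the one before it."""
    ders = split_pem_chain(text)
    return all(names(ders[i])[0] == names(ders[i + 1])[1] for i in range(len(ders) - 1))

# Constructed sample data: unsigned skeletons with the real field layout, not valid certs.
def _der(tag, payload):                                  # short-form lengths only (< 128)
    return bytes([tag, len(payload)]) + payload

def _name(cn):                                           # Name with one CN (OID 2.5.4.3)
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject, issuer):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer) + _der(0x30, b"") + _name(subject))
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SERVER = fake_cert_pem("mail.company.com", "Intermediate CA")
INTERMEDIATE = fake_cert_pem("Intermediate CA", "Root CA")
GOOD_FILE = SERVER + INTERMEDIATE                        # order the manual describes
BAD_FILE = INTERMEDIATE + SERVER                         # intermediate pasted above the server cert
```

Running `chain_is_ordered` over the real server.crt after the copy step catches a file where the intermediate was pasted above the server certificate, which is the usual cause of clients still reporting an untrusted chain.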