Maybe this is the first time you have come across certificates, SSL and the other
related jargon, and it’s confusing you. Don’t worry! This HOWTO
is here to help – read on!
By following the steps outlined here
you will end up with a Free Trial SSL certificate from a trusted
Certification Authority, allowing you to test the SSL functions of
your server.
This tutorial
uses the well known Certificate Authority VeriSign, but most
Certificate Authorities, such as Thawte and GeoTrust, also have free
trial certificates. The only difference will be the ordering process.
There is a list of the most well-known Certificate Authorities at the
end of this article.
A free Trial SSL
Certificate from VeriSign has a 14 day validity period. This should
be plenty of time to evaluate its use and usefulness on Icewarp
Server, and to familiarize yourself with the broader issues of SSL
certificates.
There are 4 steps to get a signed certificate:
1) Generating the CSR (Certificate Signing Request) and Private Key
2) Sending the CSR to the CA (Certificate Authority, VeriSign in this HOWTO)
3) Merging the Signed Certificate from the CA with your Private Key
4) Installing the merged certificate into Icewarp Server
1) Generating CSR (Certificate Signing Request) and Private Key
First you should generate 2 files – your Private Key
and the CSR. Your Private Key should be stored in a safe place, and
the CSR will be sent to the Certificate Authority for signing.
Remember, the Private Key is
secret and you should never ever disclose it to anyone!
There are many ways to generate the
Private Key and CSR files but the most convenient is probably to use
Icewarp Server's built-in tool.
Open the Administration console and go to Certificates – Server Certificates.
Press the “Create Server Certificate...” button and complete the following fields:
Common name – use your mail server domain name
Tick “Certificate Signature Request” – otherwise Icewarp Server will generate a self-signed public key instead of the CSR
Private key file – path to the file where your Private Key will be stored
Public key / CSR file – path to the file where your CSR file will be stored
Both files will be generated in .pem format.
2) Sending CSR to CA - Certification Authority - VeriSign in this tutorial
The CSR now needs to be sent to the Certificate Authority. The CA will check the request,
digitally sign it with their certificate, and send it back. Because we are only requesting the Free
Trial the checking procedure is simple and the signed certificate
will be sent back promptly. When you are buying the "real"
certificate the checking procedure is much more thorough – you need to
prove you are the owner of the domain, a member of the company, etc.
Go to the VeriSign page and follow their wizard.
You will be asked for contact
information – make sure you use a real email address because they
will send the signed certificate to that address.
When you are
asked for your CSR you should cut and paste the content of the CSR
file you generated. You can open the file with any text-based editor.
Choose a challenge phrase (password)
for your certificate. This challenge phrase is used when you want to
renew, revoke or make changes to the certificate.
Confirm the information you provided
and the signed certificate will be sent to the email address you
provided.
3) Merging the Signed Certificate from Certificate Authority with your Private Key
The email message from support@verisign.com contains information on what to do
next. You need to install the VeriSign certificates in your browser.
Follow the link
.
Copy and paste the certificate into file TrialRoot.crt.
If you are using a Windows/IE browser you
can double-click the certificate to install it. If you are using Firefox then you can
install the certificate by going to Tools – Options – Advanced –
Encryption – View certificates – Import.
Once done, all certificates signed by
VeriSign's Trial Certificate Authority will be considered as trusted
by your browser. (This step is not necessary when you
purchase a non-trial certificate.)
Now you will merge your Private Key and the
signed certificate from VeriSign into a destination file; we will use
“mycert.pem”.
You will need:
The signed public key, which is inside the email from VeriSign. Copy and paste it to the file public.pem.
The private key you created earlier (private.pem).
Open the command line and run this
command to join both files into the final “mycert.pem”:
copy private.pem + public.pem mycert.pem
Now you have your certificate file,
which contains both the private and public keys for your Icewarp
Server.
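The merge step above as an added Python example (not from the original HOWTO and not Icewarp's own tooling): it pulls the PEM blocks out of the key file and out of the text pasted from the e-mail, rejects a CSR pasted by mistake, and returns them with clean line breaks. The function names and sample data are assumptions made for the example; it expects an unencrypted key and checks PEM framing only, not that the key matches the certificate.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # validate=True raises ValueError on stray characters in the body
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks

def merge_pem(private_text, cert_text):
    """Return the combined file: private key first, then the certificate(s)."""
    keys = [b for b in pem_blocks(private_text) if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in pem_blocks(cert_text) if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block")
    if not certs:
        raise ValueError("no CERTIFICATE block (was the CSR pasted instead?)")
    out = []
    for label, der in keys + certs:
        b64 = base64.b64encode(der).decode("ascii")
        body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out += [f"-----BEGIN {label}-----", *body, f"-----END {label}-----"]
    # Text around the blocks (mail text, CR characters, stray bytes) is dropped.
    return "\n".join(out) + "\n"

# Constructed sample inputs: dummy bytes, not real key material.
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\r\n"
              + base64.b64encode(b"k" * 60).decode()
              + "\r\n-----END RSA PRIVATE KEY-----")  # no final newline
SAMPLE_MAIL = ("Thank you for your order.\r\n\r\n-----BEGIN CERTIFICATE-----\r\n"
               + base64.b64encode(b"c" * 100).decode()
               + "\r\n-----END CERTIFICATE-----\r\n\x1a")

if __name__ == "__main__":
    print(merge_pem(SAMPLE_KEY, SAMPLE_MAIL), end="")
```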
4) Installing the merged certificate into Merak
Now that you have
your signed certificate (in mycert.pem) you need to add it to Icewarp
Server.
Open the Administration GUI and go to the System - Certificates - Server
Certificates tab. Click the Add... button to add the certificate.
Insert the
IP address that this certificate is intended for – this is the IP
address that your users are directed to when they access your server.
You can run the ipconfig /all command from the command line
to see your server IP address.
Insert the
fully qualified name of the certificate file – you can use the ‘…’
button to browse to it.
To apply the new certificate you should restart the Web/Control service.
You can test your new certificate by trying to
access webmail from your browser:
Access
https://mail.yourdomain.com:32001/webmail. Make sure
you use secured http - https instead of http. The default
SSL port is 32001.
List of CA - Certification Authorities:
Comodo
DigiCert
GeoTrust
GoDaddy
Network Solutions
Thawte
VeriSign