Installing SSL certificate?
  •  
mrshermanoaks

OK, I've tried to find an answer in the documentation and can't seem to locate it. I'm trying to get an issued SSL certificate as opposed to the self-signed one we've been using. Some mail servers have had trouble connecting to our SMTP server to deliver mail. Using Kerio 6.0.8

Using the Mail Admin application, I go to SSL Certificates, and select New Certificate Request. I enter the basic information into the form, and then export the private key and the request to disk files.

I went to Thawte to request a free 3-week trial certificate, and it asked me for the request, so I pasted in the contents from the request I saved above. Thawte responded with certificate code, which I copied and saved into a certificate file.

I went back to Kerio and selected "Import Certificate", and when prompted I selected the private key file I had originally saved, as well as the certificate file I had saved from Thawte. Kerio then showed me a new certificate. I selected "Set as Active", then stopped and started the mail service.

The message I get when I try to connect from my mail client is still that there's a problem: "There is no root certificate for this server". I'm not sure if that's a problem because this is a test certificate, or if there's something else that I'm supposed to be doing.

Did I miss something?
  •  
Dr.Bob

I've had a similar issue with my cert (also Thawte, the 123SSL cert) and that was caused by the way Thawte distributed the cert: instead of having ONE cert to install, I needed to import a separate 'Intermediate Root' cert as well. But this wasn't going to work with KMS ....

~ BTW, the issue I had was that it worked fine on WinXP, in IE and OutlookExpress, but had ssl-errors (can't verify blahblahblah) in Firefox and with Apple software.

So, asked Thawte support about this, and they took care of it by letting me reissue my cert, and then I got a so-called Primary Root CA instead of the Intermediate. Which works perfectly fine now, in all mail clients, in all web browsers and all platforms (let's say all that I tested or have clients with).

Hope this helps!
  •  
mrshermanoaks

Thanks for the tip, I'll give that a try.

For all the great things I've had to say about Kerio Mail Server, I've been trying for months now to figure out how to install a signed SSL certificate and have gotten nowhere. Granted I haven't bothered to contact tech support yet (except for this forum). But the rest of the server is so easy to configure, I don't know why this one part is so hard.

And what should I be looking for in terms of SSL for just the mail server domain? Thawte's SSL123 certificate is $149/yr, QualitySSL for $129, and GoDaddy has them for $30. What do I need for my mail server if it's just for mail.mydomain.com?

If there's a FAQ for all this stuff, I'd love to see it!
  •  
Dr.Bob

If it's just for your own personal use or a small group of colleagues, friends or whatever, I'd say: go with the cheapest as long as they support the browsers/mail clients you use (check their site or support dept!)

If you're running a mailserver and want to support most possible browsers and mail clients, go with Verisign or Thawte, they have the broadest support, also for older browsers and mail clients. And then I think Thawte's 123ssl is very good for its price, and my contact with Thawte's support has also been good enough.

I believe there are some comparisons on the net between the various suppliers -

Good luck!
  •  
mrshermanoaks

We've been using a self-signed cert for the last year, but there are some other mail servers that cannot connect properly to our SMTP server, citing SSL errors. And we host some mail for others, we get complaints about the dialogs.
  •  
mrshermanoaks

Ended up getting a certificate from Thawte, their SSL123 for $149. Once you buy the cert, it works fine (regarding the previous message). I didn't have any of the trouble that Dr. Bob mentioned...

But it's disappointing that I can't seem to just buy a certificate from any vendor. I was looking at working with InstantSSL and QualitySSL, both of which were cheaper, and was told that they weren't compatible. I just wish Kerio made it more clear what was compatible and what wasn't, I don't think that's asking so much.
  •  
Smilin

With regard to Intermediate Certificates (which is how I found the above) and after a few hours of mucking around..

If you are using an authority that needs an intermediate certificate (I use Thawte which started to require these a while ago) there is no obvious way of getting this into Kerio as the Import SSL function requires both a Key (unavailable, hence the problem I was having) and a certificate (available from Thawte).

So, you have 2 options (one I tried one I am told will also work)

1 - Get the intermediate certificate (for your flavour of OS) and name it the same as the SSL that is installed and active from SSL's within Kerio Admin (mine was server2 as this is the third SSL on this box for kerio) and save in the folder sslca (so my name was server2.cer), restart Kerio - This just worked for me!

2 - The other way is to open up the active SSL in folder sslcert in notepad etc and paste the intermediate certificate AFTER the whole of the active SSL (so there will be 2 START and END certificates), I have not tried this but apparently it is good.

Hope that helps you!
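
The missing-intermediate problem raised in this thread, and the file layout from option 2 above (server certificate followed by the intermediate in one PEM file), as an added example that is not part of any post and not Kerio tooling. It uses a constructed throwaway CA hierarchy; the `demo-*` names and `server-*.crt` file names are assumptions, and only standard `openssl req`, `x509` and `verify` calls are used.

```shell
#!/usr/bin/env bash
# Added example. Constructed throwaway CA hierarchy, not real Thawte certificates.

# Create root -> intermediate -> leaf in directory $1, then the two candidate
# server files: leaf only, and leaf followed by the intermediate (option 2).
build_demo_chain() {
  local d="$1" n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
  cp "$d/leaf.pem" "$d/server-leaf-only.crt"
  cat "$d/leaf.pem" "$d/int.pem" > "$d/server-with-intermediate.crt"
}

# Number of certificates in a PEM file (the option 2 layout should give 2).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds only if the FIRST cert in $2 chains to the trusted root $1 using
# nothing but the other certs in $2, i.e. what a client holding only the root sees.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  local d f
  d=$(mktemp -d) || return 1
  build_demo_chain "$d" || { rm -rf "$d"; return 1; }
  for f in server-leaf-only.crt server-with-intermediate.crt; do
    if chain_ok "$d/root.pem" "$d/$f"; then
      echo "$f: $(count_certs "$d/$f") cert(s), chain verifies"
    else
      echo "$f: $(count_certs "$d/$f") cert(s), chain does NOT verify"
    fi
  done
  rm -rf "$d"
}
demo
```

To check a real certificate file the same way, call `chain_ok` with the CA's published root as the first argument and the server's PEM file as the second.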