Comodo and InstantSSL certificates
  •  
bigmountain

Is anyone using any of these certificates with KMS 6.5? If so, how well are they working with mobile phones? I ordered one and received the root certificate, intermediate certificate and then my server certificate. I read from some other posts that mobile phones do not play well with any certificates that require an intermediate certificate. I just wanted to hear from some users and get their real world experience using Comodo/InstantSSL certs with KMS before I upload this certificate to the server. Currently, I am using Thawte and it works pretty well, but I signed on as a web host reseller for Comodo and they provided me this certificate free as part of my reseller package and I'd like to use it if possible. Thanks!

Preferred Kerio Partner and Cloud Solutions Provider - Offering both shared and dedicated Kerio Connect hosting solutions.
Visit us at http://bigmountainmail.com
  •  
cthomas

I just bought a Comodo cert and am having problems with it as well. I got it installed into KMS OK but browsers are balking at it and throwing up error messages. I haven't had time to figure out why yet.

- C. Thomas
  •  
TorW

If you bought a server certificate as well as an intermediate certificate, both of them must be installed on KMS. This is documented in the manual. If you skip the intermediate certificate on KMS, the certificate chain will be incomplete and the client will complain.

cthomas: figuring out why a browser doesn't want a certificate takes about eight seconds. Usually, the cert chain is broken, meaning either your browser doesn't recognize the root certificate (CA cert), or the intermediate certificate is missing from the server.

The former is usually fixed by updating the root certificate store on Windows Update, or manually downloading and installing the root cert from Comodo.
  •  
cthomas


Well, thank you very much for that snarky comment but not everyone is an SSL expert like yourself. Once I spent a little time looking into it, yes, it was obvious that what I needed was a root certificate.

Unfortunately Comodo issues a ca-bundle which contains the root and intermediate certificates combined and then offers instructions on how to modify the httpd.conf file to reference the bundle. There is no mention of ca-bundle files in the Kerio manual.

That is where I am at the moment. I opened a trouble ticket with Comodo to try to get the root.crt outside of the .ca-bundle. And tomorrow I will look for the httpd.conf file inside Kerio. Do you know where that is?

- C. Thomas
  •  
Pavel Dobry (Kerio)

cthomas wrote on Thu, 26 March 2009 22:58


Well, thank you very much for that snarky comment but not everyone is an SSL expert like yourself. Once I spent a little time looking into it, yes, it was obvious that what I needed was a root certificate.

Unfortunately Comodo issues a ca-bundle which contains the root and intermediate certificates combined and then offers instructions on how to modify the httpd.conf file to reference the bundle. There is no mention of ca-bundle files in the Kerio manual.

That is where I am at the moment. I opened a trouble ticket with Comodo to try to get the root.crt outside of the .ca-bundle. And tomorrow I will look for the httpd.conf file inside Kerio. Do you know where that is?

- C. Thomas


Installation of the intermediate certificate is pretty straightforward and well documented at http://www.kerio.com/manual/kms/en/sect-kmscert.html

Simply copy all .crt files (both the intermediate and root SSL certificates) to the sslca directory. The root certificate also has to be imported on all clients (if not present in the operating system).
The Comodo intermediate and root certificates can be downloaded from the Comodo website: http://www.instantssl.com/ssl-certificate-support/cert_installation/ssl-certificate-index.html
  •  
Pavel Dobry (Kerio)

cthomas wrote on Thu, 26 March 2009 22:58



That is where I am at the moment. I opened a trouble ticket with Comodo to try to get the root.crt outside of the .ca-bundle. And tomorrow I will look for the httpd.conf file inside Kerio. Do you know where that is?

- C. Thomas



I guess the .ca-bundle is a combined file with intermediate certificates in PEM format. In such a case, simply rename the file to ca-bundle.crt and place it in the sslca directory. You can verify that all certificates are correctly loaded by enabling SSL and Network Connection debugging in the KMS debug log. It displays the necessary info during KMS start.
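Added example, not part of the original thread and not Kerio or Comodo code: a Python sketch that splits a PEM ca-bundle like the one discussed above into individual certificates and checks, by issuer/subject name only, whether a server certificate chains up to a self-signed root. It does not verify signatures or validity dates; `sample_pem` is a hypothetical helper that builds constructed stand-in certificates so the check can be tried offline.

```python
import base64, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos: return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos       # skip optional [0] version
    fields = []                             # serial, sigalg, issuer, validity, subject
    for _ in range(5):
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def split_bundle(pem):
    """Split a PEM bundle (bytes) into a list of DER certificates."""
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem)]

def build_chain(leaf, cas):
    """Walk leaf -> root by name matching; return (chain, complete)."""
    by_subject = {issuer_and_subject(c)[1]: c for c in cas}
    chain, cur = [leaf], leaf
    while True:
        issuer, subject = issuer_and_subject(cur)
        if issuer == subject:               # self-signed: reached the root
            return chain, True
        cur = by_subject.get(issuer)
        if cur is None or cur in chain:     # missing link (or a loop)
            return chain, False
        chain.append(cur)

def sample_pem(issuer_cn, subject_cn):
    """Constructed stand-in (X.509 field layout only, no key or signature); keep CNs short."""
    seq = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda cn: seq(0x30, seq(0x31, seq(0x30, b"\x06\x03\x55\x04\x03" + seq(0x0C, cn.encode()))))
    tbs = seq(0x30, seq(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + seq(0x30, b"")
              + name(issuer_cn) + seq(0x30, b"") + name(subject_cn))
    der = seq(0x30, tbs + seq(0x30, b"") + b"\x03\x01\x00")
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

An incomplete result from `build_chain` with only the root supplied corresponds to the "intermediate certificate is missing from the server" case described earlier in the thread.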
  •  
TorW

cthomas wrote on Thu, 26 March 2009 22:58


Well, thank you very much for that snarky comment [...]


Sorry it came across as snarky. It wasn't meant that way.
  •  
cthomas


Don't worry about the snarkiness, I have come to learn that it is a common misunderstanding on this board.

Anyway, I got the Comodo certs working, I think. I sent in a support request to Comodo and they sent back all the root and intermediate certificates. I put them all in the correct folders I think, at least Firefox doesn't complain when I turn them on briefly.

Once I get the .crt installed on all my clients I'll turn it on permanently and we'll see what happens.

- C. Thomas