SSL certificate
  •  
samroy

Hi,

I would like to know if it is necessary to import/install the new SSL certificate when the old one expires? Probably the answer is yes but I would like to know.

And, if we get a verified certificate (Verisign or whatever..) do we have the same problem?

To finish, is there a way to import/install the certificate in batch? I mean, to distribute it to computers without having to install it manually.

If someone has the answer to my questions it would be great!
Thanks!
  •  
sedell

samroy wrote on Thu, 06 March 2008 09:39

I would like to know if it is necessary to import/install the new SSL certificate when the old one expires?


Yes. The same is true for a self-signed cert, or a cert from a certificate authority. It's not so bad, just import the new one and set it as active, then the KMS service requires a restart.

samroy wrote on Thu, 06 March 2008 09:39

To finish, is there a way to import/install the certificate in batch? I mean, to distribute it to computers without having to install it manually.


I can't say about Linux/Mac, but you can on a Windows domain. You can use Active Directory to deploy a self-signed certificate to all of your workstations. I do that for systems that only run within the network, but still require SSL.



Scott
  •  
samroy

Sorry I forgot to mention I'm in a Windows environment.

Could you please give me more details about how to do it via AD?
I imagine it's through GPO?

Thanks!

[Updated on: Thu, 06 March 2008 16:08]

  •  
winkelman

samroy wrote on Thu, 06 March 2008 15:39

And, if we get a verified certificate (Verisign or whatever..) do we have the same problem?

If you acquire a 'decent' certificate, you wouldn't have to distribute it to your clients, since it's already recognized by Windows.

You would still need to replace the one server certificate when it's about to expire. You can buy certificates that are valid for several years, so that's really not so big a deal.

(Expired certificates will still 'work', but users would get a warning.)

Mind you: most purchased certificates will work 'out-of-the-box' on most desktop OSes. But not on Smartphones. So if you're planning on using secured connections from Smartphones, make sure to buy a certificate that supports those! QuickSSL Premium is a good example that will work on Smartphones. (It won't without the 'Premium' part.)

[Updated on: Thu, 06 March 2008 16:26]

  •  
sedell

Yes, it's through GPO. It's under Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities. You can import a cert here to have it distributed.

It would still be better to get a cert from a certificate authority though. Some hand-held devices don't allow you to import certs, and having a self-signed cert does occasionally cause problems with other mail servers if they try to use SSL when communicating. Bottom line, if it only accepts connections from network clients, a self-signed cert is ok. If it's accepting connections from the internet where you don't have control of all the connecting systems, it's better to have a cert from a certificate authority.

Scott
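
A check to run on a workstation after the GPO deployment described above, added here as an example and not part of the original post: it confirms the server certificate is in the machine's Trusted Root store and reports how long it remains valid. The file path and the 30-day warning window are assumptions.

```powershell
# Added example: confirm a GPO-distributed self-signed certificate is trusted
# on this workstation and flag it when it is close to expiry.
param(
    [string]$CertPath = 'C:\certs\mailserver.cer',  # hypothetical export of the server certificate (public part only)
    [int]$WarnDays    = 30                          # hypothetical renewal warning window
)

# Load the exported certificate to obtain its thumbprint and validity dates.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Look for the same certificate (matched by thumbprint) in the machine-wide
# Trusted Root Certification Authorities store.
$deployed = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected.Thumbprint }

$daysLeft   = [int]($expected.NotAfter - (Get-Date)).TotalDays
$selfSigned = $expected.Subject -eq $expected.Issuer

# An old certificate left in the store does not help once the server presents
# a renewed one: the thumbprint changes, so the renewed certificate must be
# exported again and this check re-run against it.
if (-not $deployed) {
    $status = 'NOT DEPLOYED'
} elseif ($daysLeft -lt 0) {
    $status = 'EXPIRED'
} elseif ($daysLeft -le $WarnDays) {
    $status = 'RENEW SOON'
} else {
    $status = 'OK'
}

[pscustomobject]@{
    Subject       = $expected.Subject
    Thumbprint    = $expected.Thumbprint
    SelfSigned    = $selfSigned
    NotAfter      = $expected.NotAfter
    DaysLeft      = $daysLeft
    InTrustedRoot = [bool]$deployed
    Status        = $status
}
```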
  •  
samroy

Ok then. I think I'll go with the self-signed certificate for now since it expires at the end of the month but I will surely look at a certified certificate.

Winkelman, the reason I asked about how to distribute is for the Outlook possibility to organize a meeting and see if people are free at a certain time. Do you know if it would still work without importing/installing it?

If no, then I'll have to stick with sedell's solution to push it through GPOs.

Thanks!