SSL Certificate and hostnames
  •  
higginsta

My mail server's hostname (and internal DNS record) is kerio.example.com.

My internet hostname in Kerio is mail.example.com (which matches my MX records and my external PTR) and my primary domain is example.com.

When I am exporting my SSL certificate request should the hostname match the computer's hostname, or should it match the internet hostname?

I think it should be the internet hostname, but I want to be sure before I order the certificate from Geotrust - they do not allow hostname changes once a certificate has been issued.

I found a thread in the forums about people using Geotrust - can anyone comment on the hostname requirement?

Thanks,

Todd
  •  
Yohann94

The SSL certificate is only an affair between the mail server and the internet browser. So it will be recognized if you are using in your browser the hostname recorded with Geotrust.
If you register mail.example.com with Geotrust, and you type mail.example.com in your address bar, your browser will be happy. But if you type kerio.example.com the certificate won't be valid.

So, for the SSL to be recognized from inside your LAN and from the WAN, you'll have to use the same URL or register with Geotrust both hostnames (kerio.example.com and mail.example.com).

We choose to use the same DNS here. I can resolve mail.mydomain.com from outside with a public IP address, and mail.mydomain.com from inside with a private IP address. This is only a DNS configuration thing.

[Updated on: Wed, 08 April 2009 08:20]

  •  
higginsta

Right now I have 2 customers that are doing just what you suggest - they are using mail.example.com as their computer hostname and as their mail domain (mail.example.com).

But, both wanted the kerio system installed before they make the cutover to get familiar with the interface, calendar system and provide training, etc. So I set up kerio.example.com as the server name, but the internet hostname is mail.example.com. (It does not accept mail from outside their LAN yet)

So making the cutover should be as simple as just changing the rule on the firewall to point inbound SMTP to kerio.example.com. Add a CNAME on internal DNS pointing mail.example.com to kerio.example.com

Does that make sense?

  •  
Yohann94

That's it.
For the SSL to work, you have to do 3 things:
- registering mail.example.com with Geotrust
- pointing mail.example.com to the right IP (A) or name (CNAME) in your DNS (external and internal)
- using mail.example.com in your browser.
  •  
higginsta

Thanks Yohann94,

The internet hostname was what was confusing me - that needs to match external DNS for other mail servers to validate the server, but has nothing to do with the SSL process in the browser.

So if my customers wanted to maintain 2 different hostnames, i.e. mail.example.com on the WAN and kerio.example.com on the LAN, then they would need to purchase a multi-domain SSL certificate to prevent an error message popping up on the LAN (assuming we registered the WAN hostname with Geotrust).
  •  
Yohann94

That's right. One certificate = one hostname.
Or you can create a self-signed certificate and install it manually on the computers which connect from the LAN.
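
The name check discussed in this thread, as an added example that is not part of the original posts and is not Kerio or Geotrust code: a simplified RFC 6125-style matcher that reports which of the names clients type are covered by the DNS names in a certificate. The function names and the certificate name lists are constructed for illustration, and the wildcard case goes beyond what the thread covers.

```python
# Added example: which names a client may type without a certificate warning.
# Simplified RFC 6125-style matching: compare the hostname with the DNS names
# in the certificate, case-insensitively; "*" is accepted only as the entire
# left-most label and stands for exactly one label.

def name_matches(pattern: str, hostname: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "m*il.example.com" are rejected.
    return "*" not in pattern and p == h


def covered(cert_dns_names, hostname):
    """True if any DNS name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_dns_names)


def audit(cert_dns_names, client_names):
    """Map each name clients use to True (accepted) or False (warning)."""
    return {c: covered(cert_dns_names, c) for c in client_names}


# Constructed inputs using the thread's hostnames.
CLIENT_NAMES = ["mail.example.com", "kerio.example.com"]
SINGLE_NAME_CERT = ["mail.example.com"]                      # WAN name only
MULTI_NAME_CERT = ["mail.example.com", "kerio.example.com"]  # both names
WILDCARD_CERT = ["*.example.com"]                            # not from the thread

if __name__ == "__main__":
    for label, names in [("single", SINGLE_NAME_CERT),
                         ("multi", MULTI_NAME_CERT),
                         ("wildcard", WILDCARD_CERT)]:
        for host, ok in audit(names, CLIENT_NAMES + ["example.com"]).items():
            print(f"{label:9} {host:20} {'ok' if ok else 'NAME MISMATCH'}")
```

Run it against the name list you plan to put in the certificate request and every hostname clients, DNS records and mail client profiles actually use, before ordering a certificate that cannot be changed afterwards.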