Home » Kerio User Forums » Kerio Connect » Procedure: Generate SSL certificate using multiple names (Windows Enterprise CA, using subject alternative names)

SSL certificate for Kerio Mailserver with multiple names using a Windows 2008 Enterprise CA

The challenge: Creating and installing a certificate with multiple names (e.g. for external clients and server1.acmegizmo.local for internal clients) using a Windows 2008 Enterprise CA.

Note: This procedure can only be done using the Windows Enterprise Edition; Windows Standard Edition does not allow you to modify/use Certificate Templates.

Step 1: Allow the Enterprise CA to use Subject Alternative Names in the issued certificates
On the Windows CA, start cmd.exe
Issue the following commands:

Step 2: Modify the Web Server template to allow private keys to be exported
(The default Web Server Certificate Template prevents private keys from being exported)
    - On the Windows CA, start mmc.exe
    - Add the Certificate Templates Console
    - Select the Web Server template, right click and select "Duplicate Template"
    - In the next screen, select "Windows Server 2003, Enterprise Edition"
    - For the properties of the New Template, provide the following:
    [General] Template Display Name: "Web Server (exportable)"
    [General] Template Name: "WebServer(exportable)"
    [General] Minimum key size: <value needed in your organisation>
    [Request Handling] Enable "Allow private keys to be exported"
    [Issuance Requirements] Enable "CA certificate manager approval"
    - Click on [OK] to save the new template

Step 3: Instruct the CA to use the "Web Server (exportable)" template
    - On the Windows CA, start the Certification Authority console
    - Select the node "Certificate Templates"
    - Right Click | New | Certificate Template To Issue
    - Select the Web Server (exportable) template
    - Click OK

Step 4: Prepare the certificate request
    - On the Windows Kerio Server, create a directory called "C:\certreq"
    - Start notepad and paste the following text (replace dns names with yours):
    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=<FQDN of your Kerio server>" ; must be the FQDN
    Exportable = TRUE ; TRUE = Private key is exportable
    KeyLength = 1024 ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
    KeySpec = 1 ; Key Exchange
    KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = CMC

    [RequestAttributes]
    CertificateTemplate = WebServer(exportable) ;Duplicated WebServer template
    SAN="dns=<external name>&dns=server1.acmegizmo.local&dns=server1" ;Add all alternative names (including NETBIOS name)

    - Save the file as request.inf

Step 5: Generate the certificate request
    - On the Windows Kerio server, start a cmd prompt
    - Issue the following commands (replace "example" with your actual Kerio server name):
    CD C:\certreq
    certreq -new request.inf example.req
    certreq -submit example.req example.cer
    >> Note the request ID returned

Step 6: Issue the certificate
    -On the Windows CA, start the Certification Authority console
    - Select the node "Pending Requests"
    - Select the line containing the request ID from the previous step
    - Right Click | All Tasks | Issue

Step 7: Accept the issued certificate
    - On the Windows Kerio server, start a cmd prompt
    - Issue the following commands (replace "example" with your actual Kerio server name):
    - certreq -retrieve <request id> example.cer
    - certreq -accept example.cer

Step 8: Export the certificate from the Windows Certificate Store
    - On the Kerio mailserver, start mmc.exe
    - Add the Certificates MMC (computer, local machine)
    - Browse to Certificates (Local Computer) | Personal | Certificates
    - Select the newly issued certificate (server authentication)
    - Right click and select All Tasks | Export
    - Select "Yes, export the private key"
    - Select the following options:
    Personal Information Exchange - PKCS # 12
    Include all certificates in the certification path if possible
    Export all extended properties
    - Provide a password
    - Provide a filename, e.g. example.pfx
    - Export the file into the c:\certreq directory
    - Repeat the process above, exporting the certificate again, but this time without the private keys in base-64 format (filename: example.crt)

Step 9: Convert the pfx file into .crt and .key files (PKCS#12 to RSA format)
Source: iewarticle&kbarticleid=80
    -On the Kerio mailserver, download the SSL Certificate utility
    - Extract the zipfile to c:\certreq\sslcert
    - Copy c:\certreq\example.crt to c:\certreq\sslcert\example.crt
    - Copy c:\certreq\example.pfx to c:\certreq\sslcert\example.pfx
    - Execute c:\certreq\sslcert\openssl.exe.
    - Issue the following command: pkcs12 -in example.pfx -nocerts -out example.pem.
    - You will need to supply the password used when you created the Personal Information Exchange file during the export.
    - After supplying the password, you will then be asked to create and verify a "PEM pass phrase". You will need to supply this pass phrase in order to convert the "PEM file" to a KEY file. This pass phrase will be used only once, and is not relevant after the key file has been created.
    - At this point you will have a new file in the same directory called example.pem.
    - Type the following command: rsa -in example.pem -out example.key.
    - After entering the "PEM pass phrase", the example.key file will be generated. You will no longer need the "PEM pass phrase".

Step 10: Import the certificate and key files into Kerio MailServer
    - Locate the /sslcert directory. The default location for each supported Operating System is provided below.
    OS X: /usr/local/kerio/mailserver
    Windows: C:/program files/kerio/mailserver
    Linux: /opt/kerio/mailserver
    - Copy the example.crt and example.key files into this directory.
    - Restart Kerio MailServer
    - Connect to Kerio MailServer using the Administration console and go to the Configuration -> SSL Certificates dialog.
    - Select the new certificate and choose the option 'Set as active'.
    - Restart Kerio MailServer and the certificate and key should now be used by Kerio MailServer.

Step 11: Verify certificate
    - Using a browser, connect to https://<external webmail address of your Kerio server>
    There should not be a certificate error (provided that your CA is trusted by this computer)
    - Using a browser, connect to https://<internal name of your Kerio server>
    There should not be a certificate error (provided that your CA is trusted by this computer)

Kind regards,
Erik Cheizoo
eXcellence & Difference
The Netherlands

[Updated on: Thu, 27 August 2009 00:26]
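The whole procedure above (Steps 4 to 10, plus an offline form of the Step 11 check) as one PowerShell script run on the Kerio host. This is an added example, not code from the original post. The CA name, host names, paths and the PFX password are assumed placeholders; the Step 1 commands are missing from this copy of the post, and the script assumes the CA-side change is the usual EDITF_ATTRIBUTESUBJECTALTNAME2 edit flag, which is also an assumption. That flag deserves a caveat the post does not give: it is CA-wide, so while it is set, any principal who can enrol for any template on that CA can put arbitrary names, including other users' UPNs, into a request and have them signed. Keep the template's manager-approval requirement from Step 2 and clear the flag again once the certificate has been issued.

```powershell
# Added example, not from the original post. Run from an elevated prompt on the Kerio host.
# Everything marked "assumed" is a placeholder to replace with your own values.

$CaConfig = 'ca01.acmegizmo.local\AcmeGizmo Enterprise CA'     # assumed: CAhost\CAname
$External = 'mail.acmegizmo.com'                                # assumed external name, used as CN
$AltNames = @($External, 'server1.acmegizmo.local', 'server1')  # every name, incl. the NetBIOS name
$Template = 'WebServer(exportable)'                             # template name from Step 2
$WorkDir  = 'C:\certreq'                                        # directory from Step 4
$OpenSsl  = 'C:\certreq\sslcert\openssl.exe'                    # utility location from Step 9
$KerioSsl = 'C:\Program Files\Kerio\MailServer\sslcert'         # assumed: Step 10 directory on Windows
$PfxPass  = Read-Host 'Password for the temporary PFX export'

# Step 1 check: the CA honours the SAN request attribute only with the
# EDITF_ATTRIBUTESUBJECTALTNAME2 edit flag (assumed to be what Step 1 sets).
$flags = certutil -config $CaConfig -getreg policy\EditFlags | Out-String
if ($flags -notmatch 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    throw "CA $CaConfig ignores SAN request attributes; apply Step 1 on the CA first."
}

# Step 4: build request.inf. certreq needs the section headers; the SAN attribute
# syntax is dns=name&dns=name, with the CN repeated among the names.
$san = ($AltNames | ForEach-Object { "dns=$_" }) -join '&'
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$External"
Exportable = TRUE
KeyLength = 2048 ; the post's 1024 is rejected by current browsers and CAs
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[RequestAttributes]
CertificateTemplate = $Template
SAN="$san"
"@
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir
Set-Content -Path request.inf -Value $inf -Encoding Ascii

# Step 5: generate and submit. The template requires manager approval, so -submit
# reports "pending" together with a RequestId, which Step 7 needs.
certreq -new request.inf example.req
$submit = certreq -config $CaConfig -submit example.req example.cer 2>&1 | Out-String
if ($submit -notmatch 'RequestId:\s*(\d+)') { throw "Submit failed:`n$submit" }
$reqId = $Matches[1]

# Step 6: a certificate manager issues the pending request (console: Pending Requests | Issue).
# The same action from the command line, under an account with Issue rights on the CA:
certutil -config $CaConfig -resubmit $reqId | Out-Null

# Step 7: retrieve the issued certificate and bind it to the key that -new created.
certreq -config $CaConfig -retrieve $reqId example.cer | Out-Null
certreq -accept example.cer | Out-Null

# Check before exporting: the certificate is in the machine store, has its private key,
# and carries every requested name in its Subject Alternative Name extension (OID 2.5.29.17).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$External" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate with private key not found in LocalMachine\My' }
$sanExt = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
foreach ($n in $AltNames) {
    if ($sanExt -notmatch [regex]::Escape("DNS Name=$n")) { throw "SAN missing: $n (got: $sanExt)" }
}

# Step 8: export with the private key (PKCS#12) via certutil instead of the MMC wizard.
certutil -p $PfxPass -exportPFX My $cert.Thumbprint example.pfx | Out-Null

# Step 9: split the PFX into example.crt and an unencrypted example.key. -nodes skips
# the post's intermediate "PEM pass phrase" round trip; the resulting key file is the same.
& $OpenSsl pkcs12 -in example.pfx -passin "pass:$PfxPass" -nocerts -nodes -out example.key
& $OpenSsl pkcs12 -in example.pfx -passin "pass:$PfxPass" -clcerts -nokeys -out example.crt
Remove-Item example.pfx   # nothing else needs the password-protected copy

# Key and certificate must belong together, and the .crt must still list all the names.
$certMod = & $OpenSsl x509 -in example.crt -noout -modulus
$keyMod  = & $OpenSsl rsa  -in example.key -noout -modulus
if ($certMod -ne $keyMod) { throw 'example.key does not match example.crt' }
& $OpenSsl x509 -in example.crt -noout -text | Select-String 'DNS:'

# Step 10: the key is now plaintext on disk; restrict who can read it before Kerio loads it.
# Assumed: the mail service runs as SYSTEM; adjust the grant to the account it actually uses.
Copy-Item example.crt, example.key -Destination $KerioSsl
icacls "$KerioSsl\example.key" /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(F)' | Out-Null
```

After the copy, the post's Step 10 still applies: restart Kerio MailServer, mark the certificate active in Configuration -> SSL Certificates, and restart again. The `Select-String 'DNS:'` line is the offline equivalent of Step 11: every name a client will use must appear there, since browsers match against the SAN list rather than the CN.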
