
Add SSL certificate to Kerio via CLI

Messages: 67
Karma: -1
Since I'm starting to switch from StartCom to Let's Encrypt, I would like to know if it's possible to add SSL certificates (and intermediate certificates) to Kerio via the CLI. I'm running CentOS 6 with Kerio 9.1.1.

I've already tried to add the .key and .crt files to the sslcert directory in the store. I've also added the intermediate certificate to the sslca directory. But after a restart, they don't show up in the GUI list.

When I add them manually it works just fine.

Since Let's Encrypt certificates are only valid for 90 days, I would like to automate this.

I do however see a difference between adding a new certificate/domain to Kerio and renewing the certificate.

Let's say I just want to renew an existing certificate. Would it be fine to replace the original file with a new one and restart Kerio?

Messages: 349
Karma: 10
A little googling of "kerio connect Let's encrypt" turned up: s-Encrypt-with-Kerio-Connect.html

I suspect you can adapt this for CentOS (I haven't tried it yet, but will likely once I get my CentOS 7 box working).


Messages: 67
Karma: -1
I already found that solution, but that's still not automated.

"Now open the admin panel, select Configuration > SSL Certificates and see your certificate appear. Select it and set is as active."

I want the ssl part to be unattended.

Messages: 349
Karma: 10
ikheetleon wrote on Thu, 29 September 2016 02:49
I already found that solution, but that's still not automated.

"Now open the admin panel, select Configuration > SSL Certificates and see your certificate appear. Select it and set is as active."

I want the ssl part to be unattended.

I do believe you missed this section:

Just run:

./letsencrypt-auto certonly --keep-until-expiring -d
You may want to put this in a cronjob to run every 30 days or so. If the certificate is close to expiring, it will be renewed automatically, otherwise it will be kept until the next run.

You only need the GUI for selecting the active cert (which you should only need to do once).

That solves most of the problem for 99% of those of us running Connect.


Messages: 4
Karma: -1
WARNING: this script will uninstall your whole mailserver.
During the installation it shows "stopping kerio-connect", but after this there is no mailserver anymore. The whole software package is gone!

Messages: 1
Karma: 0
Please replace "hxxp" in this message with "http". I am NOT ALLOWED to post links xD

For those who like to add Let's Encrypt Support to Kerio, which runs under Windows Server, here is how to manage it.

1a. Download xampp and only install apache. (hxxps://
1b. Download letsencrypt-win-simple and extract it to C:\letsencrypt-win-simple ( hxxps:// s)

2a: Add "ServerName <<your-mailserver-fqdn>>:80" to c:\xampp\apache\conf\httpd.conf
2b: Optionally change the ssl port in "C:\xampp\apache\conf\extra\httpd-ssl.conf" to for example 444 instead of 443. (so that no errors occur)

3. Disable Port 80 in Kerio Services in the Admin Interface (Port 4040)

4. Test Apache with "C:\xampp\apache_start.bat", try to access hxxp://<<your-mailserver-fqdn>>:80, stop apache with "C:\xampp\apache_start.bat"

If 4 is successful, clean the htdocs folder of Apache in order to minimize risks.

5. Then test the cert creation.

"C:\letsencrypt-win-simple\letsencrypt.exe" --manualhost <<your-mailserver-fqdn>> --webroot "C:\xampp\htdocs" --test
Follow the instructions at the prompt of the exe-file.

6. If this is successful, create the certificates (without --test). Say YES to create the daily task to check and renew the certificates. You'll need it later. You should also use the same user for renewing as for creation.
"C:\letsencrypt-win-simple\letsencrypt.exe" --manualhost <<your-mailserver-fqdn>> --webroot "C:\xampp\htdocs"

They are then located here:
C:\Users\<<username>> \AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.le "

7. Copy the %DOMAINNAME%-key.pem and %DOMAINNAME%-crt.pem from this folder to a location of your choice and rename them to %DOMAINNAME%.key and %DOMAINNAME%.crt.
Import it via the Kerio Admin Interface ONCE and then activate the certificate.
The Certificates are now located here: C:\Program Files (x86)\Kerio\MailServer\sslcert
You will need the file name of the certificate and key.

8. Try to access hxxps://<<your-mailserver-fqdn>> ... perhaps try to close and open the browser or press Ctrl+F5.

9. If 8 is successful, it is time to automate the rest:

10. Create a batch file under "C:\letsencrypt-win-simple". Content at the end of this post!

11. Modify the created task which runs daily:
Program: C:\Windows\SysWOW64\cmd.exe
Arguments: /c "C:\letsencrypt-win-simple\!!your-batch-file!!.bat"
Execute in: C:\letsencrypt-win-simple

12. After 61 Days... Check the C:\letsencrypt-win-simple\results-xcopy.log if the new certificates are copied correctly and that the certificates are delivered correctly by kerio!


The content of the batch file may be like:
:: Description: Start Apache, Renew Certificates, Copy and Rename the two files, stop the apache.
:: I think it is not necessary to restart the kerio mailserver...
:: Please check after 61 days the log file results-xcopy.log!!!

set "APACHE_START=C:\xampp\apache_start.bat"
set "APACHE_STOP=C:\xampp\apache_stop.bat"
set "KERIOSSLCERTPATH=C:\Program Files (x86)\Kerio\MailServer\sslcert"
set "LETSENCRYPTCERTPATH=C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\"
set "LETSENCRYPTEXEPATH=C:\letsencrypt-win-simple"
set ""

echo Step 1... Start Apache...
start /MIN "Start Apache..." CMD /C "%APACHE_START%"
echo Wait 5 Seconds for Apache!
:: ping needs a target host; loopback is used here purely as a delay
ping -n 5 127.0.0.1 >NUL 2>&1

echo Step 2... renew certificates!
"%LETSENCRYPTEXEPATH%\letsencrypt.exe" --renew --baseuri "hxxps://"

echo Schritt 3... Kopiere neue Zertifikate in das Entsprechende Verzeichnis
echo %date% >> "%~dp0results-xcopy.log"
:: Only copy newer files to the kerio sslcert store
:: The Asterisk is important! 
xcopy /D /Y %DOMAINNAME%-key.pem "%KERIOSSLCERTPATH%\%KERIOSSLKEYNAME%*" >> "%~dp0results-xcopy.log"
xcopy /D /Y %DOMAINNAME%-crt.pem "%KERIOSSLCERTPATH%\%KERIOSSLCRTNAME%*" >> "%~dp0results-xcopy.log"

echo Step 4...Stop Apache...
start /MIN "Stop Apache..." CMD /C "%APACHE_STOP%"

Have fun. Hope I have not forgotten a step.

[Updated on: Wed, 05 April 2017 10:34]


Messages: 186
Karma: 9
I got it working with nginx based on and symlinking did not show the cert in the gui, I had to import the cert and key manually, then replace them with the symlinks like the guide has.

I also had to increase the timeouts based on sing-nginx/. 610 works, the rpc timeout is 10 minutes, a few seconds extra for lag.

And also increase the max body per ent_max_body_size to allow your largest email size + some extra (I just put 100m).

It would be great if the embedded web server would simply allow the ".well-known" folder, then the "webroot" option could be used and skip the nginx hack.

[Updated on: Tue, 02 May 2017 22:49]


Messages: 1
Karma: 0
I set up a way which involves stopping Kerio Connect for a short while and using certbot's standalone method, which does not require a web server. Since I run a nightly backup which necessitates the server being stopped, I am able to slip the setup and its renewal process into my procedure without affecting downtime.

On Debian

1. Get Certbot (substitute the proper URL attribute for "at" - I am not allowed to "use links till I have posted 5 messages")

wget at
chmod a+x certbot-auto

2. Run it once without any parameters to check for dependencies.


3. Create the Certificate

service kerio-connect stop && ./certbot-auto certonly --standalone -d 

3a if additional domains add
" -d -d -d"
to above line

3b when running for the first time a contact email will be asked for. Enter one.

4 Create Symlinks of issued Certs so that Kerio Connect can find them:

ln -s /etc/letsencrypt/live/ /opt/kerio/mailserver/sslcert/mail.crt

ln -s /etc/letsencrypt/live/ /opt/kerio/mailserver/sslcert/mail.key

5. Start Kerio Connect

service kerio-connect start 

Access Kerio Connect Admin > Configuration > SSL Certificates where your new cert will appear. Select it and set as active. If desired delete unneeded certs.

Restart your browser to view the certificate.

6. Renew

create cron job /etc/cron.d/cert-renew

nano /etc/cron.d/cert-renew


0 4 * * *  root  { service kerio-connect stop && /root/certbot-auto --standalone renew; service kerio-connect start; } >/dev/null

I take advantage of the fact that I stop my Kerio Connect server daily to run a backup by letting the renew process run before restarting Kerio Connect.

for example:

service kerio-connect stop
... the backup action
/root/certbot/certbot-auto --standalone renew
service kerio-connect start

[Updated on: Sun, 14 May 2017 19:09]
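
An added example, not part of any post in this thread: a certbot deploy hook for the Debian setup above that copies the renewed files into Kerio's sslcert store instead of symlinking, only after checking that the key matches the certificate. The `mail.crt` / `mail.key` target names follow the post; `fullchain.pem` and `privkey.pem` are certbot's standard file names, and the environment-variable overrides are an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the thread): certbot deploy hook for Kerio Connect.
# Assumed paths: the mail.crt / mail.key names used in the Debian post above.
KERIO_CERT="${KERIO_CERT:-/opt/kerio/mailserver/sslcert/mail.crt}"
KERIO_KEY="${KERIO_KEY:-/opt/kerio/mailserver/sslcert/mail.key}"

# Succeed only if private key $2 belongs to the (leaf) certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Atomically install $1 as $2 with mode $3.
# Returns 0 if replaced, 1 if already current, 2 on error.
install_if_changed() {
    src=$1; dst=$2; mode=$3
    cmp -s "$src" "$dst" && return 1
    # mktemp creates the file 0600 in the target directory, so the key is
    # never world-readable and mv is a rename, not a partial overwrite.
    tmp=$(mktemp "$dst.XXXXXX") || return 2
    if cat "$src" > "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to deploy
# hooks; without it (for example when sourced) nothing is touched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    cert="$RENEWED_LINEAGE/fullchain.pem"
    key="$RENEWED_LINEAGE/privkey.pem"
    if ! key_matches_cert "$cert" "$key"; then
        echo "key does not match certificate, keeping current files" >&2
        exit 1
    fi
    install_if_changed "$cert" "$KERIO_CERT" 644; c=$?
    install_if_changed "$key" "$KERIO_KEY" 600; k=$?
    [ "$c" -le 1 ] && [ "$k" -le 1 ] || exit 1
fi
```

It can be wired in with `certbot renew --standalone --pre-hook "service kerio-connect stop" --post-hook "service kerio-connect start" --deploy-hook /usr/local/sbin/kerio-cert-deploy.sh` (the script path is hypothetical). With `renew`, certbot runs the pre and post hooks only when a certificate is actually due, so Kerio Connect is not stopped on the other days.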
