New SSL Certificate Install (Kerio User Forums » Kerio Connect)
BobH

Messages: 59
Karma: 0
I need to install an SSL certificate on Kerio Connect v9.2.6 patch 2 (3868).

I generated the .csr file in Kerio Administrator and, per the instructions from a Go Daddy rep, copied the text of the .csr file and pasted it to their website. They generated a certificate zip file that I downloaded. The file contained 2 .crt files: one with a single certificate in it and another that they call a bundle, which contains multiple certs.

Go Daddy told me most mail servers just want the single cert file. Fine so far. But when I go to "Import a new certificate..." in Kerio Administrator, it requires both a .crt and a .key file. What is the .key file? Is this something Go Daddy would need to generate and if so, how do I tell them what the file should comprise?
Kerio/GFI Brian

Messages: 852
Karma: 90
If you right-click on the certificate request in the Kerio Connect administration, you have the option to import the signed certificate. In this case you are not asked for the private key. Note that you need to prepare the certificate by combining the intermediate certs (copy / paste). There are instructions in this help topic at the bottom: https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/configuring-ssl-certificates-in-kerio-connect-1132.html
To test that you installed the certificate properly you can use any number of online SSL testing tools such as sslshopper.com

Brian Carmichael
Instructional Content Architect
BobH

Messages: 59
Karma: 0
Thanks Brian,

OK. Following your instructions I was able to select the .crt file they sent me with the single certificate in it. However, this generated an error...


In case the image doesn't display, the error reads

Cannot load SSL private key file. Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch.

Does this mean Go Daddy generated a bad key?
Kerio/GFI Brian

Messages: 852
Karma: 90
It means the signed certificate doesn't match the private key. Maybe you didn't select the right certificate. Did you choose exactly the option "Import signed certificate from CA"?
Before attempting to import the certificate you can make sure it's properly created using the certificate decoder here https://www.sslshopper.com/certificate-decoder.html
If you're still having difficulties I suggest reaching out to the support team and they can walk you through the process.

Brian Carmichael
Instructional Content Architect
BobH

Messages: 59
Karma: 0
I ended up contacting Kerio Tech Support on this issue. I got a pretty prompt reply and they decided to remote in to take a look.

Long story short, it was a learning experience for both of us. We ended up deleting all the self-signed certificates which were created out of ignorance on how they worked. This created some issues with KC users connecting via https but there was no avoiding it.

Go Daddy is our domain registrar and had provided us with an SSL certificate for our website so I got an SSL certificate from them for our mail server as well.

Due to troubleshooting the issue we re-keyed the certificate a number of times through the Go Daddy website. Still, stuff did not work. After talking to probably 5 different Go Daddy techs over a couple of days I got one who was definitely a level above the others. He asked me what browser I was using (Firefox) and he said, there's your problem. It caches web pages, and if you don't start with a fresh, uncached Go Daddy download page, chances are you are getting a "stale" copy of the certificate file. Hmm, the web page neglects to mention that.

Once we got the "fresh" certificate file it installed properly.

One other thing about Go Daddy. They don't know anything about Kerio Connect so they tell you to select "Other" when picking a certificate download. When you do download, you'll get a zip file containing 2 .crt files. One is a single certificate file and the other has several certs in it.

It's not documented at Go Daddy but you have to merge these files into one, being careful not to add any spaces or carriage returns in the process. Once that's done, the resulting file is what you import.

I learned about the merging of the files from the Kerio tech who says quite a few Kerio users use Go Daddy.

I can hardly wait for renewal next year...

Hope this cautionary tale benefits someone else.
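Two of the stumbling blocks in this thread can be checked before touching the Kerio import dialog: that the signed certificate really belongs to the private key behind the request (the "key values mismatch" error above), and that the single server .crt and the gd_bundle file are merged into one clean PEM chain without stray spaces or carriage returns. The following Python is an added example, not code from this thread, from Kerio or from Go Daddy; `key_matches_cert` assumes the `openssl` command-line tool is installed, and the PEM bodies in the demo are constructed placeholders, not real certificates.

```python
import re
import subprocess

# One PEM certificate block; tolerant of CRLF and trailing spaces left by editors.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the base64 body of every certificate in text, with all
    whitespace (spaces, CR, stray line breaks) stripped out."""
    bodies = []
    for body in _PEM_BLOCK.findall(text):
        b64 = re.sub(r"\s+", "", body)
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
            raise ValueError("certificate body is not clean base64")
        bodies.append(b64)
    return bodies

def build_chain(server_crt, bundle_crt):
    """Merge the single server certificate and the CA bundle into the one
    file Kerio imports: leaf first, then the intermediates, LF line endings,
    64-column lines, no blank lines between blocks."""
    leaf = pem_blocks(server_crt)
    if len(leaf) != 1:
        raise ValueError("server .crt must contain exactly one certificate")
    chain = []
    for b64 in leaf + pem_blocks(bundle_crt):
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        chain.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return "".join(chain)

def key_matches_cert(cert_path, key_path):
    """True when the public key inside the certificate equals the public key
    derived from the private key: the check behind OpenSSL's
    'key values mismatch'. Uses the openssl CLI; RSA and EC keys both work."""
    def openssl(*args):
        return subprocess.run(["openssl", *args], check=True,
                              capture_output=True).stdout
    return (openssl("x509", "-noout", "-pubkey", "-in", cert_path)
            == openssl("pkey", "-pubout", "-in", key_path))

if __name__ == "__main__":
    # Constructed placeholder bodies (base64 of "LEAF" and "INT1"), not real certs.
    server = "-----BEGIN CERTIFICATE-----\r\nTEVBRg==  \r\n-----END CERTIFICATE-----\r\n"
    bundle = "-----BEGIN CERTIFICATE-----\nSU5UMQ==\n-----END CERTIFICATE-----\n"
    print(build_chain(server, bundle), end="")
```

Write the string returned by `build_chain` to a file and import that file with "Import signed certificate from CA"; run `key_matches_cert` against the exported request key only if you have it outside Kerio.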
Kerio/GFI Brian

Messages: 852
Karma: 90
Thanks BobH for sharing your results. I'm glad to hear you were able to get things sorted out, albeit with a bit of work. Generally it shouldn't be quite so difficult, but it sounds like Firefox caching was ultimately the culprit, although Godaddy could do a better job to prevent this problem. Traditionally Godaddy was a popular choice, but their certificates have become unreasonably expensive. I recommend Enom.com as they provide Comodo certs for just 14 dollars USD per year. Another option is to use a cloud-based reverse proxy like Cloudflare.com. In that case you never have to worry about renewing or re-installing a cert as they handle all of that, in addition to a plethora of other security and caching functionality.

Brian Carmichael
Instructional Content Architect
dallinga

Messages: 2
Karma: 1
I go through this every year, then promptly forget how I did it, so this year I documented the process plus iPhone setup for those who need it:

How to re-do the Go Daddy cert for Kerio

1. Log in to Kerio admin.
2. Create a new certificate request.
3. Save it.
4. Open the .csr file and copy the contents.
5. Launch the Go Daddy login and go to My Products.
6. Click Manage your certificate.
7. Rekey and manage.
8. Paste in the copied .csr details.
9. Save and save.
10. When the email comes back in, go to the link.
11. Download the zip.
12. Unzip.
13. Go into the Kerio admin SSL page.
14. Click Import certificate from CA.
15. Import the smaller (<long hex number>.crt) certificate with the cryptic name from the zip file.
16. A new active certificate will appear.
17. Make your new certificate default when your old one expires.

On iPhone, to install:

1. Email the larger (gd_bundle-g2-g1.crt) certificate to yourself and install it from the email (this will verify the Go Daddy certificates when you import from the server). This has a long validity date, so you only need to do this when you first start using Go Daddy certs, OK maybe again in 2031 or whenever...
2. Go to your Kerio webmail site and click Integrate with device.
3. On the Set up my phone page, choose the SSL certificate option, Allow, Install, enter passcode to install the certificate (providing you have gd_bundle-g2-g1.crt installed, it will verify).
4. Choose Mail, Contacts, Calendars to install your IMAP or ActiveSync profile, use secure connection, Allow, Install, enter passcode to install the profile for your Kerio email account.

-Gus Dalling
BobH

Messages: 59
Karma: 0
Renewing the certificate was something I put in my calendar and put out of my mind.

Thank you for the detailed procedure. Now it doesn't seem so daunting.

I will post an update after I go through it.
scottwilkins

Messages: 102
Karma: 7
We also get our certs from Go Daddy. I get one global cert for all our domain and everything under it. I've never run into this issue and never had to do any editing of a cert file before importing. Very strange, and I hope things haven't changed any since my last cert update.