Installing SSL Certificate
related to this article: Certificate Management under IceWarp server
The following steps walk an IceWarp administrator through setting up a unique SSL certificate from a trusted Certification Authority, which will allow the server to use its SSL functions. Although these instructions use a free trial certificate as an example, they also work for paid certificates.
This tutorial uses the well-known Certificate Authority VeriSign, but most Certificate Authorities, such as Thawte and GeoTrust, also have free trial certificates. The only difference will be the ordering process. There is a list of the most well-known Certificate Authorities at the end of this article.
A free trial SSL certificate from VeriSign has a 14-day validity period. This should be plenty of time to evaluate its use on the IceWarp Server and to familiarize yourself with the broader issues of SSL certificates.
There are 4 steps to get a signed certificate and install it on the IceWarp Server:
Generating a CSR (Certificate Signing Request) and Private Key
Sending the CSR to the CA (Certificate Authority, VeriSign in this tutorial).
Merging the signed Certificate from the CA with the Private Key (generated in step 1).
Installing the merged certificate onto the IceWarp Server.
1) Generating CSR (Certificate Signing Request) and Private Key
Open the IceWarp Administration console and go to the Main Menu > System > Certificates > Server Certificates tab.
Press "Create Server Certificate" and complete all fields in the form.
Common name will be your mail server's hostname (in this case it will be mail.icewarpdemo.com).
Check the box "Certificate Signature Request"; otherwise the IceWarp Server will generate a self-signed certificate instead of the CSR.
Fill in the Private Key File with the path and file name where it will be stored (the suggested file name is private.pem).
Fill in the Public Key / CSR with the path and file name where it will be stored (the suggested file name is csr.pem).
Both files will be generated in the .pem file format.
2) Send the CSR to a CA (Certification Authority - VeriSign in this tutorial)
The CSR that was generated now gets sent to a Certificate Authority. The CA will check the request, digitally sign it with their certificate, and send it back. Because we are only requesting the Free Trial, the checking procedure is simple and the signed certificate will be sent back promptly. When you are buying a "real" certificate the checking procedure is more detailed, as domain ownership will need to be proven.
To follow this tutorial and use the free trial certificate, you can go to the VeriSign page and follow their wizard. (Or it is possible at this step to order a paid certificate and continue on when it has been returned.)
When requesting a certificate it will be necessary to use a real e-mail address, as the certificates will be sent to that contact information. When you are asked for your CSR you should copy and paste the content of the csr.pem file that was generated in step 1. This file can be opened with any text-based editor (such as Notepad).
Choose a challenge phrase (password) for the certificate. This challenge phrase is used when the certificate is to be renewed, revoked, or any changes are to be made to it.
Confirm the information provided and the signed certificate will be sent to the email address provided.
Save this certificate to a new .pem file. (signedprivatekey.pem for this demonstration)
3) Merging the Signed Certificate from Certificate Authority with your Private Key
The email message sent to you from email@example.com will contain information on what to do next. The VeriSign certificates will need to be installed into the server's browser.
Follow this link . Copy and paste the certificate into the file TrialRoot.crt.
For a Windows/IE browser, double-click the certificate to install it. For a Firefox browser, go to Tools, Options, Advanced, Encryption, View certificates, Import (drop-down menus in Firefox).
Once done, all certificates signed by VeriSign's Trial Certificate Authority will be considered trusted by the browser. (This step is not necessary when a non-trial certificate has been purchased.)
To merge the Private Key and the signed certificate from VeriSign into a destination file, a third .pem file will need to be created. This demo will use mycert.pem as the filename.
private key - private.pem
signed key - signedkey.pem
On the command line, run:
copy private.pem+signedkey.pem mycert.pem
mycert.pem is now the certificate file that can be imported into IceWarp. It contains both the private key and the certificate information from the CA.
Note: Some CAs (like Comodo) use an intermediate CA, which means one more certificate. In that case you need to join all three files (private key, signed public certificate and intermediate certificate) together:
copy private.pem+signedkey.pem+intermediate.pem mycert.pem
4) Installing the merged certificate in IceWarp
Once the mycert.pem file is created, it needs to be imported into the IceWarp Server.
Open the Administration GUI and go to Main Menu > System > Certificates > Server Certificates tab and click the "Add" button.
Insert the IP address that this certificate is intended for. This will be the IP address that the IceWarp users are directed to when they access this server.
Insert the fully qualified name of the certificate file (the full path to where the file is being stored; it is suggested that the certificate be stored in the \merak\config directory).
To apply the new certificate, a restart of the Web/Control service is necessary.
To test this new certificate, open up a browser and go to https://mail.domain_name.com:32001/webmail. Be sure to use https instead of http. The default SSL port is 32001.
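A check for the merged mycert.pem from step 3, worth running before the import in step 4 or when the test above fails. It is an added example, not part of the original article or of IceWarp. It looks for the usual concatenation faults: a Ctrl-Z (0x1A) byte that copy can append when joining files in its default text mode (copy /b avoids it), boundary lines glued together because a source file had no trailing newline, the CSR merged instead of the CA's signed reply, and a missing or misplaced private key. It assumes an unencrypted PEM key; the sample blocks are constructed placeholders.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def check_bundle(data: bytes) -> list:
    """Return the problems found in a merged key + certificate PEM file."""
    problems = []
    if b"\x1a" in data:  # Ctrl-Z end-of-file marker left by a text-mode copy
        problems.append("contains a Ctrl-Z (0x1A) byte")
    text = data.replace(b"\x1a", b"").decode("ascii", errors="replace")
    # A source file without a trailing newline glues two boundary lines together.
    if re.search(r"-----END [A-Z0-9 ]+----------BEGIN ", text):
        problems.append("END and BEGIN lines are joined on one line")
    labels = []
    for match in PEM_BLOCK.finditer(text):
        labels.append(match.group(1))
        try:
            base64.b64decode("".join(match.group(2).split()), validate=True)
        except ValueError:
            problems.append(f"{match.group(1)} block is not valid base64")
    keys = sum(label in KEY_LABELS for label in labels)
    if keys != 1:
        problems.append(f"expected exactly 1 private key, found {keys}")
    elif labels[0] not in KEY_LABELS:  # the article merges private.pem first
        problems.append("private key is not the first block")
    if "CERTIFICATE" not in labels:
        problems.append("no signed CERTIFICATE block found")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("contains the CSR; the CA's signed reply belongs here")
    return problems

def _pem(label: str, payload: bytes) -> str:
    # Constructed sample block: placeholder bytes, not a real key or certificate.
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

KEY = _pem("PRIVATE KEY", b"constructed-key-bytes" * 4)
CERT = _pem("CERTIFICATE", b"constructed-cert-bytes" * 4)
CSR = _pem("CERTIFICATE REQUEST", b"constructed-csr-bytes" * 4)
GOOD = (KEY + CERT).encode()
BAD = (KEY.rstrip("\n") + CERT).encode() + b"\x1a"  # no newline, plus Ctrl-Z

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD), ("csr", (KEY + CSR).encode())):
        print(name, check_bundle(blob) or "OK")
```

To check a real file, pass its bytes: check_bundle(open("mycert.pem", "rb").read()). An empty list means the structure is sound; it does not prove that the key and certificate belong together.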
List of CA - Certification Authorities:
Updated 05.08.2014, by Valentin