Installing a certificate in IceWarp requires you to decide which type of certificate you want.
You can install a server SSL certificate to secure access to the server and its email communication, or an S/MIME certificate to digitally sign and encrypt your emails.
During IceWarp installation, the installer tries to generate two certificates by default: a self-signed certificate and a Let’s Encrypt certificate.
The Let’s Encrypt request will most likely fail at the ACME challenge and verification stage at this point, because the DNS records do not yet point to the IceWarp server.
With a self-signed certificate the whole communication is still encrypted, but browsers may warn that the certificate is not trusted, because the issuer is IceWarp itself rather than a trusted CA.
These are the possibilities to create/add certificates in the IceWarp admin console:
- Add Existing Certificate (use an already existing certificate) - if you decide to use your own certificate, make sure that it is merged correctly and follows the standard structure of certificates.
- Request Authority Certificate (generate a CSR and send it to a CA) - after generating the CSR, you send the request to the CA, wait for the signed certificate, and then bind it through the remote admin console. Binding sometimes fails. If that happens, first check whether the signed certificate is in *.pem format. If the logs still show something like "Load key and certificate: PEM_read_bio_PrivateKey failed", the merge was incorrect, or the CA also supplied intermediate or root certificates that must be included. Compare all parts against the structure for properly composing the certificate described below.
- Free Let's Encrypt Certificate (get a free Let’s Encrypt certificate) - a Let’s Encrypt certificate is trusted by all browsers and most applications, and it is free. What you need to know about Let’s Encrypt certificates:
  - Port 80 must be open and must not be forwarded (for example to 443), because the CA validates your host over port 80; if it is blocked, you will not get the certificate. The error is written to the Error log, and the failed attempt is also visible in the Remote Admin Console under System > Certificates.
  - The certificate is issued for 90 days and is renewed automatically two weeks before expiration. Again, make sure port 80 is not blocked and is allowed through the firewall/iptables.
  - You can generate an unlimited number of certificates.
  - Let’s Encrypt does not support wildcards in IceWarp.
  - The Let’s Encrypt certificate should be generated for the primary domain plus the AutoDiscover (SmartDiscover) host. iPhones always require a valid certificate for the domain, and because the setup is done through AutoDiscover, you need a valid certificate for that host as well. Example: your domain is icewarpdemo.com, so you generate Let’s Encrypt certificates for icewarpdemo.com and for autodiscover.icewarpdemo.com.
- Free Self-Signed Certificate (use a self-signed certificate) - please note that self-signed SSL certificates are risky because they carry no validation from a third-party authority, which is usually a trusted SSL certificate company. Developers and businesses try to save money by using or creating a free self-signed SSL certificate, but there are several threats and possible consequences of self-signed SSL certificates which you should know about.
EMAIL CERTIFICATES (S/MIME)
This is a standard for public key encryption and signing of MIME data. S/MIME provides data security, non-repudiation of origin and privacy cryptographic security services for electronic messaging.
The best way to obtain and install an S/MIME certificate in IceWarp WebClient is to use a public CA, for example Actalis.
What you need:
- Get a free S/MIME certificate from the CA by registering an account and entering your email address in the form
- You will receive a link by email to download the certificate
- Follow the instructions, create a passphrase and download your key (remember your passphrase)
- Now you need to bind the S/MIME certificate in two places in the WebClient:
  - First bind the public part: log in to WebClient > My Details > Certificates > Upload. Browse to your certificate, upload it and enter the passphrase.
  - Then install the private part: log in to WebClient > Options > Accounts > Private Certificates > Upload. Browse to your certificate, upload it and enter the passphrase.
Now your S/MIME certificate is installed and ready to use. In the MailCompose window, just click “Digitally sign the message” and “Encrypt the message”.
Note that all emails sent this way are encrypted, and nobody can read them from the file system. They can be read only with the correct private and public parts of the certificate.
There are a few ways to create a certificate, so let's look at them.
By automated creation we mean a Let’s Encrypt certificate or an existing certificate: you just bind it in the remote admin console and you are done. The certificate is ready for use. Just restart all services, and the Control module will load it.
If you created a CSR, you receive the signed certificate from the CA and simply bind the signed certificate and the intermediate certificate in the Console.
If you received your signed certificate but could not bind it normally through the remote admin console, you need to merge all parts manually.
Structure of certificates
2. Private key
3. Certificate Authority
Example from Comodo certificate creation
• example_com.key -- your Private key
• example_com.csr -- your CSR file
Wait until the CA sends you an email containing a zip file with the following attachments:
• Root CA Certificate - AddTrustExternalCARoot.crt
• Intermediate CA Certificate - COMODORSAAddTrustCA.crt
• Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
• Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)
Now combine the above certificate files into a bundle, your own certificate first, followed by the intermediate certificates and finally the root certificate:
cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.pem
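A quick way to catch the merge mistakes behind the "PEM_read_bio_PrivateKey failed" error before binding the bundle is to check its structure. The following checker is an added example, not IceWarp's own code: it parses the PEM blocks, flags END/BEGIN markers glued together by a missing trailing newline, invalid base64, a missing or duplicated private key and a key placed before the server certificate, and can re-emit the bundle with clean delimiters. The sample bundle is constructed with placeholder bodies; it checks layout and encoding only, not signatures.

```python
"""Structural check of a merged PEM bundle before binding it in IceWarp (constructed example)."""
import base64
import binascii
import re

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
FUSED_RE = re.compile(r"-----END [A-Z ]+-{10}BEGIN")  # END marker glued to the next BEGIN
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def parse_pem_blocks(text):
    """Return [(label, base64 body)] for every well-delimited block, in file order."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]

def check_bundle(text):
    """Return (block labels in order, problems); no problems means the layout looks right.
    Only layout and encoding are checked; signatures and chain validity need openssl verify."""
    blocks = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    problems = []
    if FUSED_RE.search(text):
        problems.append("fused END/BEGIN markers: a file had no trailing newline before cat")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label} block is not valid base64")
    n_keys = sum(label in KEY_TYPES for label in labels)
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if n_keys != 1:
        problems.append(f"expected exactly one private key, found {n_keys}")
    if labels and labels[0] != "CERTIFICATE":
        problems.append("the server certificate must be the first block")
    return labels, problems

def normalize_bundle(text):
    """Re-emit every block with LF line endings, 64-column base64 and its own trailing newline."""
    out = []
    for label, body in parse_pem_blocks(text):
        b64 = "".join(body.split())
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n")
    return "".join(out)

# Constructed sample: server cert glued to a CRLF intermediate, then the private key.
FAKE = base64.b64encode(b"constructed placeholder, not real DER").decode()
SAMPLE = (f"-----BEGIN CERTIFICATE-----\n{FAKE}\n-----END CERTIFICATE-----"
          f"-----BEGIN CERTIFICATE-----\r\n{FAKE}\r\n-----END CERTIFICATE-----\r\n"
          f"-----BEGIN PRIVATE KEY-----\n{FAKE}\n-----END PRIVATE KEY-----\n")
```

Run check_bundle on the real ssl-bundle.pem (plus the key) before binding; if it reports fused markers or CRLF issues, normalize_bundle produces a clean copy, but anything it reports as missing has to be fetched from the CA's zip, not invented.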