16.1  Kerio Connect certificate

To see how these principles work in practice, look at Secure HTTP. Web browsers can display certificate information, unlike other services, where such information is not shown.

When Kerio Connect is run for the first time, it automatically generates a self-signed certificate. It is saved in the server.crt file in the sslcert folder where Kerio Connect is installed. The second file in this directory, server.key, contains the server's private key.

If you attempt to access the Secure HTTP service immediately after installing Kerio Connect, a security warning will be displayed with the following information (depending on your browser, name of the computer, etc.):

Now there are two options. One is to keep the self-signed certificate generated during the mail server's installation; the other is to get a certificate authorized by a certification authority. It should be possible to install both types of certificates on client stations. In both cases, the certificate must be maintained in the Configuration → SSL certificates section of Kerio Connect (see figure 16.1 SSL Certificates).


Figure 16.1. SSL Certificates


In SSL certificates, it is possible to create certificates, generate certificate requests for certification authorities, and export certificates. Here is an overview of all options:

New...

Click on New to specify information about your server and your company. When confirmed, the server.crt and server.key files are created under sslcert.

The certificate you create will be original and will be issued to your company by your company (self-signed certificate). This certificate ensures security for your clients as it explicitly shows the identity of your server. Web browsers will notify the clients that the certification authority is not trusted. However, since they know who created the certificate and for what purpose, they can install it. Secure communication is then ensured for them and no warning will be displayed again because your certificate has all it needs.

If you wish to obtain a full certificate, you must contact a public certification authority (e.g. Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). The process of certification is quite complex and requires a certain expertise. Kerio Connect can generate a certification request that can be exported to a file and delivered to a certification authority.

Attention! A new certificate will be used the next time Kerio Connect Engine is started. If you wish to use it immediately, stop the Engine and then start it again.

The New button can be used to create a new certificate (the New certificate option) or to request a new certificate (New certificate request). You will be asked to specify entries in the Generate Certificate dialog. The Hostname and Country entries are required fields.


Figure 16.2. Certificate Creation


  • Organization Name — name of your organization.

  • Hostname — name of the host on which Kerio Connect is running.

  • Organization Unit — will be used only if the organization consists of more than one unit.

  • City — city where the organization's office is located.

  • State or Province — state or province where your organization has its office(s).

  • Country — this entry is required.

  • Valid for — select the period for which the certificate will be valid.

Show Details

Select a certificate and click on the Show details button to get details about the selection.

Import

Use this button to import a certificate, regardless of whether it is new or certified by a certification authority.

Export...

Use this button to export an active certificate, a certification request or a private key. Using this option you can send an exported certificate request to a certification authority.

Remove

Using this button you can remove a selection (a certificate or a certification request).

Set as active

Use this button to set the selected certificate as active.

Intermediate certificates

Kerio Connect allows authentication by so-called intermediate certificates. For authentication by these certificates to work, add the certificates to Kerio Connect by using any of the following methods:

Locally

Add the intermediate certificate file to the /sslca directory and copy the server's certificate with the private key to the /sslcert directory. Both directories can be found in the directory where Kerio Connect is installed.

Remotely

Certificates can be imported via the administration interface.

  1. Open the server's certificate and the intermediate certificate in any text editor.

  2. In the intermediate certificate, select the certificate's string and copy it into the server certificate file, directly after the string of the server certificate. The certificate file should then be as follows:

    -----BEGIN CERTIFICATE-----
    MIIDOjCCAqOgAwIBAgIDPmR/MA0GCSqGSIb3DQEBBAUAMFMxCzAJBgNVBAYTAl
    MSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMR0wGwYDVQ
         ..... this is a server SSL certificate ...
    ukrkDt4cgQxE6JSEprDiP+nShuh9uk4aUCKMg/g3VgEMulkROzFl6zinDg5grz
    QspOQTEYoqrc3H4Bwt8=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDMzCCApygAwIBAgIEMAAAATANBgkqhkiG9w0BAQUFADCBxDELMAkGA1UEBh
    WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR
         ..... this is an intermediate SSL certificate which 
               signed the server certificate...
    5BjLqgQRk82bFi1uoG9bNm+E6o3tiUEDywrgrVX60CjbW1+y0CdMaq7dlpszRB
    t14EmBxKYw==
    -----END CERTIFICATE-----
    

    Note

    If you have multiple intermediate certificates of such kind, add them one by one to the server certificate file.

  3. Save the certificate.

  4. In the administration interface, open the SSL Certificates section.

  5. Import the server's certificate by using the Import → Import new certificate option.
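
Before the import in step 5, the merged file can be checked from a shell. The following is an added example, not part of the Kerio documentation: it uses the OpenSSL command-line tool to confirm that each certificate in the file is directly followed by its issuer (server certificate first) and that the private key belongs to the server certificate. The function names and demo file names are assumptions, and the throwaway chain is constructed sample data.

```sh
# Added example. Function names and file names are illustrative assumptions.

# Split a PEM bundle into $2/cert-1.pem, cert-2.pem, ... and print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# Succeed only if every certificate is directly followed by its issuer.
# Compares issuer/subject names only; it does not verify signatures.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp"); rc=0; i=1
    [ "$count" -ge 1 ] || rc=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/cert-$i.pem")
        next=$(openssl x509 -noout -subject_hash -in "$tmp/cert-$((i + 1)).pem")
        if [ -z "$issuer" ] || [ "$issuer" != "$next" ]; then
            echo "certificate $i is not followed by its issuer" >&2; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"; return "$rc"
}

# Succeed only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -pubkey -noout -in "$1") || return 2
    key_pub=$(openssl pkey -pubout -in "$2") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample data: a throwaway CA standing in for the intermediate.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate CA" \
        -keyout "$1/ca.key" -out "$1/intermediate.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 1 -CA "$1/intermediate.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_chain "$demo"
cat "$demo/server.crt" "$demo/intermediate.crt" > "$demo/bundle.crt"  # server first
check_chain_order "$demo/bundle.crt" &&
    key_matches_cert "$demo/server.crt" "$demo/server.key" && echo "ready to import"
```

To check a real file, call check_chain_order on the merged certificate file and key_matches_cert on that file together with server.key instead of the demo paths.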