SSL Certificate

The principle behind secure services in Kerio MailServer is that all communication between the client and the server is encrypted to protect it from eavesdropping and to prevent misuse of the transmitted information. The SSL protocol used for this purpose first uses an asymmetric cipher to exchange a symmetric key.

The asymmetric cipher uses two keys: a public one for encrypting and a private one for decrypting. As their names suggest, the public (encrypting) key is available to anyone wishing to establish a connection with the server, whereas the private (decrypting) key is available only to the server and must remain secret. The client, however, also needs to be able to identify the server (to find out whether it is truly the server and not an impostor). For this purpose there is a certificate, which contains the server's public key, the server name, the expiration date and other details. To ensure its authenticity, the certificate must be certified and signed by a third party, a certification authority.

Communication between the client and server then follows this scheme: the client generates a symmetric key and encrypts it with the public server key (obtained from the server certificate). The server decrypts it with its private key (kept solely by the server). Thus the symmetric key is known only to the server and client.

Web browsers can display certificate information; Secure POP3 and Secure IMAP clients, by contrast, do not reveal such information.

When Kerio MailServer (version 6.0 and above) is run for the first time, it generates the self-signed certificate automatically. It is saved in the server.crt file in the sslcert folder where Kerio MailServer is installed. The second file in this directory, server.key, contains the server's private key.

If you attempt to access the Secure HTTP service immediately after installing Kerio MailServer, a security warning will be displayed with the following information (the exact wording depends on your browser, the name of the computer, etc.):


Figure 17. Security Alert
  • The certificate was not issued by an organization that you have chosen to trust (i.e. it is a self-signed certificate). This warning will not be displayed once you install the certificate (which you can do because you know the certificate's origin).

  • The certificate date is valid (a certificate is valid for a limited period, usually 1-2 years).

  • The name on the certificate does not correspond to the name of the server. A certificate is issued for a particular server name (e.g. mail.ourcompany.com), which you must also use in the client (this certificate has been issued for the fictitious name keriomail).

This implies that you need your own certificate!

You can obtain your own certificate, which verifies your server's identity, in two ways.

You can create your own self-signed certificate (i.e. you sign it yourself). This can be done in the Configuration/SSL Certificates section, where the current server certificate is displayed.


Figure 18. SSL Certificates
New...
Click on New to open a window where you can enter details about your server and your organization. The server.crt and server.key files will be created in the sslcert directory. The certificate you create will be original and will be issued to your company by your company (a self-signed certificate). This certificate ensures security for your clients, as it explicitly shows the identity of your server. The clients' web browsers will notify them that the certification authority is not trusted; however, since they know who created the certificate and for what purpose, they can install it. Secure communication is then ensured for them and no warning will be displayed again, because your certificate has everything it needs.

If you wish to obtain a full certificate, you must contact a public certification authority (e.g. Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.). The certification process is quite complex and requires a certain expertise. Kerio MailServer lets you create a certificate request that can be exported, and the resulting file can be delivered to a certification authority.

Attention: A new certificate will be used the next time Kerio MailServer Engine is started. If you wish to use it immediately, stop the Engine and then start it again.

The New button can be used to create a new certificate (the New certificate option) or to request a new certificate (the New certificate request option). You will be asked to fill in the entries of the Generate Certificate dialog. The Hostname and Country entries are required fields.

Figure 19. Certificate Creation
Hostname
Name of the host on which Kerio MailServer is running.
Organization Name
Name of your organization.
Organization Unit
Used only if the organization consists of more than one unit.
City
City where the organization's office is located.
State or Province
State or province where your organization has its office(s).
Country
This entry is required.
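As an added example that is not part of the Kerio documentation, the openssl commands below build the same kind of self-signed server.crt and server.key pair (and a certificate request for a public CA) that the Generate Certificate dialog produces, using its field names, and then run the three checks behind the security alert in Figure 17: trusted issuer, valid date, matching name. The hostnames, organization and temporary paths are constructed.

```shell
#!/bin/sh
# Added example, not from the Kerio MailServer documentation. It reproduces with the
# openssl CLI what the Generate Certificate dialog does (a self-signed server.crt and
# server.key, or a request for a public CA) and applies the three checks behind the
# browser security alert. Hostnames, organization and paths are constructed.
set -e
WORK=$(mktemp -d)
# Dialog fields Organization Name, Organization Unit, City, State or Province, Country.
SUBJ_TAIL="/O=Our Company Ltd/OU=Mail Team/L=Prague/ST=Prague/C=CZ"

# Self-signed certificate; the Hostname field ($1) becomes the CN, $2 = days valid.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1$SUBJ_TAIL" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Certificate request (what Export... hands to a certification authority): same
# fields, but without -x509 the result is a CSR for the CA to sign.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1$SUBJ_TAIL" \
        -keyout "$WORK/$1.req.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Check 1: is the issuer trusted? $2 is the client's trust store; a self-signed
# certificate passes only after the client has installed it there.
issuer_trusted() { openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; }

# Check 2: is the date valid? Fails if the certificate expires within $2 seconds.
date_valid() { openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null; }

# Check 3: does the name match? The CN must equal the hostname the client uses.
name_matches() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

report() {  # $1 = certificate, $2 = trust store, $3 = hostname the client connects to
    printf '%s: issuer %s, date %s, name %s\n' "$(basename "$1")" \
        "$(issuer_trusted "$1" "$2" && echo trusted || echo UNTRUSTED)" \
        "$(date_valid "$1" && echo valid || echo EXPIRED)" \
        "$(name_matches "$1" "$3" && echo matches || echo MISMATCH)"
}

demo() {
    make_self_signed keriomail 365             # what a fresh install generates
    make_self_signed mail.ourcompany.com 365   # certificate for the real server name
    make_request mail.ourcompany.com           # request to send to a public CA
    STORE="$WORK/mail.ourcompany.com.crt"      # the client installed the company certificate
    report "$WORK/keriomail.crt" "$STORE" mail.ourcompany.com           # all three warnings
    report "$WORK/mail.ourcompany.com.crt" "$STORE" mail.ourcompany.com # no warnings
}
demo
```

The first report line shows the three conditions from Figure 17 for the factory certificate; the second shows them all cleared once a certificate for the real server name is installed on the client.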
View Certificate
Select a certificate and click the View Certificate button to see details about the selection.

Figure 20. Certificate Details
Import...
Use this button to import a new certificate, whether or not it has been certified by a certification authority.
Export...
Use this button to export a certificate request or a private key. You can then send the exported request to a certification authority.
Remove
Use this button to remove the selected item (a certificate or a certificate request).
Set as active
Use this button to set the selected certificate as active.
