Prerequisites for this tutorial: a working Apache on the same box where HMS is installed. I'm running HMS and XAMPP on Windows 10. (Note: this prerequisite is not actually required, but it was the easiest way for me - explanation below).
1) Go to https://www.sslforfree.com/
The homepage has a text entry box for the domains you want to create certificates for. Please note that letsencrypt does not do wildcard certificates, so you will have to add all of your subdomains you want included in the certificate separated by a SPACE, per the instructions. i.e.:
domain.tld subdomain1.domain.tld subdomain2.domain.tld etc.domain.tld
2) Hit the "create free ssl certificate" button and it will load a section for domain verification. You have 3 options for domain verification:
* Automatic FTP verification - you set up and give sslforfree FTP credentials to log in. I did not try this. I assume you can create an unused folder for this. I didn't want to go through this process because a) it takes longer to set up and b) I suppose there is a minor security risk.
* Manual verification - you create a folder (in the case of xampp) c:\xampp\htdocs\domain.tld\.well-known\acme-challenge into which you place a file that sslforfree creates. They will then go to http://domain.tld/.well-known/acme-challenge/gibberishfilenamefromsslforfree to verify. I found this the easiest method because I could just drag and drop the files I downloaded.
* Manual DNS verification - you create a DNS TXT record they will verify against. This could take a couple of days to propagate, so it should really be a last resort method.
3) After verification, the keys are generated (supposedly) in your browser so the sslforfree server never even sees them. If this is true, it's a really awesome feature. In any case, when the keys are created, you have the option to download them in a zip file. I HIGHLY recommend you do this.
4) You need a place to put them. I suppose they can go anywhere (except your web root). Since my self-signed certificates were stored in apache/conf, I created a folder there and subfolders for the different domains I created certificates for.
C:\xampp\apache\conf\certs\domain1
There are 3 files in the zip file and it took a few tries to sort these out. If you're running apache, you need to update your virtual hosts to include the correct keys. Below you'll see that certificate.crt is the certificate file, private.key is the private key (duh...) and ca_bundle.crt is the certificate chain file. I don't know whether the chain file is necessary or not. I'm far from an expert on this. It's monkey see monkey do for me and this is the setup I found after searching around the interwebs and I can confirm it does work.
<VirtualHost *:80>
In HMS, I went to settings > advanced > SSL Certificates, clicked ADD, then added the domain name and location of the above certificates.
Name: domain1.tld
Certificate file: C:\xampp\apache\conf\certs\domain1\certificate.crt
Private key file: C:\xampp\apache\conf\certs\domain1\private.key
A couple of things to note. First of all, I have no idea whether HMS is properly set up via the certificates I'm using, so that part of the tutorial must end here. The reason is that I'm using horde activesync which uses port 443 and not any mail protocols. From there, horde connects to HMS locally, for which I do not need TLS (on the My Computer IP range). However, I can confirm that since my apache installation is correctly configured, activesync autodiscover works perfectly for automatic account setup. Before I had a working, valid certificate (using a self-signed certificate), activesync account setup had to be manual and the ONLY reason for that was because of the self-signed certificate.
Another thing to note when using the "manual verification" method in step 2 is to make sure your apache virtual hosts are properly set up. I had a couple of errors related to that and it took a minute to figure out there was a mistake in my apache setup. Another thing is I AM NOT SURE if you NEED to have a *:443 virtual host already set up with any certificate (even self-signed). Since I had mine already set up that way, it worked except for the error just referenced. I found that one virtual host on :443 resolved to the wrong DOMAIN NAME due to a rewrite rule in a .htaccess. So I can't say for sure whether sslforfree will look ONLY on *:80 for the verification file or whether it looks at *:443 when it exists or whether it REQUIRES *:443 to be already set up. Maybe it's best to just set up the *:443 virtual hosts in advance using any self-signed certificate. If nothing else, that will guarantee success.
5) Last step. sslforfree will ask you to create an account when you finish making the certificates. This is not necessary, but they will email you a week before the certificate expires. They will also have your certificate creation on file and you will be able to pull them up with the option to renew the certificate. I haven't yet tried that, but I imagine it's as simple as the creation.
Additionally, for redundancy's sake, I set up a repeating calendar entry that will remind me every 85 days to renew. Letsencrypt certificates are valid for only 90 days but you can renew anytime, even the next day after you create them. That just starts the 90-day clock again.
I hope this tutorial is helpful. I can say for sure that before I found sslforfree, certificate creation was incredibly frustrating and fruitless. They made it so easy that even I can do it and believe me, if I can do it, anyone can.
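An added example, not the author's own configuration, of Apache virtual hosts that use the three files from step 4 in the roles the tutorial gives them. ServerName, DocumentRoot and the HTTPS redirect are assumptions; the redirect skips the challenge path so that a rewrite rule cannot send the manual-verification request to a different host.

```apache
# Added example. domain1.tld and the DocumentRoot are placeholders that
# follow the tutorial's folder layout. Requires mod_ssl and mod_rewrite.

# Port 80: serve the verification files as-is, send everything else to HTTPS.
<VirtualHost *:80>
    ServerName domain1.tld
    DocumentRoot "C:/xampp/htdocs/domain1.tld"

    RewriteEngine On
    # Do not rewrite /.well-known/acme-challenge/ so the verification
    # file is answered by this host on port 80, unchanged.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: the three files from the zip, stored outside the web root.
<VirtualHost *:443>
    ServerName domain1.tld
    DocumentRoot "C:/xampp/htdocs/domain1.tld"

    SSLEngine on
    # certificate.crt: the certificate issued for this host name
    SSLCertificateFile      "C:/xampp/apache/conf/certs/domain1/certificate.crt"
    # private.key: keep readable only by the account Apache runs as
    SSLCertificateKeyFile   "C:/xampp/apache/conf/certs/domain1/private.key"
    # ca_bundle.crt: intermediate chain sent to clients. This directive is
    # deprecated since Apache 2.4.8, where the chain can instead be
    # appended to the file named in SSLCertificateFile.
    SSLCertificateChainFile "C:/xampp/apache/conf/certs/domain1/ca_bundle.crt"
</VirtualHost>
```

If a .htaccess file in the document root also redirects, the same RewriteCond exclusion belongs above its rule.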