Short index
1. Overall configuration
2. Create CSR for official certificate
3. Use a self-signed one with hMailServer
4. Testing
This is a manual for configuring and installing certificates, including a certificate chain, on hMailServer (5.4). Note that you need hMailServer 5.4 or higher to make use of a "chain" certificate.
Overall configuration:
Make sure you have OpenSSL installed; you can download it here.
After you have installed it, either set this in the Windows environment variables or run the following command in your administrator cmd every time you want to use openssl:
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
Create CSR for official certificate:
In the administrator cmd, go to the OpenSSL bin folder. In this example it is "c:\OpenSSL-Win32\bin".
openssl req -nodes -newkey rsa:2048 -keyout your_certificatedomain_com.key -out your_certificatedomain_com.csr
It will ask you for the following information.
Note that all of this information needs to match the WHOIS information for your domain. If it is incorrect, you may need to redo the request with the correct information.
Country Name (2 letter code) [GB]:<country code, example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department in the organization>
Common Name (eg, your name or your server's host-name) []:<your_domain_com> (this is the name the authority will issue the certificate for; if it needs to change later, you need a new certificate)
Email Address []:<your mail address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
Open your .csr in Notepad or Notepad++ (I recommend Notepad++ for editing these kinds of files) and submit its contents to your certificate authority.
Note: if it asks for a password, you can remove the password from the .key file with the following command:
openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key
Save the response you get in a .crt file.
The root certificate (the main certificate above the requested one) has to be saved in the CA folder.
This should be "<path_to_hmailserver>\hMailServer\Externals\CA".
Save the .PEM formatted CA root certificate somewhere you can open and rename it.
You need the hash value of the certificate, which you can get with the following openssl command:
openssl x509 -in "C:\path\to\ca.crt" -hash
Rename the file to <hashvalue>.0, like in this example:
ab1234c5.0
This should not be a .crt, .cer etc.; the extension must be .0! Note that the way OpenSSL computes this hash changed between 0.9.8 and 1.0.0, so compute it with the same OpenSSL version hMailServer uses.
If there is an intermediate certificate (a certificate between your certificate and the root certificate), you also need to add that certificate to the .crt file of your own certificate.
Open your .crt file in (preferably) Notepad++, also open the .crt file of the intermediate certificate and copy its contents. Paste it before the certificate in the .crt file you saved earlier.
It should look like this:
-----BEGIN CERTIFICATE-----
<lots of gibberish from the intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<even more gibberish the reply from the authority>
-----END CERTIFICATE-----
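As an added example (not from the original post), a small Python script that assembles the .crt in the order described above, intermediate first and then the authority's reply, and checks that nothing but certificate blocks ended up in it, in particular no private key. The sample PEM blocks are constructed and are not real certificates.

```python
import base64
import re

# One PEM block: label, base64 body; backreference keeps BEGIN/END labels paired.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, DER bytes) for every PEM block in the text."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]


def check_chain(text):
    """Sanity-check a combined .crt: only CERTIFICATE blocks, each decoding to a
    DER SEQUENCE, and no private key pasted in by accident. Returns problems."""
    problems = []
    blocks = pem_blocks(text)
    if not blocks:
        problems.append("no PEM blocks found")
    for label, der in blocks:
        if "PRIVATE KEY" in label:
            problems.append("private key found in certificate file")
        elif label != "CERTIFICATE":
            problems.append("unexpected block type: " + label)
        elif not der or der[0] != 0x30:
            problems.append("block does not decode to a DER SEQUENCE")
    return problems


def build_chain(intermediate_pem, reply_pem):
    """Concatenate intermediate first, then the authority's reply, as the guide
    describes, and refuse to produce anything that fails check_chain."""
    combined = intermediate_pem.strip() + "\n" + reply_pem.strip() + "\n"
    problems = check_chain(combined)
    if problems:
        raise ValueError("; ".join(problems))
    return combined


def _fake_pem(label, der):
    # Constructed sample input: a tiny DER SEQUENCE, not a real certificate.
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


INTERMEDIATE = _fake_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
REPLY = _fake_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
KEY = _fake_pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x03")
```

Feed build_chain the two real files' contents and write the returned text to the .crt you point hMailServer at.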
Configure this certificate in hMailServer and you have an official certificate.
Use a self-signed one with hMailServer:
In the administrator cmd, go to the OpenSSL bin folder. In this example it is "c:\OpenSSL-Win32\bin".
Use the following command to get a private key:
openssl genrsa -des3 -out your_certificatedomain_com.key 2048
It will ask for a password, which is required here. Make sure the key file has no password before you set it in hMailServer; you can remove it with the following command:
openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key
Then create the certificate request:
openssl req -new -key your_certificatedomain_com.key -out your_certificatedomain_com.csr
It will ask you for the following information:
Country Name (2 letter code) [GB]:<country code, example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department in the organization>
Common Name (eg, your name or your server's host-name) []:<your_domain_com> (this is the name the certificate will be issued for; if it needs to change later, you need a new certificate)
Email Address []:<your mail address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
The following command generates the self-signed certificate:
openssl x509 -req -days 365 -in your_certificatedomain_com.csr -signkey your_certificatedomain_com.key -out your_certificatedomain_com.crt
General note: do NOT store the .key file where someone can access it easily. Once the .key has been discovered by hackers, your certificate is compromised.
Testing:
With the following command you can test whether a certificate is running on the port you have set it for:
openssl s_client -connect your.maildomain.com:465
If the connection fails, you only get something like this:
Loading 'screen' into random state - done
connect: No error
connect:errno=0
Should you have any problems, don't be afraid to post.
With the certificate working, the output looks like this:
Loading 'screen' into random state - done
CONNECTED(00000138)
depth=0 description = <giberish> C = NL, ST = STATE, L = City,
O = Organisation, CN = your_domain_com, emailAddress = e-mailaddress
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/description=<giberish>/C=NL/ST=STATE/L=City/O=Organisation/CN=your_domain_com/emailAddress=mail_address
i:/C=IL/O=Athority/OU=Department/CN=Certificate authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<gibberish>
-----END CERTIFICATE-----
subject=/description=<gibberish>/C=NL/ST=STATE/L=City/O=Organization/CN=your_domain_com/emailAddress=mail_address
<only if this is a chain> issuer=/C=IL/O=Authority/OU=Department/CN=Certificate authority
---
No client certificate CA names sent
---
SSL handshake has read 2258 bytes and written 536 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: <gibberish>
Session-ID-ctx:
Master-Key: <gibberish>
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
<giberish>
Start Time: 1331110922
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
220 <your welcome message> Service ready
quit
221 goodbye
read:errno=0
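Added example, not from the original post: a parser for s_client output like the session above that reports which certificates were served and what the final verify return code means. SAMPLE is constructed after the session shown, and mail.example.com is a placeholder.

```python
import re

# Constructed sample modelled on the s_client session above (not real output).
SAMPLE = """CONNECTED(00000138)
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=NL/ST=STATE/L=City/O=Organisation/CN=your_domain_com
   i:/C=IL/O=Authority/OU=Department/CN=Certificate authority
---
Verify return code: 21 (unable to verify the first certificate)
---
220 mail.example.com Service ready
"""

def parse_s_client(output):
    """Pull the served chain (depth, subject, issuer), the final verify return
    code and the SMTP banner out of s_client's text output."""
    info = {"chain": [], "verify_code": None, "banner": None}
    for line in output.splitlines():
        m = re.match(r"\s*(\d+) s:(.*)", line)
        if m:
            info["chain"].append({"depth": int(m.group(1)), "subject": m.group(2).strip()})
            continue
        m = re.match(r"\s*i:(.*)", line)
        if m and info["chain"]:
            info["chain"][-1]["issuer"] = m.group(1).strip()
            continue
        m = re.match(r"Verify return code: (\d+)", line)
        if m:
            info["verify_code"] = int(m.group(1))
        elif line.startswith("220 "):
            info["banner"] = line
    return info

def verdict(info):
    """Turn the parsed fields into the answer an admin actually wants."""
    if not info["chain"]:
        return "no certificate chain in output: the connection or handshake failed"
    if info["verify_code"] == 0:
        return "chain verified by s_client"
    if info["verify_code"] == 21:
        # One certificate served and s_client has no issuer for it: the
        # intermediate is missing from the .crt, or the root was not given with -CAfile.
        return "only the server certificate was served and it could not be verified"
    if info["verify_code"] == 20:
        # A chain was served but its top certificate is not trusted; rerun with -CAfile <root>.
        return "%d certificates served, root not trusted by s_client" % len(info["chain"])
    return "verify return code %s" % info["verify_code"]
```

A return code of 0 only appears once s_client is given the root with -CAfile, so rerun the test that way before concluding the chain file is wrong.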