How to create a cert for CommuniGatePro email server

I'd like to create a Cert for CommuniGatePro email server.

My domain is: mail.atu1277.com

I ran this command:
openssl genrsa 4096 > atu1277.key

It produced this output:
atu1277.key

My web server is (include version):
I don't have a web server. I have an email server.
CommuniGatePro email server. ver. 5.4.2

The operating system my web server runs on is (include version):
Windows 7 Pro 32bit

My hosting provider, if applicable, is:
I am hosting this on my PC.

I can login to a root shell on my machine (yes or no, or I don't know):
I do have Administrator signon

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I am not using a control panel. It's on my LAN.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I'm not using Certbot. I don't think I can.

  1. I don't have a web server. I think it's required for Certbot.
  2. I don't know if there is a 32bit version of Certbot.

I'm trying to Create the config file to create the key.
File Name : extfile.conf

I have some questions. This may not be correct. This is what I have so far:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
# In prompt mode each "field = text" line is the prompt that openssl shows,
# and the matching "field_default" line is the value used when you press Enter.
countryName = USA
# countryName must be the ISO 3166 two-letter code; "USA" is rejected as too long
countryName_default = US
stateOrProvinceName = California
stateOrProvinceName_default = CA
localityName = Los Angeles
localityName_default = Los Angeles
organizationName = ATU1277
organizationName_default = ATU1277
organizationalUnitName = IT
organizationalUnitName_default = IT
commonName = ATU1277.com
commonName_max = 64
emailAddress = docfxit@atu1277.com

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = atu1277.com
DNS.2 = mail.atu1277.com

  1. Does anything look wrong? I haven't run this yet. I'm trying to figure out if it's correct.
  2. What does "commonName_max = 64" mean? I have no idea.
  3. What does "basicConstraints = CA:FALSE" mean? I have no idea.
  4. What does "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" mean? I have no idea.
  5. What does "subjectAltName = @alt_names" mean? Am I supposed to change it? To what?

After I create this key is there a way to automatically renew the key like Certbot does? Or Acme does?

Thank you,

1 Like
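The script below is an added example, not code from the post or from CommuniGate: it takes a corrected, non-interactive version of the config above, generates a key and CSR from it, and reads back what a CA would see, so the extension questions can be answered by inspection. basicConstraints CA:FALSE marks an end-entity certificate that may not sign other certificates; keyUsage lists the operations the key is allowed for (nonRepudiation is for signed documents, not TLS servers, and is left out here); subjectAltName is the list of hostnames clients actually match against, and it must include every name the mail server answers to; commonName_max = 64 only caps how many characters the commonName prompt accepts. It assumes openssl 1.1.1 or later on PATH; the output directory is chosen by the caller and the DN and DNS values are the ones from the post.

```shell
#!/bin/sh
# Added example: build a key and CSR from a corrected extfile.conf and
# inspect the resulting request. Requires openssl 1.1.1+ on PATH.

make_csr() {
  # $1 = directory to write req.conf, mail.key and mail.csr into
  dir=$1
  cat > "$dir/req.conf" <<'EOF'
[req]
# prompt = no means the DN values below are used as-is, no questions asked
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
C  = US
ST = California
L  = Los Angeles
O  = ATU1277
OU = IT
CN = mail.atu1277.com

[v3_req]
# CA:FALSE = end-entity certificate; it cannot be used to sign other certs
basicConstraints = CA:FALSE
# what the key may be used for: signing TLS handshakes and RSA key exchange
keyUsage = digitalSignature, keyEncipherment
# the names clients check; a CN that is not also in the SAN list is ignored
subjectAltName = @alt_names

[alt_names]
DNS.1 = atu1277.com
DNS.2 = mail.atu1277.com
EOF
  # 2048-bit RSA is the usual choice; 4096 works but is slower on old hardware
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/mail.key" >/dev/null 2>&1 || return 1
  openssl req -new -key "$dir/mail.key" -config "$dir/req.conf" \
    -out "$dir/mail.csr" >/dev/null 2>&1
}

# Print subject, SANs and requested extensions exactly as a CA will read them
inspect_csr() {
  openssl req -in "$1" -noout -text
}

# 0 when the CSR carries both SAN names, the expected extensions, and a
# signature that verifies with the public key embedded in the request
check_csr() {
  txt=$(inspect_csr "$1") || return 1
  echo "$txt" | grep -q 'DNS:atu1277.com'                     || return 1
  echo "$txt" | grep -q 'DNS:mail.atu1277.com'                || return 1
  echo "$txt" | grep -q 'CA:FALSE'                            || return 1
  echo "$txt" | grep -q 'Digital Signature, Key Encipherment' || return 1
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone use: sh thisfile.sh /tmp/csrdemo
if [ -n "${1:-}" ]; then
  make_csr "$1" && check_csr "$1/mail.csr" && inspect_csr "$1/mail.csr"
fi
```

The CSR is what a CA signs; the private key stays on the machine that generated it and is never sent anywhere. Note that a public CA will set the final keyUsage and basicConstraints itself; the requested values mainly document intent, whereas the SAN list is what the CA validates and copies into the certificate.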

I'm not familiar with that email server software, but if you're on Windows, you're probably best off using a Windows ACME client like Certify the Web or win-acme. Trying to use openssl commands and feed them to an ACME client is going to be the hardest and most convoluted way of accomplishing anything. These clients can get you a certificate and store it wherever your software is expecting to use it.

But of course, if your system doesn't get security updates anymore, then even once one has a certificate, one shouldn't expect anything using it to actually be "secure" in any meaningful sense.

4 Likes

Thank you for the reply.
I couldn't find a version of Certify the Web or win-acme 32bit.
And I think they need web servers.
Do you know if that's not true?

win-acme has x86 builds. Looks like the link on their site goes to their Github releases, where they look to have .x86.zip versions. I haven't used it myself, though, and I don't know if Windows 7 might not meet its minimum requirements in other ways.

If there's no web server on that hostname, but it has a public name and IP, then the ACME client should be able to spin up its own temporary web server (looks like win-acme calls it self-hosting) just for the purposes of getting a certificate.

4 Likes

I tried the link for the win-acme x86 builds.
When I downloaded it I found only one file in the download.
mscordbi.dll

It doesn't give any instructions on what to do with it.
Do you have any idea how to run it?

I suspect that you downloaded one of the support files, rather than the main application. But like I said I haven't used win-acme myself (and I haven't used Windows 7 in a long time), so beyond pointing you to the manual I personally probably can't help you much. It may be that other people here have more experience with your situation and might chime in.

4 Likes

I think you are facing a very steep battle.
There is likely very little ACME software to run on that platform.
Even if you find one, the ciphers and protocols available to Win7 are practically useless in 2024.

The "key" you are trying to make is only a "private key".
It can be used to create a CSR which, in turn, can be signed by a trusted CA and "turned into" a "public key".
Both keys are required to establish encrypted connections.
"private keys" are easily created by all ACME clients.
[I would not spend any more time trying to figure out something that is inconsequential]

To the main problem:
"How to create a cert for CommuniGatePro email server"
I would look for a guide that can walk you through a detailed step by step process to do so.
You should start that at their website: Unified Communications | Communigate Software Development And Licensing

4 Likes

Hi, win-acme and Certify The Web haven't supported 32 bit for several years and don't support Windows 7, or any OS that's no longer supported by the OS vendor.

If your service is important to you, you should (must? *) move your service to a newer OS. The last 32-bit [Server] CPU from Intel was in 2002 and the last 32-bit Server OS from Microsoft was 2008. If the service is not important you should decommission it to avoid security risks compromising the information which is presumably accessible through the service itself.

You do have the option of acquiring certificates using a different machine then regularly copying/deploying them to your service manually or using scripting.

[* Your organization may have a legal obligation to adequately maintain your IT assets for information security and integrity purposes and your public facing email server software is 13 years old]

4 Likes
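The suggestion above, obtaining the certificate on a different machine and then copying it to the mail server on a schedule, is safest with a check in front of the copy step, because a renewal that silently ships a mismatched key, an expired certificate or one without the mail hostname takes the service down just as surely as no renewal at all. The script below is an added example, not code from the thread, from win-acme or from CommuniGate: it confirms that the private key belongs to the certificate, that the certificate has at least a week of validity left, and that its SAN list covers the mail hostname, and only then copies the files with restrictive permissions. It assumes openssl 1.1.1 or later on PATH, PEM-encoded cert and key files such as win-acme's "PEM encoded files" store option writes, and a destination directory that you name; the hostname and the 7-day threshold are the example's own choices, and how CommuniGate itself loads the files is not covered here.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a certificate obtained on another
# machine, run before the PEM files are copied to the mail server.
# Requires openssl 1.1.1+ on PATH.

# 0 when the public key inside the certificate matches the private key file
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate will still be valid $2 days from now
cert_valid_for_days() {
  # -checkend takes seconds and exits 1 if the cert expires inside that window
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 when hostname $2 appears as a DNS entry in the certificate's SAN list
# (exact match only; wildcard names are deliberately not expanded here)
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|$)"
}

# Copy cert ($1) and key ($2) into directory $4 only if every check passes
# for hostname $3; the key is written with mode 0600 and never world-readable
deploy_cert() {
  cert=$1 key=$2 host=$3 dest=$4
  key_matches_cert "$cert" "$key"   || { echo "refusing: key does not match $cert" >&2; return 1; }
  cert_valid_for_days "$cert" 7     || { echo "refusing: $cert expires within 7 days" >&2; return 1; }
  cert_covers_host "$cert" "$host"  || { echo "refusing: $cert does not cover $host" >&2; return 1; }
  mkdir -p "$dest" || return 1
  ( umask 077 && cp "$cert" "$dest/cert.pem" && cp "$key" "$dest/key.pem" ) || return 1
  chmod 644 "$dest/cert.pem" && chmod 600 "$dest/key.pem"
}

# Stand-alone use: sh thisfile.sh cert.pem key.pem mail.example.com /path/to/dest
if [ $# -eq 4 ]; then
  deploy_cert "$1" "$2" "$3" "$4"
fi
```

Run it from the scheduled job that follows each renewal; a non-zero exit leaves the previously deployed files untouched, which is the behaviour you want when something upstream went wrong.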

Actually, I stand corrected, win-acme does have a 32-bit build but I don't know if it will work on Windows 7
https://github.com/win-acme/win-acme/releases/download/v2.2.8.1635/win-acme.v2.2.8.1635.x86.trimmed.zip

3 Likes

Getting a cert isn't the real problem here.
[an LE cert can be obtained/issued through manual processing]

The real problem here is being able to "secure" a system that is so far beyond EOL.
A TLS/SSL cert doesn't provide actual security - [even when done right] it can only provide encryption.
[and when done wrong (as might be the case with Win7), it will only give a false sense of security/encryption]

3 Likes

Because there isn't a web server I don't need to create the cert on the PC the email server is running on. I tried to create the cert on a 64bit Windows 10 PC.
This is what I did:


 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

 Please choose from the menu: m

 [INFO] Running in mode: Interactive, Advanced
 [VERB] Autofac: creating PluginFrontend<TargetPluginOptions> scope with parent wacs
 [VERB] Autofac: creating PluginFrontend<TargetPluginOptions> scope with parent wacs
 [VERB] Autofac: creating PluginFrontend<TargetPluginOptions> scope with parent wacs
 [WARN] Source plugin IIS not available: No supported version of IIS detected.

 Please specify how the list of domain names that will be included in the
 certificate should be determined. If you choose for one of the "all bindings"
 options, the list will automatically be updated for future renewals to
 reflect the bindings at that time.

 1: Read bindings from IIS
 2: Manual input
 3: CSR created by another program
 C: Abort

 How shall we determine the domain(s) to include in the certificate?: 2

 [VERB] No value provided for --host

Description:         A host name to get a certificate for. This may be a
                     comma-separated list.

 Host: mail.atu1277.com

 [VERB] Autofac: creating PluginBackend<ITargetPlugin> scope with parent wacs
 [INFO] Source generated using plugin Manual: mail.atu1277.com

 Friendly name '[Manual] mail.atu1277.com'. <Enter> to accept or type desired name: <Enter>

 [VERB] Autofac: creating Target scope with parent PluginBackend<ITargetPlugin>
 [VERB] Autofac: creating PluginFrontend<OrderPluginOptions> scope with parent target
 [VERB] No W3SVC detected
 [VERB] No FTPSVC detected
 [VERB] Autofac: creating PluginFrontend<OrderPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<OrderPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<OrderPluginOptions> scope with parent target

 By default your source identifiers are covered by a single certificate. But
 if you want to avoid the 100 domain limit, want to prevent information
 disclosure via the SAN list, and/or reduce the operational impact of a single
 validation failure, you may choose to convert one source into multiple
 certificates, using different strategies.

 1: Separate certificate for each domain (e.g. *.example.com)
 2: Separate certificate for each host (e.g. sub.example.com)
 3: Separate certificate for each IIS site
 4: Single certificate
 C: Abort

 Would you like to split this source into multiple certificates?: 4

 [VERB] Global validation option not found for mail.atu1277.com
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [DBUG] Adding local system default as DNS server
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<ValidationPluginOptions> scope with parent target

 The ACME server will need to verify that you are the owner of the domain
 names that you are requesting the certificate for. This happens both during
 initial setup *and* for every future renewal. There are two main methods of
 doing so: answering specific http requests (http-01) or create specific dns
 records (dns-01). For wildcard identifiers the latter is the only option.
 Various additional plugins are available from
 https://github.com/win-acme/win-acme/.

 1: [http] Save verification files on (network) path
 2: [http] Serve verification files from memory
 3: [http] Upload verification files via FTP(S)
 4: [http] Upload verification files via SSH-FTP
 5: [http] Upload verification files via WebDav
 6: [dns] Create verification records manually (auto-renew not possible)
 7: [dns] Create verification records on DigitalOcean
 8: [dns] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 9: [dns] Create verification records with your own script
 10: [tls-alpn] Answer TLS verification request from win-acme
 C: Abort

 How would you like prove ownership for the domain(s)?: 7

 [VERB] No value provided for --digitaloceanapitoken

Description:         The API token to authenticate against the DigitalOcean
                     API.

 1: Type/paste in console
 2: Search in vault

 Choose from the menu: 1

 digitaloceanapitoken: ****************

 Save to vault for future reuse? (y/n*) - yes

 Please provide a unique name to reference this secret: mail.atu1277.com

 [VERB] Autofac: creating PluginFrontend<CsrPluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<CsrPluginOptions> scope with parent target

 After ownership of the domain(s) has been proven, we will create a
 Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
 determines properties of the certificate like which (type of) key to use. If
 you are not sure what to pick here, RSA is the safe default.

 1: Elliptic Curve key
 2: RSA key
 C: Abort

 What kind of private key should be used for the certificate?: 2

 [VERB] Flag --ocsp-must-staple not present
 [VERB] Flag --reuse-privatekey not present
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target
 [VERB] Autofac: creating PluginFrontend<StorePluginOptions> scope with parent target

 When we have the certificate, you can store in one or more ways to make it
 accessible to your applications. The Windows Certificate Store is the default
 location for IIS (unless you are managing a cluster of them).

 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store (Local Computer)
 5: No (additional) store steps

 How would you like to store the certificate?: 2

 [VERB] No value provided for --pemfilespath

Description:         .pem files are exported to this folder.

 File path: "D:\Dnload\$WebSoftware\Letsencrypt acme\Cert"

 [EROR] Directory C:\Windows\system32\"D:\Dnload\$WebSoftware\Letsencrypt acme\Cert" does not exist
 [EROR] Invalid input: invalid path

Description:         .pem files are exported to this folder.

 File path: "\Dnload\$WebSoftware\Letsencrypt acme\Cert"

 [EROR] Directory C:\Windows\system32\"\Dnload\$WebSoftware\Letsencrypt acme\Cert" does not exist
 [EROR] Invalid input: invalid path

Description:         .pem files are exported to this folder.

 File path: Dnload\$WebSoftware\Letsencrypt acme\Cert

 [EROR] Directory C:\Windows\system32\Dnload\$WebSoftware\Letsencrypt acme\Cert does not exist
 [EROR] Invalid input: invalid path

Description:         .pem files are exported to this folder.

 File path:

My problem is it's forcing me to put the cert into a folder inside of C:\Windows\System32. All folders inside of there are protected. Is there a different option I can take to put the cert into a personal folder?

I must disagree: https://ark.intel.com/content/www/us/en/ark/products/79084/intel-quark-soc-x1000-16k-cache-400-mhz.html
Shows "Launch Date Q4'13"

3 Likes

Hi @Docfxit,

Then consider using the DNS-01 challenge.
Here is a list of DNS providers who easily integrate with Let's Encrypt DNS validation.

Edit: but it looks like you are already doing that.
So why keep stating the

is an issue?

3 Likes

Does your path have $ in it? I think it might be trying to evaluate that as an environment variable.

2 Likes

Too funny!
I read the "$" as the U.S. Dollar!
"Does your path have $money$ in it?"

2 Likes

:rofl: Let's hope everyone's path always has enough $ in it.

2 Likes