Mail Server Certificate Creation

Hi, I have my mail server, Kerio Connect. This generates its own certificate and/or I know how to create one with XCA or Microsoft.
I gained the impression Let’s Encrypt “talks” about Web sites…I do not need that, as such.
I need to create the Certificate to:

  1. Import it to Kerio Connect
  2. Use it when accessing the Web mail interface.
    The domain has SPF and DMARC records but the certificate is self signed.

Where can I find the proper instructions for creating and importing this certificate? I repeat, it is not for a web server as such.

1 Like

The Kerio Connect webmail interface is just a web server like any other. From a high level, the approach to issue and install a certificate is the same as for a standard web server.

The problem you face is that it’s a relatively uncommon task (compared to securing Apache httpd, for example), so you won’t find a documented or turnkey solution as easily. Especially not for Windows. It does not help that the vendor does not offer a first-party solution either.

I came across what look like useful posts in this thread, in particular from user “LEWA”: https://forums.gfi.com/index.php?t=rview&th=31636 . They seem to cover the needed steps:

  • Running an ACME/Let’s Encrypt client to acquire the certificate
  • Installation of the certificate to Kerio Connect
  • Automated renewal of the certificate and restart of the Kerio Connect server after every renewal

Another post, albeit in Russian, proposes another automated approach here: https://automatize-it.blogspot.com/2018/05/kerio-mail-server-connect-windows-letsencrypt-auto.html . It also seems to cover the required steps. Perhaps you can make use of it via some translation website.

2 Likes

Thanks, I run Kerio in Windows Server 2016 Datacentre, so I will have to find a way to create the cert and then import.
Nothing runs in Linux at my place.

1 Like

What I am trying to do is to create the cert like XCA does and then push it in to Kerio.
All is GUI, being Windows…

1 Like

Both of the posts I tried to draw your attention to are for Windows environments. I’ll cross-post the example from the Russian blog:

REM Web root served by the temporary web server for the HTTP-01 challenge
SET WWWDIR=C:\www
REM Kerio must be stopped so that port 80 is free for the challenge responder
net stop "Kerio Connect"
start miniweb -port 80 -root %WWWDIR%

REM Issue (or renew) the certificate; le64 writes the challenge file under the ACME path
le64 --key ltsncrpt_acc.key --email "our@email" --csr out_server.csr --csr-key our_server.key --crt our_server.crt --domains "our-domain.ru" --generate-missing --unlink --path C:\www\.well-known\acme-challenge

REM Back up the current Kerio key pair (left commented out in the original post)
REM rename "C:\Program Files (x86)\Kerio\MailServer\sslcert\server.crt" server.crt_old
REM rename "C:\Program Files (x86)\Kerio\MailServer\sslcert\server.key" server.key_old

REM Install the new key pair into Kerio's sslcert directory (left commented out in the original post)
REM copy our_server.key "C:\Program Files (x86)\Kerio\MailServer\sslcert\server.key"
REM copy our_server.crt "C:\Program Files (x86)\Kerio\MailServer\sslcert\server.crt"

REM Tear down the temporary web server and bring Kerio back up with the new certificate
taskkill /IM "miniweb*" /F
net start "Kerio Connect"

If we step through it, we can understand what it does:

  • Stop the Kerio Connect server
  • Temporarily start a webserver on port 80 for the purposes of fulfilling the Let’s Encrypt HTTP challenge.
  • Run the “le64.exe” ACME client to actually issue the certificate, using the temporary webserver to provide a challenge response for Let’s Encrypt’s validation.
  • Copy the certificate to the Kerio Connect installation directory
  • Stop the temporary webserver
  • Start Kerio Connect again.

You would set this batch script up as a scheduled task for every 60 days or so.

Then all you need to do is configure Kerio Connect to use the certificate and private key at the nominated paths. Every time the certificate is renewed, Kerio gets restarted, and the new certificate is used.

I can’t vouch for the script - you’ll probably need to tune the parameters a little, and the certificate file copying seems to be commented out - but it appears to perform the steps needed, in any case, in quite a compact and straightforward way.

1 Like

Thanks, I will look into this. I do not like to open port 80 on my Fortigate. Only 443 is open at this stage. I have a fortress and not inclined to open more.
Cheers

1 Like

That shouldn’t be a problem. You can substitute le64 for lego and do something like:

lego.exe --accept-tos -m 'admin@example.com' --tls -d "example.org" run

which will instead create a temporary challenge response server on port 443.

This means you can get rid of the “miniweb” part of the script, but you’ll also need to copy the certificate and private key from a different path (/.lego) to the Kerio directory.

1 Like
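Putting the lego approach above together with the copy-and-restart steps of the batch script, here is an added example (not from this thread, nor from Kerio or lego) of a PowerShell script suitable for a scheduled task. The domain, e-mail address and C:\lego path are placeholders; the service name and the sslcert directory are the ones quoted earlier in the thread. It assumes lego.exe is on the PATH and that Kerio, which itself listens on 443, is stopped while lego's TLS-ALPN responder needs that port.

```powershell
# Added example: issue/renew with lego over port 443, then install into Kerio Connect.
# Placeholders (assumptions): $Domain, $Email, $LegoDir. Service name and sslcert
# path are the ones quoted in the thread.
$Domain   = 'example.org'
$Email    = 'admin@example.com'
$LegoDir  = 'C:\lego'   # lego's --path; files land in $LegoDir\certificates
$KerioDir = 'C:\Program Files (x86)\Kerio\MailServer\sslcert'
$Service  = 'Kerio Connect'

$ErrorActionPreference = 'Stop'
$legoCrt = Join-Path $LegoDir "certificates\$Domain.crt"
$legoKey = Join-Path $LegoDir "certificates\$Domain.key"

# Kerio's webmail already owns port 443, so it must be down while lego's
# temporary TLS-ALPN challenge responder binds that port.
Stop-Service -Name $Service
try {
    # First run uses "run"; later runs use "renew", which only re-issues
    # when fewer than --days of validity remain.
    if (Test-Path $legoCrt) {
        & lego.exe --accept-tos -m $Email --tls -d $Domain --path $LegoDir renew --days 30
    } else {
        & lego.exe --accept-tos -m $Email --tls -d $Domain --path $LegoDir run
    }
    if ($LASTEXITCODE -ne 0) { throw "lego failed with exit code $LASTEXITCODE" }

    # Keep the previous key pair so the old certificate can be restored
    # if Kerio rejects the new one.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($name in 'server.crt', 'server.key') {
        $dest = Join-Path $KerioDir $name
        if (Test-Path $dest) { Copy-Item $dest "$dest.$stamp.bak" }
    }
    Copy-Item $legoCrt (Join-Path $KerioDir 'server.crt')
    Copy-Item $legoKey (Join-Path $KerioDir 'server.key')

    # Log what was installed (subject and expiry) before the service comes back.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $KerioDir 'server.crt')
    Write-Host "Installed $($cert.Subject), valid until $($cert.NotAfter)"
}
finally {
    # Always bring mail back up; if issuance failed, the old certificate is still in place.
    Start-Service -Name $Service
}
```

Schedule it daily rather than every 60 days: "renew --days 30" makes the runs before the renewal window a no-op apart from the brief service restart, and a failed attempt then has weeks of retries before expiry.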
