Off-line validation


I am using an email server with integrated support for Let's Encrypt (IceWarp). I am currently in the process of a migration and want to get the certificates installed and configured before I do the final migration of users and data. The new server is in a DMZ environment and the current production email server is up and running. The question is, how can I validate the certs on my new server without taking the current production server offline? If I change any DNS entries or route those external IPs to the new environment, I will end up taking the production environment offline. Is there no other way to validate domain ownership?

Also: This email platform doesn't really give me easy access to the CSR. It does not use Certbot.

Can you migrate the entire certificate + private key perhaps?

If not, can the used ACME client do the dns-01 challenge?


Which ACME client does it use?


Rephrasing @Osiris' response: The easiest way is to just copy over the Certificates and Private Keys. A fallback option is to use DNS-01.

Having done many Email Service Provider migrations though, I want to offer this bit of advice:

Many people find it beneficial to create two new DNS entries for a given domain ( and before the switchover. This allows users to connect to both systems during the DNS propagation if needed, or allows the new server to pull mail off the old server. Even with a 0 TTL, there are often layers of DNS record caching that can serve the old domain for 24-72 hours.

Usually what I do is this:

  • Set up mail-old and mail-new mail domains and SSL certificates.
  • Copy mail certificate from the old system to the new one if recently renewed. Otherwise, renew on old then copy to new.
  • Copy over mail from old to new
  • Switch over DNS for mail from old to new.
  • Set up new server for renewal; disable old server's renewal.
  • Corporate: Have a cron script migrate mail for several days
  • Personal: Check old system for a few days
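A pre-cutover check for the "copy the certificate" step of that list, as an added shell example that is not part of this thread or of IceWarp: it confirms that a copied certificate and private key belong together, that the certificate has enough lifetime left to be worth copying rather than renewing, and that it lists every hostname the new server will answer for. File names and hostnames are placeholders; it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Hypothetical pre-cutover check (not from the thread or from IceWarp).
# Usage: check_cert_bundle CERT.pem KEY.pem MIN_DAYS HOST [HOST...]
# Returns 0 only when every check passes; prints the first failure to stderr.
check_cert_bundle() {
    cert=$1; key=$2; min_days=$3; shift 3

    # 1. The copied key must be the one the certificate was issued for:
    #    compare the public key embedded in the cert with the key's public half.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }

    # 2. Let's Encrypt certificates live 90 days; if fewer than MIN_DAYS remain,
    #    renew on the old server first, then copy (the thread's advice).
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days; renew before copying" >&2; return 1; }

    # 3. Every hostname the new server will serve must be a DNS SAN.
    #    Parse the SAN line from -text output (works on old and new openssl),
    #    one entry per line, so matching is exact rather than substring.
    sans=$(openssl x509 -in "$cert" -noout -text \
           | awk '/Subject Alternative Name/ { getline; print }' \
           | tr ',' '\n' | sed 's/^[[:space:]]*//')
    for host in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq "DNS:$host" \
            || { echo "certificate does not cover $host" >&2; return 1; }
    done
    return 0
}
```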

The ACME protocol does not utilize CSRs as traditionally used. With most ACME clients – and in most situations – you do not want to submit or extract a CSR.

