Certificate Management under IceWarp server
Posted by Milan Sykora, Last modified by Milan Sykora on 21 June 2016 12:59 AM
Certificate Management under IceWarp server
The most used word shipping today is: security. IceWarp server of course offers the highest standards in this area. This document covers the best practices about server certificates useable in that software however it doesn’t cover the client side certificates and encryption of messages. Asymmetric cryptography uses public and private key pair exchange to sign and/or encrypt data and it underlines the internet standards as SSL or its successor TLS. Certificates are usually issued by Certificate Authority (CA) but in default IceWarp server utilizes his own self-signed certificate for secure transfers as HTTPS, SMTPS and others. But you can of course your own.
In the Administration console you can find CA certificates Tab. Because IceWarp server doesn’t use Windows certificate store you can add the certificates you want to trust here.
How to install SSL certificate
The following steps will walk an Icewarp Administrator through the proper steps to set up a unique SSL certificate from a trusted Certification Authority, which will allow the server to utilize the SSL Functions. Although these instructions will use a Free Trial certificate as an example, they will also work for implementing paid certificates as well.
This part of tutorial uses the well known Certificate Authority VeriSign, but most Certificate Authorities, such as Thawte and GeoTrust, also have free trial certificates. The only difference will be the ordering process. A free Trial SSL Certificate from VeriSign has a 14 day validity period. This should be plenty of time to evaluate its use on the Icewarp Server, and to familiarize yourself with the broader issues of SSL certificates.
There are 4 steps to get a signed certificate and install it on the Icewarp Server:
Generating a CSR (Certificate Signing Request) and Private Key.
Sending the CSR to the CA (Certificate Authority, VeriSign in this tutorial).
Merge the signed Certificate from the CA with the Private Key.
Installing the merged certificate onto the Icewarp Server.
Open the Icewarp Administration console and go to the [System] [Certificates] "Server Certificates" tab.
Press "Create CSR / Server Certificate…" and complete all fields in the form.
The CSR that was generated now gets sent to a Certificate Authority. The CA will check the request, digitally sign it with their certificate, and send it back. Because we are only requesting the Free Trial the checking procedure is simple and the signed certificate will be send back promptly. When you are buying a "real" certificate the checking procedure is more detailed, as proof of domain ownership will need to be proven.
To follow this tutorial, and use the free trial certificate you can go to the VeriSign page and follow their wizard. (Or it is possible at this step to generate a paid certificate and continue on when it has been returned.)
When requesting a certificate it will be necessary to use a real e-mail address as the certificates will be sent to that contact information. When you are asked for your CSR you should cut and paste the content of the cert.csr file that was generated in step 1. This file can be opened with any text-based editor (such as notepad).
Confirm the information provided and the signed certificate will be sent to the email address provided.
Save this certificate to a new .pem file. (signedprivatekey.pem for this demonstration)
The email message sent to you from email@example.com will contain information on what to do next. The Verisign certificates will need to be installed into the servers browser.
For a Windows/IE browser double-click the certificate to install it. For a Firefox browser go to the Tools, Options, Advanced, Encryption, View certificates, Import. (Drop down menus in Firefox).
Once done all certificates signed by Verisign's Trial Certificate Authority will be considered as trusted by the browser. (This step is not necessary when a non-trial certificate has been purchased).
To merge the Private Key and signed certificate from Verisign into a destination file a third .pem file will need to be created. This demo will use mycert.pem as the filename.
On command line run - "copy private.pem+signedkey.pem mycert.pem"
Mycert.pem is now the certificate file that can be imported into Icewarp. It contains both the private key and the Certificate information from the CA.
Above: example of mycert.pem file.
Note1: You can of course merge your root certificate into the chain to propagate it to the clients. In that case run "copy private.pem+signedkey.pem+trialroot.crt mycert.pem"
Note2: Some CA (like Comodo) uses intermediate CA - an another certificate. In such case you need to join all these 3 (or more) certificates in the correct order - Private, Signed Public, Intermediate(s) and root (optionally) together - "copy private.pem +signedkey.pem+intermediate.pem+trialroot.crt mycert.pem"
Once the mycert.pem file is created it needs to be imported into the Icewarp Server. Open the Administration GUI and go to [System] [Certificates] Server Certificates tab and click the Add button.
Insert the IP address that this certificate is intended for. This will be the IP address that the Icewarp users are directed to when they access this server.
Insert the fully qualified name of the certificate file (full path to where the file is being stored. It is suggested that the certificate be stored in the \Icewarp\config directory).
To apply the new certificate a restart the Web/Control service is necessary.
To Test this new certificate open up a browser and go to https://mail.yourdomain.com/webmail. Be sure to use s https instead of http. The default SSL port is 443 or optionally 32001.
“I cannot connect to the https port but http works well after restart.”
This is probably caused by error in certificate chain. You can use OpenSSL tools to verify your certificate and private key. Download it from http://www.slproweb.com/products/Win32OpenSSL.html (Windows) or use your installer for Linux package.
Install it and run form commadline: “openssl s_client –connect remotehost:port” where remotehost is your IP address and port is SSL port of your web service (usually 443).
You will get the list of certificates sent from server like this:
C:\OpenSSL\bin>openssl s_client -connect icewarp.com:443 Loading 'screen' into random state - done CONNECTED(00000168) depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust Externa l CA Root verify error:num=19:self signed certificate in certificate chain verify return:0---Certificate chain 0 s:/C=US/postalCode=22150/ST=VA/L=Springfield/streetAddress=Suite 310/streetAd dress=6506 Loisdale Road/O=IceWarp, Inc./OU=Secure Link SSL Wildcard/CN=*.icewar p.com i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrus t.com/CN=UTN-USERFirst-Hardware 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrus t.com/CN=UTN-USERFirst-Hardware
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External C A Root 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External C A Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External C A Root---Server certificate
subject=/C=US/postalCode=22150/ST=VA/L=Springfield/streetAddress=Suite 310/stree tAddress=6506 Loisdale Road/O=IceWarp, Inc./OU=Secure Link SSL Wildcard/CN=*.ice warp.com issuer=/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authori ty Page 1
---No client certificate CA names sent---SSL handshake has read 4827 bytes and written 322 bytes---New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: Session-ID-ctx: Master-Key: F345AD3B859E5DF169B5EB8D4D048C172B07B2C63FE7893E47BA6A01D6F5448A 2278CC8363080F170C97AD0388FB38EA Key-Arg : None Start Time: 1287748791 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain)
If you are unsure if your public and private match you can use OpenSSL tools too. Just split your private key and certificate to separate files (let’s say private.key and public.pem) and run these commands:
“openssl rsa -noout -modulus -in private.key | openssl md5”
“openssl x509 -noout -modulus -in server.pem | openssl md5”
You shout get two numbers (md5 hash of modulus part exactly). If these numbers match you have almost 100% certainty that you have a correct pair.