Knowledgebase:
Certificate Management under IceWarp server
Posted by Milan Sykora, Last modified by Milan Sykora on 21 June 2016 12:59 AM


The most used word in the industry today is: security. IceWarp server of course offers the highest standards in this area. This document covers the best practices for server certificates usable in that software; it does not cover client-side certificates or the encryption of messages. Asymmetric cryptography uses a public/private key pair to sign and/or encrypt data, and it underpins internet standards such as SSL and its successor TLS. Certificates are usually issued by a Certificate Authority (CA), but by default IceWarp server uses its own self-signed certificate for secure transfers such as HTTPS, SMTPS and others. You can of course use your own.

CA Certificates

SSL Certificates


In the Administration console you can find the CA Certificates tab. Because IceWarp server doesn't use the Windows certificate store, you add the certificates you want to trust here.

How to install SSL certificate


The following steps walk an Icewarp Administrator through the proper procedure for setting up a unique SSL certificate from a trusted Certification Authority, which allows the server to use its SSL functions. Although these instructions use a Free Trial certificate as an example, they work just as well for paid certificates.

This part of the tutorial uses the well-known Certificate Authority VeriSign, but most Certificate Authorities, such as Thawte and GeoTrust, also offer free trial certificates. The only difference will be the ordering process. A free Trial SSL Certificate from VeriSign has a 14 day validity period. This should be plenty of time to evaluate its use on the Icewarp Server and to familiarize yourself with the broader issues of SSL certificates.

There are 4 steps to get a signed certificate and install it on the Icewarp Server:

  1. Generating a CSR (Certificate Signing Request) and a Private Key.

  2. Sending the CSR to the CA (Certificate Authority, VeriSign in this tutorial).

  3. Merging the signed certificate from the CA with the Private Key.

  4. Installing the merged certificate onto the Icewarp Server.

  1. Generating the CSR (Certificate Signing Request) and Private Key.

Open the Icewarp Administration console and go to the [System] [Certificates] "Server Certificates" tab.

Press "Create CSR / Server Certificate…" and complete all fields in the form.

  • Common name will be your mail server's hostname. (In this case it will be mail.icewarpdemo.com.)

  • Check the box "Certificate Signature Request (CSR)" - otherwise the Icewarp Server will generate a self-signed certificate instead of the CSR.

  • Press OK and choose the destination for your certificate request file.

  2. Sending the CSR to a CA (Certification Authority - VeriSign in this tutorial)

The CSR that was generated now gets sent to a Certificate Authority. The CA will check the request, digitally sign it with their certificate, and send it back. Because we are only requesting the Free Trial, the checking procedure is simple and the signed certificate will be sent back promptly. When you are buying a "real" certificate the checking procedure is more detailed, since domain ownership will need to be proven.

To follow this tutorial, and use the free trial certificate you can go to the VeriSign page and follow their wizard. (Or it is possible at this step to generate a paid certificate and continue on when it has been returned.)

When requesting a certificate it will be necessary to use a real e-mail address as the certificates will be sent to that contact information. When you are asked for your CSR you should cut and paste the content of the cert.csr file that was generated in step 1. This file can be opened with any text-based editor (such as notepad).

Confirm the information provided and the signed certificate will be sent to the email address provided.

Save this certificate to a new .pem file. (signedprivatekey.pem for this demonstration)

  3. Merging the Signed Certificate from the Certificate Authority with your Private Key

The email message sent to you from support@verisign.com will contain information on what to do next. The Verisign certificates will need to be installed into the server's browser.
Follow this link. Copy and paste the certificate into the file trialroot.crt.

For a Windows/IE browser double-click the certificate to install it. For a Firefox browser go to the Tools, Options, Advanced, Encryption, View certificates, Import. (Drop down menus in Firefox).

Once done all certificates signed by Verisign's Trial Certificate Authority will be considered as trusted by the browser. (This step is not necessary when a non-trial certificate has been purchased).

To merge the Private Key and signed certificate from Verisign into a destination file a third .pem file will need to be created. This demo will use mycert.pem as the filename.

  • private key - private.pem

  • signed key - signedkey.pem

On command line run - "copy private.pem+signedkey.pem mycert.pem"

Mycert.pem is now the certificate file that can be imported into Icewarp. It contains both the private key and the Certificate information from the CA.

Above: example of mycert.pem file.

Note1: You can of course merge your root certificate into the chain to propagate it to the clients. In that case run "copy private.pem+signedkey.pem+trialroot.crt mycert.pem"

Note2: Some CAs (like Comodo) use an intermediate CA, that is, another certificate. In such a case you need to join all 3 (or more) certificates in the correct order: Private, Signed Public, Intermediate(s) and root (optional) - "copy private.pem+signedkey.pem+intermediate.pem+trialroot.crt mycert.pem"

  4. Installing the merged certificate in Icewarp

Once the mycert.pem file is created it needs to be imported into the Icewarp Server. Open the Administration GUI and go to [System] [Certificates] Server Certificates tab and click the Add button.


Insert the IP address that this certificate is intended for. This will be the IP address that the Icewarp users are directed to when they access this server.

Insert the fully qualified name of the certificate file (full path to where the file is being stored. It is suggested that the certificate be stored in the \Icewarp\config directory).

To apply the new certificate, a restart of the Web/Control service is necessary.

To test this new certificate, open a browser and go to https://mail.yourdomain.com/webmail. Be sure to use https instead of http. The default SSL port is 443 or optionally 32001.

  5. Troubleshooting and tips.

"I cannot connect to the https port but http works well after restart."

This is probably caused by an error in the certificate chain. You can use the OpenSSL tools to verify your certificate and private key. Download them from http://www.slproweb.com/products/Win32OpenSSL.html (Windows) or use your Linux distribution's package manager.

Install it and run from the command line: "openssl s_client -connect remotehost:port", where remotehost is your IP address and port is the SSL port of your web service (usually 443).

You will get the list of certificates sent by the server, like this:

C:\OpenSSL\bin>openssl s_client -connect icewarp.com:443
Loading 'screen' into random state - done
CONNECTED(00000168)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/postalCode=22150/ST=VA/L=Springfield/streetAddress=Suite 310/streetAddress=6506 Loisdale Road/O=IceWarp, Inc./OU=Secure Link SSL Wildcard/CN=*.icewarp.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

subject=/C=US/postalCode=22150/ST=VA/L=Springfield/streetAddress=Suite 310/streetAddress=6506 Loisdale Road/O=IceWarp, Inc./OU=Secure Link SSL Wildcard/CN=*.icewarp.com
issuer=/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 4827 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: F345AD3B859E5DF169B5EB8D4D048C172B07B2C63FE7893E47BA6A01D6F5448A2278CC8363080F170C97AD0388FB38EA
    Key-Arg   : None
    Start Time: 1287748791
    Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

If you are unsure whether your public and private keys match, you can use the OpenSSL tools too. Just split your private key and certificate into separate files (let's say private.key and public.pem) and run these commands:

openssl rsa -noout -modulus -in private.key | openssl md5

openssl x509 -noout -modulus -in public.pem | openssl md5

You should get two numbers (the MD5 hash of the modulus, to be exact). If these numbers match you have almost 100% certainty that you have a correct pair.
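As an added example (not IceWarp's or the author's code), the following Python script checks both points offline: that a merged bundle like mycert.pem starts with the private key and that the key's RSA modulus matches the first certificate (the modulus comparison above), and that every certificate is issued by the one following it (the Private, Signed Public, Intermediate(s), root order from Note2). The chain it tests itself on is constructed inside the script and is not a real chain; the minimal DER walk assumes an RSA key in OpenSSL's traditional PKCS#1 "RSA PRIVATE KEY" format.

```python
import base64, re
def der(tag, body):  # DER TLV encoder; der()/der_int() only build the constructed sample below
    n = len(body)
    hdr = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + body
def der_int(v):  # INTEGER; a leading 0x00 is added when the top bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def children(buf):  # decode the TLV elements packed in buf as (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: 0x8k followed by k length bytes
            k = n & 0x7F; n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n])); pos += n
    return out
def seq(buf):  # fields of the single top-level SEQUENCE that buf encodes
    return children(children(buf)[0][1])
def cert_fields(cert):  # (issuer DER, subject DER, RSA modulus) of one X.509 certificate
    f = children(seq(cert)[0][1])  # Certificate -> tbsCertificate -> its fields
    if f[0][0] == 0xA0: f = f[1:]  # skip the optional [0] version
    rsa_pub = seq(children(f[5][1])[1][1][1:])  # SubjectPublicKeyInfo BIT STRING -> RSAPublicKey {n, e}
    return f[2][1], f[4][1], int.from_bytes(rsa_pub[0][1], "big")
def check_bundle(text):  # problems in a merged bundle (key, server cert, intermediates, root); [] = OK
    blocks = [(lbl, base64.b64decode(b)) for lbl, b in
              re.findall(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)]
    if not blocks or blocks[0][0] != "RSA PRIVATE KEY":  # PKCS#1 key, OpenSSL's traditional format
        return ["first block must be the RSA private key"]
    certs = [cert_fields(b) for lbl, b in blocks[1:] if lbl == "CERTIFICATE"]
    if not certs: return ["no certificate follows the private key"]
    problems = []
    if int.from_bytes(seq(blocks[0][1])[1][1], "big") != certs[0][2]:  # RSAPrivateKey: version, n, ...
        problems.append("private key does not match the server certificate")
    for i in range(len(certs) - 1):  # certificate i must be issued by certificate i+1
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: wrong order or missing intermediate")
    return problems
# Constructed sample chain: unsigned, structure only, not real certificates or keys.
def _cert(subject, issuer, n):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    rsa_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(65537))))
    tbs = der(0x30, der_int(1) + der(0x30, b"") + name(issuer) + der(0x30, b"") + name(subject) + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
def sample_bundle(order=("leaf", "inter", "root")):  # the key's modulus 0xC0FFEE matches the leaf only
    certs = {"leaf": _cert("mail.example.test", "Demo Intermediate", 0xC0FFEE),
             "inter": _cert("Demo Intermediate", "Demo Root", 0x1234),
             "root": _cert("Demo Root", "Demo Root", 0x5678)}
    blocks = [("RSA PRIVATE KEY", der(0x30, der_int(0) + der_int(0xC0FFEE) + der_int(65537)))]
    blocks += [("CERTIFICATE", certs[c]) for c in order]
    return "".join(f"-----BEGIN {l}-----\n{base64.b64encode(b).decode()}\n-----END {l}-----\n" for l, b in blocks)
```

Run check_bundle() on the text of your own mycert.pem; an empty list means the key matches the server certificate and the chain is in the order IceWarp expects.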
