Webclient Dual Auth Certificator
Posted by Ondrej Vanek, Last modified by Ondrej Vanek on 27 July 2016 05:02 PM

IceWarp Webclient Dual Auth Certificator was written to automatically create client p12 password encrypted certificates for webclient dual authentication, email signing or encryption.




1) Download certificator1.tar and extract to root folder of any linux system (best with updated openssl libraries)

2) Export mail addresses and names of users via tool "./ export account *@* u_name > addresslist.csv"

3) copy addresslist.csv to root folder (replace the one as example)

4) execute ./

5) press 1 to create CA certificate "ca.cert.pem" in root folder, once the certificator is finished, execute anytime again and press 2 to create client certificates, each certificate has to have unique CN (user name generated from second parameter of addresslist.csv)

6) add generated ca.cert.pem as CA certificate in IceWarp Administration console, go to console-certificates-CA certificates -click on add button and select ca.cert.pem file

7) now go to icewarp console>web -double click the settings for webclient page>access and create a rule for requesting certificate from client while connecting to webclient

access rule

this rule is filtering dual auth for connection from outside of internal network


8) certificates are in file clientcertificates zipped with passwords for each user separately,

On client machine insert the pkcs12 certificate into users browser -settings/certificates/your certificates import (depends on browser) or import the certificate in system via certificate import wizzard.

    users can import the same p12 certificates in webclient-my details-certificates upload and webclient-options-private certificates (for sending smime signed messages and encryption)


Certificator's function:

1 Certificator will create folder CA and ca.cert.pem in root folder

2 certificator will generate client certificates separately zipped with passwords in folder clientcertificates

3 exit


note: you can edit certificator script to modify client certificates subject variables, by default there is (or delete any of them if no needed):

your_organization=IceWarp\ LTD
your_organizationunit=IceWarp\ Server


and time of client cert validity:

(CA cert is valid 1234 days - edit somwhere in the middle of the code)

 note:diacritics within user's names is supported

-feel free to modify and edit the code regarding your needs, there are commented functions for OCSP server in case you would run appache infront of icewarp and want to use certificate revocation function and ocsp server (if you know how to figure it out)

 certificator1.0.1.tar (30.00 KB)
(2 vote(s))
Not helpful

Comments (0)