This is the entire process from CSR generation to installing the CRT with all trusted intermediate certs so that your connection is a good as possible.
The primary reason for this article is due to issues that Google Gmail has with remote POP mail checking if the SSL and all Intermediate Certs aren’t installed.
Note: This applicable for Kerio Mailserver 6.X and earlier. I cannot verify if it 100% works with 7.0 or newer.
Generating the new CSR Certificate Signing Request from Kerio
- download the Kerio SSL tool here
- extract that file to a new directory off your C:\ root, something easy like “C:\SSL”
- inside the Kerio interface, go to the SSL Certs config page and
- New->New Certificate Request
- complete it and make sure your hostname is your full domain name to be protected by the SSL, eg “mail.yourdomainname.com”
- save this file into the new directory above.
- Run the following command from a command line. Feel free to change the bits if needed. We only use 4096
- openssl genrsa -out server.key 4096
- This will output a file called “server.key”
- Run the following command:
- openssl req -new -days 365 -key server.key -out server.csr -config openssl.cfg
- That will generate a file called “server.csr”. You will need this for Godaddy, Comodo or wherever you get the SSL cert
Buy a new SSL and use the “server.csr” file to process it.
Handling the installation of your new CRT and installing intermediate keys as well.
- extract the zip file with your new CRT file into the directory above
- you will need to locate and download the “intermediate certificates” for your SSL if they do not already come inside the zip file. In my case, we had an “Comodo Instant SSL” and inside it there was our domain CRT file and a second file “mail_mydomainname_com.ca-bundle”. I used the contents of this “ca-bundle” file for my needs.
- using a text editor like “Ultraedit” or “Notepad++” (NOTE: DON’T USE NOTEPAD., open the .CRT file.
- Copy it
- paste it into a new blank document
- open the additional file(s)
- Paste them directly below your .CRT file text, into the text file. If there is more than one past them back to back to back in the file. Note: your domain CRT must be the first one, followed by the Int. certs.
- Save the file. Call it something mydomainname with extras.CRT
- open Kerio
- SSL Certs
- Import New Cert
- first it will ask for the KEY file you generated in the first section above. locate that file and open it
- second it will be looking for our new combined CRT file that we just did in this section above.
- once it imports, select the new cert as the active cert
- restart kerio mailserver
- go to this site and run a test on your domainname.
- if you’ve done everything properly, you should have all “Green Checkmarks” and a clean bill of health on your domain name.