Use a signed SSL certificate

From The Network People, Inc. - Wiki

Mail Toaster provides your clients with a number of ways to send and receive their email securely. The good news is that all those security features are enabled by default. Unfortunately, all the SSL certificates are self-signed, so no client trusts them out of the box. If you have your own CA (Certificate Authority) you can sign the certificates with it and then install your CA cert in all your users' browsers/email clients. That is one way to prevent them from getting the "invalid certificate" errors every time they securely check their mail.

The other way is to purchase a signed SSL certificate. After you get your new SSL certificate, it must be installed separately for the POP3-SSL, IMAP-SSL, HTTPS, and SMTP-TLS servers.

Installing the signed certificate consisted of:

# qmail reads one PEM file laid out as: private key, then the signed cert, then the intermediate(s)
cat /path/to/ssl/cert.key > /var/qmail/control/servercert.pem
cat /path/to/ssl/cert.crt >> /var/qmail/control/servercert.pem
cat /path/to/ssl/intermediary_cert.crt >> /var/qmail/control/servercert.pem
# the same bundle doubles as the client cert qmail presents on outbound TLS
cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# both files contain the private key, so they are owner-readable only
chown vpopmail:vchkpw /var/qmail/control/servercert.pem
chown qmaild /var/qmail/control/clientcert.pem
chmod 400 /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
qmail restart
# courier-imap's IMAP-SSL and POP3-SSL daemons read the same key+cert bundle format
cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/imapd.pem
cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/pop3d.pem
imapssl stop
imapssl start
pop3ssl stop
pop3ssl start
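Before restarting qmail and courier it is worth confirming that the bundle you just assembled actually has the layout those daemons expect (private key first, then the server cert, then any intermediates) and that the file mode keeps the key owner-only. This checker is an added example, not code from the original page or from Mail Toaster; the PEM samples are constructed placeholders, not real key material.

```python
import os
import re
import stat

# PEM armor: "-----BEGIN X-----", base64 body, "-----END X-----" with the same label X on both lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_block_labels(text):
    """Labels of the PEM blocks in file order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_servercert(text, expect_chain=False):
    """Return layout problems for an assembled servercert.pem; an empty list means it looks right."""
    # qmail and courier-imap read one file laid out as: key, server cert, intermediate(s);
    # expect_chain=True makes a forgotten intermediate a reported problem.
    labels = pem_block_labels(text)
    keys = [lbl for lbl in labels if lbl in KEY_LABELS]
    certs = [lbl for lbl in labels if lbl == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif labels[0] not in KEY_LABELS:
        problems.append("private key is not the first block (cat the .key file first)")
    if not certs:
        problems.append("no CERTIFICATE block: the signed server cert is missing")
    elif expect_chain and len(certs) < 2:
        problems.append("only one CERTIFICATE block: append the intermediate cert(s) after the server cert")
    return problems


def check_mode(mode):
    """Flag a mode that lets group/other read the file; it holds the private key, so 400 is the target."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"mode {mode & 0o777:o} is readable by group/other; chmod 400 it"]
    return []


def check_file(path, expect_chain=False):
    """Run both checks on a real file, e.g. /var/qmail/control/servercert.pem or courier's imapd.pem."""
    with open(path) as fh:
        text = fh.read()
    return check_servercert(text, expect_chain) + check_mode(os.stat(path).st_mode)


# Constructed placeholder blocks (not real key material) to exercise the checks.
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTEDKEYBODY\n-----END RSA PRIVATE KEY-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTEDSERVERCERT\n-----END CERTIFICATE-----\n"
INTER_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTEDINTERMEDIATE\n-----END CERTIFICATE-----\n"
GOOD_PEM = KEY_PEM + CERT_PEM + INTER_PEM  # the order the cat commands above produce
```

Run `check_file("/var/qmail/control/servercert.pem", expect_chain=True)` as root after the chmod; a single-root cert is checked with the default `expect_chain=False`.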

That's all I had to do... other than reconfigure my email client to connect on the host name that my "real" cert uses, and it works like a charm.

Types of SSL certificates

There are various types of certificates available. The best certificates are single root certificates, meaning that there are no intermediate certificates between your certificate and the root CA. These certificates work pretty much everywhere.

The other common type is a chained certificate. These certs come packaged with one or more intermediate certificates which must all be installed alongside yours. Some servers do not support chained certificates, and even if the server does, the clients may not be capable of validating the chain. These chained certificates can often be purchased quite cheaply (less than $50).

If the certificate doesn't say what type it is, it is chained. Avoid it and get a single root cert.

Certificates Known to work

  • QuickSSL by GeoTrust - order from TNPI store ($140) - M. Simerson
  • RapidSSL - by GeoTrust - order from TNPI store ($60) - M. Simerson
  • SSL123 - by Thawte ($150) - R. Minch. Buy it from Dotster instead for $35.

Certificates Known to NOT work

  • InstantSSL - by Comodo ($80/yr, chained) - M. Simerson - Works with Dovecot & Apache (both support chained certs). Does not work with courier-imap or qmail.


Interesting Certificates

Turbo SSL by GoDaddy - $20 - M. Simerson - a double-chained certificate. Requires TWO chain files. Works with Apache 2 but requires extra config options:

# www.tnpi.net GoDaddy cert (2007-2017)
SSLCertificateFile      certs/www.tnpi.net.crt
SSLCertificateKeyFile   certs/www.tnpi.net.key
SSLCertificateChainFile certs/www.tnpi.net.crt.intermediate
SSLCACertificateFile    certs/www.tnpi.net.crt.intermediate_cross

I haven't invested the time to see if I can get it working with dovecot, courier-imap, and qmail. My initial guess is, probably not.


Jerm - I use GoDaddy Certs exclusively and they work fine with my entire toaster setup:

  • apache2 - works by using the gd_intermediate_bundle (near the bottom). Apache works great configured as if it was a single chain, i.e. SSLCertificateChainFile only
  • qmail - I included the GD bundle certs at the end of my servercert.pem file and that works like a charm
  • courier - my imap and pop3 ssl configs point to my qmail servercert.pem and work swimmingly.