Briefly about Certificates

You will need certificates, if you want to use SSL/TLS connections with our server.

Our mail server can use certificate either from password protected pfx file, or Local Machine certificate store. PFX files seem to work more reliably, because when using certificates from store, sometimes the mail server is having trouble locating private key.

Certificates serve two purposes: encrypt data, and identify your server.

You can create the certificate, which does just data encryption yourself. These are called Self Signed Certificates. To create one using OpenSSL, execute the following command:

    openssl req -new -x509 -days 365 -out -mycert.pem -keyout mycert.pem
    

When prompted, you will have to provide the information about your organization, which will be included in the certificate.

It will create a self-signed certificate in PEM format. To convert it into a PFX file for direct use with mail server, or to import it into the certificate store, execute the following command:

    openssl pkcs12 -export -out mycert.pfx -inkey mycert.pem -in mycert.pem
    

Resulting pfx file can be used with mail server, and specifying it from the Security - Server Certificate menu will allow you to enable STARTTLS options for SMTP, POP3 and IMAP.

But, self-signed certificates will provide only encyption, and will cause prompts to remote users that the certificate you are using is suspicious, because it is not signed by certificate authority, and there is no guarantee that your server is the one it claims to be...

More reliable certificate may be obtained from a certificate authority, and it normally costs $$$.

When obtaining the certificate I use with my server mail.argosoft.com, I used GeoTrust, which seems to be partnering my DNS provider EasyDns. It cost me $99.00 for a year.

First, I created certificate request using open ssl:

    openssl req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
    

I was prompted about the information about my domain name and company, the similar way as above, when creating a self signed certificate.

Then, I copied and pasted the content of myreq.pem file into the web page provided by EasyDNS, and submitted it to GeoTrust. GeoTrust signed it and returned a "final" certificate. I placed the data between:

    ----BEGIN CERTIFICATE----
    ----END CERTIFICATE----
    

including the tags above into the file mail_argosoft_com_ee.crt into the same folder, where I kept mykey.pem and myreq.pem files, and created PFX file using the following command:

    openssl pkcs12 -export -out mail_argosoft_com.pfx -inkey mykey.pem -in mail_argosoft_com_ee.crt
    

Was prompted for password. Resulting PFX file is ready to be used with mail server.

Mail Server Home

ArGoSoft Home