How to Choose Server Certificate

Server certificate has two functions: to encrypt data, and confirm, that your server is "whoever it says it is".

For the data encryption, it is enough to have a Self-signed Certificate but to prove server identity, you need to obtain a certificate from a Certificate Authority.

Self-signed certificates will work, but they will be not enough for servers, communicating with your server. They will need to be sure, that your server is who it claims to be, and your server claims to be whatever is the value of the Local Host field at Settings - Options - General.. It should be a fully qualified domain name, something like mail.mydomain.com.

The same name, mail.mydomain.com, should be given to users as SMTP, IMAP (or POP3) server address and the same name should be listed as an MX record for domains your server serves.

We will need to obtain a certificate associated with the identity of your server, mail.mydomain.com. And, we should understand, that identity of our server has nothing to do with the domains it serves, domains, listed on the Domains & Users tab on your Mail Server UI.

Steps for Obtaining the Server Certificate

There are multiple ways of obtaining the certificate. We will give an example of doing it at ssls.com.

Let's assume, we are ordering the certificate for mail.mydomain.com. Before we begin, we will have to ensure that the account admin@mydomain.com exists, and is accessible, because we will need to prove to SSL, that the domain mydomain.com belongs to us. An email will be sent to that address, and we will need to follow instructions there to validate that we own the domain.

• Create an account at ssls.com, if you don't have one, and log in.
• Select PositiveSSL. There is no need to select the certificate which also validates your organization. Of course, those stronger certificates will work too, but we just need to validate our domain, not an organization;
• Follow the instructions. Select that you are willing to create a certificate request in the browser. Then, download the zip file, which contains your private key. The file will be named mail_mydomain_com.zip. It will contain a single file, mail_mydomain_com_key.txt. Unzip it, and place in folder C:\Cert;
• At some point, you will be prompted that you need to validate that the domain mydomain.com belongs to you. Select, that you are willing to validate via email, and request the email to be sent to admin@mydomain.com;
• When the email arrives, follow the instructions, go to the provided link, and enter provided validation code;
• After a few minutes, you will receive another email to an account, associated with your SSLS.com account. It will have an attachment - a zip file mail_mydomain_com.zip, containing two files: mail_mydomain_com.crt and mail_mydomain_com-bundle. We don't need the "bundle" file. Extract the file mail_mydomain_com.crt into the same folder, where you extracted the private key (C:\Cert);
• RENAME the file mail_mydomain_com_key.txt in C:\Cert to mail_mydomain_com.key;
• From the command prompt, go to the folder C:\Cert, and execute the following command:

                    Certutil -mergepfx mail_mydomain_com.crt mail_mydomain_com.pfx
                  

  You will be prompted to create a password, and confirm it;
• Now, you can import the certificate into the windows store and use it in your mail server from the store, or use the pfx file directly.