Difference between revisions of "Using Your Own SSL Certificate"

Jump to: navigation, search
[unchecked revision][checked revision]
(Creating a Certificate Signing Request (CSR))
 
(36 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
== Background ==
 
== Background ==
 +
During the installation of MailStore Server, an SSL certificate is generated which all MailStore Server components use when an encrypted connection is to be established. Since the certificate is issued to the server name ''MailStoreServer'' and does not come from a reliable certification authority (CA), it is not trusted by the client side.
  
During the installation of MailStore Server, an SSL certificate is generated which MailStore Web Access/Outlook Add-In can use for access via HTTPS. Since the certificate is issued to the server name ''MailStoreServer'' and does not come from a reliable certification authority (CA), it is not trusted by the client side.
+
[[File:MScert.png|360px|center]]
 +
 +
Because of this, the following or a similar warning message is displayed when calling up MailStore Web Access via HTTPS (SSL):
  
: [[Datei:MScert.png|300px|center]]
+
[[File:MSnotrust.png|360px|center]]
 
   
 
   
Infolge dessen kommt es beim Aufruf des MailStore WebAccess über HTTPS (SSL) zu folgender Warnmeldung:
+
To eliminate warning and increase security as well as enhance usability, MailStore needs to be reconfigured to use your own certificate.
 +
 
 +
If the ''Personal'' certificate store of the ''Computer account'' does already contain the desired certificate, follow the instructions in the [[#Using_the_Certificate_with_MailStore|Using the Certificate with MailStore]] section.
 +
 
 +
== Prerequisites ==
 +
 
 +
* A trusted [[wikipedia:Certificate_authority|Certificate Authority (CA)]]
 +
* ''certreq'' tool (available on most Windows installations by default)
 +
 
 +
== Creating a New Certificate ==
 +
Unless a certificate for the host name that is to be used for accessing  MailStore Server already exists, follow the below instructions to create a new certificate and import it into Windows' certificate store.
 +
 
 +
=== Creating a Certificate Signing Request (CSR) ===
 +
The following describes how to generate a certificate signing request by using the ''certreq'' tool.
 +
 
 +
* Log on to the MailStore Server computer.
 +
* Prepare a text file <tt>request.inf</tt> with the following content:
 +
<pre>
 +
;----------------- request.inf -----------------
 +
[Version]
 +
Signature="$Windows NT$"
  
: [[Datei:MSnotrust.png|300px|center]]
+
[NewRequest]
 +
; replace Subject attributes in the line below with real values
 +
Subject = "CN=mailstoreserver.example.com, OU=Department, O=Organisation, L=Locality, S=State, C=Country"
 +
KeySpec = 1
 +
KeyLength = 2048
 +
Exportable = TRUE
 +
FriendlyName = mailstoreserver.example.com
 +
MachineKeySet = TRUE
 +
SMIME = False
 +
PrivateKeyArchive = FALSE
 +
UserProtected = FALSE
 +
UseExistingKeySet = FALSE
 +
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
 +
ProviderType = 12
 +
RequestType = PKCS10
 +
KeyUsage = 0xa0
 
   
 
   
Eine Möglichkeit besteht nun darin den Server, auf dem MailStore Server installiert ist, unter dem Hostnamen ''MailStoreServer'' erreichbar zu machen (z.B. durch Hinzufügen eines A- oder CNAME-Records im DNS) und ferner auf den Clients das Zertifikat in den Container der Vertrauenswürdigen Stammzertifizierungsstellen zu installieren. Da meist letzteres mit einem relativ hohem administrativen Aufwand verbunden ist, bietet MailStore Server die Möglichkeit, signierte Zertifikate einer eigenen Unternehmens CA oder Zertifikate eines öffentlichen Zertifikatsanbieters (bsp. VeriSign, eTrust, etc.) zu verwenden.
+
[EnhancedKeyUsageExtension]
 +
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
 +
 
 +
[Extensions]
 +
2.5.29.17 = "{text}"
 +
_continue_ = "DNS=*.example.com&"
 +
_continue_ = "DNS=mailstoreserver.example.com&"
 +
</pre>
 +
* Adjust the ''Subject'' and ''FriendlyName'' values according to your needs.
 +
* Adjust the ''Subject Alternative Names (SAN)'' in the ''[Extensions]'' section as well. Please note that the ''Common Name (CN)'' in the ''Subject'' is irrelevant for the verification by clients and that all host names must be included as SANs. Additional host names may be added with appending additional ''_continue_'' lines.
 +
* Save the file.
 +
* Open an elevated command prompt and navigate to the directory where the ''request.inf'' is stored.
 +
* Create the CSR by executing the following command:
 +
certreq -new request.inf request.csr
 +
 
 +
=== Validating the Certificate Signing Request ===
 +
To verify that the CSR is correct, execute the following command to display it in a human readable format:
 +
 
 +
certutil -dump request.csr
 +
 
 +
=== Submitting the Certificate Signing Request ===
 +
Submit the CSR to your preferred CA. Typically you upload the CSR file to a website of the CA. The CA might ask for the server platform during the submission process. Selecting ''IIS 7'' or ''None of the listed'' should be sufficient. After successful approval of the CSR, you will get the signed certificate in return.
 +
 
 +
<p class="msnote">'''Please note:''' Nowadays the certificate mostly is signed by intermediate CAs. It is required that the certificate of the intermediate CA is imported into the certificate store. Detailed information about the installation process of intermediate CA certificates is typically included in the electronic delivery of your certificate.</p>
 +
 
 +
=== Importing the Certificate ===
 +
* Open an elevated command prompt and navigate to the directory where the certificate file is stored.
 +
* Execute the following command to import the certificate into the computer's personal certificate store:
 +
 
 +
certreq -accept certificate.cer
 +
 
 +
=== Verifying the Import ===
 +
* Log on to the MailStore Server computer as administrator.
 +
* Open the ''Microsoft Management Console (MMC)''
 +
* Add the Certificate Snap-In by following these steps:
 +
** Click on ''File'' > ''Add/Remove Snap-In'' > ''Certificate'' > ''Add >''
 +
** Select ''Computer Account'' and click on ''Next >''
 +
** Select ''Local Computer'' and click on ''Finish''  
 +
** Close any open dialog windows
 +
* Click on ''Certificates (Local Computer)'' > ''Personal'' > ''Certificates''
 +
* Double-click on the previously imported certificate
 +
* Make sure that the private key for the certificate is available:
 +
 
 +
[[File:Private_key.png|center]]
 +
 
 +
==== Repairing the Certificate Store ====
 +
Sometimes the matching private key cannot be found although the certificate was imported successfully into the correct certificate store. Try to repair the certificate store as follows:
 +
 
 +
* Open an elevated PowerShell and execute the following command:
 +
 
 +
Get-ChildItem Cert:\LocalMachine\My | select Subject, Serialnumber, Thumbprint, HasPrivateKey
 +
 
 +
* Check the subjects, serialnumbers and fingerprints of the installed certificates, to identify the certificate to be used by MailStore.
 +
* Repair the corresponding certificate store by executing the following command, where ''SerialNumber'' is the serial number of the certificate that should be used.
 +
 
 +
certutil -repairstore my SerialNumber
 +
 
 +
=== Using the Certificate with MailStore ===
 +
* Open the MailStore Server Service Configuration.
 +
* Select ''IP Addresses and Ports''.
 +
* In the section you want to change to certificate for, click on the button next to the ''Server Certificate'' field and select ''Select from Certificate Store...''
 +
* Choose the new certificate from the certificate store.
 +
* Confirm your selection and restart the MailStore Server service.
 +
 
 +
== Importing an Existing Certificate ==
 +
Typically certificates are exchanged between computers by means of Personal Information Exchange (PFX/P12) containers. These can, for example, be created using the export functions of the MMC Snap-In ''Certificates''.
 +
 
 +
=== Optional: Creating a PFX Container with OpenSSL/LibreSSL ===
 +
When the original CSR was not created with Windows' own tools or not even created on a Windows computer, it is unlikely that the private key or the vertificate is available in Windows' certificate store of the MailStore Server computer, but on stored on the file system instead.
  
Um MailStore Server für die Verwendung eines eigenes Zertifikats zu konfigurieren, gehen Sie wie im Folgenden beschrieben vor.
+
In this case, a Personal Information Exchange (PFX) container need to be created first. This needs to contain the certificate, private key, and all certificates of the certificate chain. After that, the PFX container can by imported into Windows' certificate store.
  
== Installieren des Zertifikats ==
+
The following steps need to be executes to convert the certificate files into a PFX container with OpenSSL or LibreSSL:
  
* Melden Sie sich am Server als Administrator an.
+
* Copy the certificate, private key and the certificates of the certificate chain into the OpenSSL or LibreSSL directory.
* Klicken Sie ''Start | Ausführen''.
+
* Open an elevated command prompt and navigate to this directory.
* Führen Sie den Befehl ''mmc'' aus.
+
* Create the PFX container by executing the following command, adjust the file names of necessary:
* Wählen Sie nun ''Datei | Snap-In hinzufügen/entfernen | Hinzufügen | Zertifikate''.
+
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
* Wählen Sie in der nun folgenden Auswahl ''lokales Computerkonto'' und anschließend ''lokaler Computer''.
 
* Schließen Sie die Auswahl über ''Fertigstellen'' ab und schließen Sie die noch offenen Dialoge.
 
* Wählen Sie in der Management Konsole ''Eigene Zertifikate | Zertifikate''.
 
* Klicken Sie auf mit der rechten Maustaste auf den Ordner ''Zertifikate'' und wählen Sie ''Alle Aufgaben | Importieren''.
 
* Folgen Sie den Anweisungen des Assistenten und wählen Sie die Datei aus, welche das Zertifikat und ggf. den privaten Schlüssel enthält.
 
* Wählen Sie auf der Seite ''Zertifikatsspeicher'' den Container ''Eigene Zertifikate'' aus und schließen Sie den Assistenten anschließend ab.
 
* Das Zertifikat wird nun im Container ''Eigene Zertifikate'' angezeigt.
 
* Zur Kontrolle öffnen Sie das Zertifikat über einen Doppelklick und vergewissern Sie sich, dass Sie über den privaten Schlüssel für das Zertifikat verfügen.
 
  
: [[Datei:Private_key.png|300px|center]]
+
=== Importing a PFX container ===
 +
* Open the MailStore Server Service Configuration.
 +
* Select ''IP Addresses and Ports''.
 +
* In the section you want to change to certificate for, click on the button next to the ''Server Certificate'' field and select ''Import from file...''
 +
* Choose the PFX file.
 +
* If the PFX file has been password protected, you are being ask to provide the password now.
 +
* Confirm your selection and restart the MailStore Server service.
  
== Das Zertifikat mit MailStore Server verwenden ==
+
== Weblinks ==
 +
* [https://technet.microsoft.com/en-us/library/dn296456.aspx Microsoft Technet: Certreq]
 +
* [https://technet.microsoft.com/en-us/library/cc732443.aspx Microsoft Technet: Certutil]
 +
* [https://technet.microsoft.com/de-de/library/ff625722.aspx Microsoft Technet: How to Request a Certificate With a Custom Subject Alternative Name]
 +
* [https://www.libressl.org/ LibreSSL]
 +
* [https://www.openssl.org/docs/apps/openssl.html OpenSSL Documentation]
  
* Öffnen Sie nun die MailStore Server Basiskonfiguration.
+
[[de:Verwendung_eigener_SSL_Zertifikate]]
* Wählen Sie den Punkt ''Web Access/Outlook Addin'' und klicken Sie auf ''HTTP/HTTPS-Zugriff konfigurieren''.
+
[[en:Using Your Own SSL Certificate]]
* Klicken Sie auf ''Zertifikat auswählen'' und wählen Sie das neue Zertifikat aus.
 
* Bestätigen Sie die Eingaben und starten Sie abschließend den MailStore Server Dienst neu.
 

Latest revision as of 11:08, 16 July 2018

Background

During the installation of MailStore Server, an SSL certificate is generated which all MailStore Server components use when an encrypted connection is to be established. Since the certificate is issued to the server name MailStoreServer and does not come from a reliable certification authority (CA), it is not trusted by the client side.

MScert.png

Because of this, the following or a similar warning message is displayed when calling up MailStore Web Access via HTTPS (SSL):

MSnotrust.png

To eliminate warning and increase security as well as enhance usability, MailStore needs to be reconfigured to use your own certificate.

If the Personal certificate store of the Computer account does already contain the desired certificate, follow the instructions in the Using the Certificate with MailStore section.

Prerequisites

Creating a New Certificate

Unless a certificate for the host name that is to be used for accessing MailStore Server already exists, follow the below instructions to create a new certificate and import it into Windows' certificate store.

Creating a Certificate Signing Request (CSR)

The following describes how to generate a certificate signing request by using the certreq tool.

  • Log on to the MailStore Server computer.
  • Prepare a text file request.inf with the following content:
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; replace Subject attributes in the line below with real values
Subject = "CN=mailstoreserver.example.com, OU=Department, O=Organisation, L=Locality, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = mailstoreserver.example.com
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
 
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=*.example.com&"
_continue_ = "DNS=mailstoreserver.example.com&"
  • Adjust the Subject and FriendlyName values according to your needs.
  • Adjust the Subject Alternative Names (SAN) in the [Extensions] section as well. Please note that the Common Name (CN) in the Subject is irrelevant for the verification by clients and that all host names must be included as SANs. Additional host names may be added with appending additional _continue_ lines.
  • Save the file.
  • Open an elevated command prompt and navigate to the directory where the request.inf is stored.
  • Create the CSR by executing the following command:
certreq -new request.inf request.csr

Validating the Certificate Signing Request

To verify that the CSR is correct, execute the following command to display it in a human readable format:

certutil -dump request.csr

Submitting the Certificate Signing Request

Submit the CSR to your preferred CA. Typically you upload the CSR file to a website of the CA. The CA might ask for the server platform during the submission process. Selecting IIS 7 or None of the listed should be sufficient. After successful approval of the CSR, you will get the signed certificate in return.

Please note: Nowadays the certificate mostly is signed by intermediate CAs. It is required that the certificate of the intermediate CA is imported into the certificate store. Detailed information about the installation process of intermediate CA certificates is typically included in the electronic delivery of your certificate.

Importing the Certificate

  • Open an elevated command prompt and navigate to the directory where the certificate file is stored.
  • Execute the following command to import the certificate into the computer's personal certificate store:
certreq -accept certificate.cer

Verifying the Import

  • Log on to the MailStore Server computer as administrator.
  • Open the Microsoft Management Console (MMC)
  • Add the Certificate Snap-In by following these steps:
    • Click on File > Add/Remove Snap-In > Certificate > Add >
    • Select Computer Account and click on Next >
    • Select Local Computer and click on Finish
    • Close any open dialog windows
  • Click on Certificates (Local Computer) > Personal > Certificates
  • Double-click on the previously imported certificate
  • Make sure that the private key for the certificate is available:
Private key.png

Repairing the Certificate Store

Sometimes the matching private key cannot be found although the certificate was imported successfully into the correct certificate store. Try to repair the certificate store as follows:

  • Open an elevated PowerShell and execute the following command:
Get-ChildItem Cert:\LocalMachine\My | select Subject, Serialnumber, Thumbprint, HasPrivateKey
  • Check the subjects, serialnumbers and fingerprints of the installed certificates, to identify the certificate to be used by MailStore.
  • Repair the corresponding certificate store by executing the following command, where SerialNumber is the serial number of the certificate that should be used.
certutil -repairstore my SerialNumber

Using the Certificate with MailStore

  • Open the MailStore Server Service Configuration.
  • Select IP Addresses and Ports.
  • In the section you want to change to certificate for, click on the button next to the Server Certificate field and select Select from Certificate Store...
  • Choose the new certificate from the certificate store.
  • Confirm your selection and restart the MailStore Server service.

Importing an Existing Certificate

Typically certificates are exchanged between computers by means of Personal Information Exchange (PFX/P12) containers. These can, for example, be created using the export functions of the MMC Snap-In Certificates.

Optional: Creating a PFX Container with OpenSSL/LibreSSL

When the original CSR was not created with Windows' own tools or not even created on a Windows computer, it is unlikely that the private key or the vertificate is available in Windows' certificate store of the MailStore Server computer, but on stored on the file system instead.

In this case, a Personal Information Exchange (PFX) container need to be created first. This needs to contain the certificate, private key, and all certificates of the certificate chain. After that, the PFX container can by imported into Windows' certificate store.

The following steps need to be executes to convert the certificate files into a PFX container with OpenSSL or LibreSSL:

  • Copy the certificate, private key and the certificates of the certificate chain into the OpenSSL or LibreSSL directory.
  • Open an elevated command prompt and navigate to this directory.
  • Create the PFX container by executing the following command, adjust the file names of necessary:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Importing a PFX container

  • Open the MailStore Server Service Configuration.
  • Select IP Addresses and Ports.
  • In the section you want to change to certificate for, click on the button next to the Server Certificate field and select Import from file...
  • Choose the PFX file.
  • If the PFX file has been password protected, you are being ask to provide the password now.
  • Confirm your selection and restart the MailStore Server service.

Weblinks

Navigation
Tools
Print/export
About MailStore

  • MailStore Server is one of the leading email archiving solutions for SMB.
  • For private use there is a free tool for email archiving furthermore: MailStore Home.