Installing intermediate (Turbo SSL) certificates from godaddy.com in Kerio MailServer

By Chris Williams posted on June 6th, 2007


There are many compelling reasons to use SSL wherever possible on your server. We use and deploy Kerio MailServer quite frequently and there is extensive support for SSL certificates built into the product.

By default, Kerio MailServer generates a self-signed certificate the first time it is set up. A self-signed certificate is good enough for some types of secure connections and does ensure that communications to and from the server are encrypted, but in many situations you will get errors stating that the certificate is not trusted because it has not been signed by a certificate authority. In short, the connection is encrypted, but the other end of the client-server conversation has no way to ensure that your server is who it says it is unless the certificate is signed by a trusted certificate authority.

Obtaining a certificate that is signed by a certificate authority can be a time-consuming and tricky process. The certificate authority frequently requires (for good reason) documentary evidence that you are who you say you are, and it can take time to complete this process. It is also relatively expensive at over $100/year.

There is, however, a less expensive alternative. Beginning with Kerio MailServer v6.4.0 there is support for intermediate signed certificates. These cost far less than “regular” certificates, and they are faster and easier to obtain.

GoDaddy calls their intermediate SSL certificate Turbo SSL. They just need email verification through the address listed in the [WHOIS](http://www.networksolutions.com/whois) record for your domain, so you can often get your signed cert issued in a few hours.

Unfortunately, if you want to use the over-the-air ActiveSync feature with Windows Mobile devices, the WM5 devices [don't accept](http://blogs.msdn.com/windowsmobile/archive/2005/11/03/488924.aspx) SSL certs that are signed by intermediate certs. You may have to import your intermediate certs using [this](http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx) technique. You might want to avoid the headache and pay more for an SSL certificate that is signed by a [root certificate.](https://partner.microsoft.com/global/partner/40027352)

1. Generate a certificate request. In the SSL certificates section of the admin console, pick ‘New certificate request…’ from the ‘New…’ button. Fill out the relevant details.

2. Start filling out the application for the Turbo SSL certificate. At one point it will ask you for a certificate signing request (CSR). In Kerio, highlight the request and select ‘Show request…’ from the ‘Show…’ menu, then copy and paste the text of the CSR from Kerio into the form.

3. After you submit the application for the certificate, Go Daddy will verify the email address and then send you an email with a link to your certificate. Download that signed certificate, go to the SSL certificates section of the Kerio admin console and select ‘Import signed certificate from CA…’

4. Next you need to download the Go Daddy intermediate certificate and place it in the correct directory. Look for “Go Daddy Secure Server Certificate (Intermediate Certificate)” on this page. Download that certificate and copy it to /usr/local/kerio/mailserver/sslca/ (default KMS location on Mac OS X).

5. Finally, stop and restart KMS and test your new certificate to ensure that it is recognized as being signed by a trusted CA.
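
To show why the intermediate certificate from step 4 has to be available before the test in step 5 can pass, here is an added example (not part of the original post) that builds a constructed root, intermediate and server certificate with `openssl` and verifies the server certificate with and without the intermediate. The function names, file names and temporary directory are assumptions for illustration.

```sh
#!/bin/sh
# Added example. All keys and certificates are constructed throwaway test
# material; function and file names are assumptions, not Kerio or Go Daddy files.

# new_csr NAME DIR: create DIR/NAME.key and DIR/NAME.csr with CN=NAME
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
}

# make_demo_chain DIR: build root -> intermediate -> leaf inside DIR
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr root "$d" && new_csr intermediate "$d" && new_csr leaf "$d" || return 1
    # Self-signed root, marked as a CA
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA certificate signed by the root
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 2 -days 2 \
        -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null || return 1
    # Server (leaf) certificate signed by the intermediate, not by the root
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -set_serial 3 -days 2 \
        -out "$d/leaf.pem" 2>/dev/null
}

# chain_ok ROOT LEAF [INTERMEDIATE]: exit 0 if LEAF chains to the trusted ROOT
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# demo: verify the leaf without and with the intermediate, print both results
demo() {
    d=$(mktemp -d) || return 1
    make_demo_chain "$d" || { rm -rf "$d"; return 1; }
    chain_ok "$d/root.pem" "$d/leaf.pem" && a=OK || a=FAIL
    chain_ok "$d/root.pem" "$d/leaf.pem" "$d/intermediate.pem" && b=OK || b=FAIL
    rm -rf "$d"
    echo "without-intermediate=$a with-intermediate=$b"
}

demo
```

Against a live server, `openssl s_client -connect mail.example.com:993 -showcerts` (host and port are placeholders) lists the certificates the server actually sends, so you can confirm the intermediate is among them.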

Posted in System Administration
