Difference between revisions of "Deploying a Self-signed SSL Certificate"

Background

During the installation of MailStore Server, an SSL certificate is generated which is used by all MailStore components if an encrypted connection is to be established. Because the certificate is issued to the server name MailStoreServer and does not originate from a trusted certification authority (CA), it is not trusted by the client side.

Because of this, the following warning message appears when calling up MailStore Web Access via HTTPS (SSL) or when using the Outlook Add-In with the "secure connection" setting activated:

This article describes the option to deploy self-signed certificates using a group policy. An alternative is to use officially signed SSL certificates issued by your own company CA or a trusted external certificate authority, such as VeriSign or eTrust, which is described in chapter Using Your Own SSL Certificate.

To configure MailStore Server and your clients for using a self-signed certificate, please proceed as described in the following.

Creating a Self-Signed Certificate

The self-signed certificate created during the installation of MailStore Server is issued to the server name MailStoreServer.

If the DNS host name of the server does not correspond to MailStoreServer and if no corresponding A- or CNAME record exists on the DNS server, first a new self-signed certificate with the appropriate host name must be created.

Alternative 1: Create a certificate by using the MailStore Server Service Configuration

This alternative should be preferred, when you want to use a certificate with default parameters. These parameters are amongst others:

• The Subject field is user defined. This equates to the hostname of the MailStore Server computer.
• The certificate is valid until 1/1/2036.
• The signature algorithm is SHA1.
• Subject Alternative Names are not set.
• The FriendlyName value is not set.

To create the certificate proceed as follows:

• Open the MailStore Server Service Configuration.
• Click on IP Addresses and Ports.
• Click on the button next to the field Server Certificate and select Create Self-Signed Certificate...

  

• As name for the new certificate, enter the server name with which the MailStore server can be reached, e.g. mailstore.mydomain.local, and click on OK.
• If necessary, replace all additional server certificates with the new certificate. To do so, click on the button next to the Server Certificate field and select Select from Certificate Store...

Alternative 2: Create a certificate by using certreq

This alternative should be preferred when you have requirements to the certificate that cannot be fulfilled with the default parameters. For example if you want to use Subject Alternative Names or if you want a limited validity period.

• Log on to the MailStore Server computer.
• Prepare a text file request.inf with the following content:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; replace Subject attributes in the line below with real values
Subject = "CN=mailstoreserver.example.com, OU=Department, O=Organisation, L=Locality, S=State, C=Country"
HashAlgorithm = sha1
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = mailstoreserver.example.com
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = Cert
KeyUsage = 0xa0
NotBefore = "1/1/2016 00:00 AM"
NotAfter = "12/31/2019 11:59 PM"
 
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

• Adjust Subject, FriendlyName, NotBefore and NotAfter according to your needs.
• Save the file.
• Open an elevated command prompt and navigate to the directory where the request.inf is stored.
• Create the certificate by executing the following command:

certreq -new request.inf request.csr

• Open the MailStore Server Service Configuration.
• Click on IP-Adressen and Ports.
• Click on the button next to the field Server Certificate (…) and select Select from Certificate Store...
• Select the previously created certificate and press OK.
• Replace the other certificates by clicking on the button next to the field Server Certificate (…) and select Select from Certificate Store...

Optional: Subject Alternative Names (SAN)

If the certificate should be valid for multiple host names, so called Subject Alternative Named (SAN) must be included. Add the Extensions section as shown below to the the end of the request.inf file and adjust the host names to your needs or add additional ones by appending additional _continue_ lines. Then save the file and create the certificate as explained previously.

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=mailstoreserver.example.com&"
_continue_ = "DNS=mailstoreserver&"
_continue_ = "IPADDRESS=172.31.1.5&"

Important notice: When SANs are defined, the CN in the Subject field will be ignored by clients. Therefore all valid host names have to be added to the SAN extension.

Deploying a Self-Signed Certificate

Before the self-signed certificate can be deployed, it must be exported from the current certificate store. Please proceed as follows:

• Open the MailStore Server Service Configuration.
• Click on IP-Adressen and Ports.
• Click on the certificate.
• Open the Details tab.
• Click on Copy to File.
• Follow the instructions of the certificate export wizard to export the certificate without the private key in DER encoded format into a file.

Once the certificate has been exported to a file, create a group policy as described in chapters MailStore Client Deployment or MailStore Outlook Add-in Deployment and to deploy the certificate customize it as follows:

• Open the group policy object using the Group Policy Management Editor of your Windows server.
• Expand the Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
• Right-click on Trusted Root Certification Authorities and select Import....
• Follow the instructions of the certificate import wizard to import the certificate from the file.
• Under Public Key Policies open the properties of the Certificate Services Client - Auto-Enrollment

  

• Change the Configuration Model to Enabled and click on OK.
• Under Public Key Policies open the properties of the Certificate Path Validation Settings.

  

• Place a checkmark next to Define these policy settings and click OK.

The group policy will be enabled once the workstation is restarted.

Weblinks

• Microsoft Technet: Certreq
• Microsoft Technet: How to Request a Certificate With a Custom Subject Alternative Name