  [Merak - Learning]
 
SSL-Manipulation-for-IceWarp-Web-Mail
 
 

Disclaimer

The documentation is provided as is without warranty of any kind. To the maximum extent permitted by applicable law, we further disclaim all warranties, including without limitation any implied warranties of merchantability, fitness for a particular purpose, and non-infringement. The entire risk arising out of the use or performance of the product and documentation remains with the recipient. To the maximum extent permitted by applicable law, in no event shall we be liable for any consequential, incidental, direct, indirect, special, punitive or other damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of this agreement of the use of or inability to use the product, even if the author of the product has been advised of the possibility of such damages.

Overview

IceWarp Software provides SSL support in the Merak Mail Server and IceWarp Web Mail products. By default this uses an SSL certificate issued by IceWarp, and as such it generates browser warnings when used.

It is likely that customers wishing to pursue SSL already have a certificate installed for a given domain and would like to use their existing certificate with Merak or Web Mail.

This document explains how to convert an existing certificate into the format that IceWarp expects.

Contact Us

Please do not hesitate to contact us with your suggestions for new features. To see the latest Price List, or Purchase the Products, please visit the website or send us e-mail at:

E-Mail info@merakmailserver.com
Support support@merakmailserver.com
Website http://www.merakmailserver.com

Table of Contents

1. Overview of SSL

2. Certificate Conversion from IIS 4.0

3. Certificate Conversion from IIS 5.0

1. Overview of SSL

Overview

SSL is an encryption method based on public and private keys. It ensures that information being transferred between a web server and a web browser cannot be read by anyone else, and thus ensures privacy.

IceWarp Web Mail and Merak Mail each use their own built-in web server. This fully supports the SSL standards once SSL support has been enabled.

Enabling Secure Socket Layer

The SSL software is provided as standard with IceWarp Web Mail and Merak Mail.

For IceWarp Web Mail, test your installation by connecting to the SSL port 4097 (instead of 4096). Ensure that https is specified instead of http, e.g. https://127.0.0.1:4097/

For Merak Mail, test your installation by connecting to the SSL port 32001 (instead of 32000). Ensure that https is specified instead of http, e.g. https://127.0.0.1:32001/

If all is working, you will be greeted with a warning.

What does the warning mean?

An SSL certificate requires 3 conditions to be met:

     1. That it has been issued by a company that is trusted.
     2. That the date on the certificate is valid.
     3. That the website name matches the name on the certificate.

There are only a few companies in the world who issue certificates that are automatically trusted by web browsers (e.g. Verisign and Thawte). As this certificate is issued by IceWarp software the web browser does not ‘trust’ it.
To resolve this, click on the ‘View Certificate’ button and then ‘Install Certificate’. Follow the prompts. This tells the web browser that the certificate can be trusted.
Unfortunately it is not possible to fix point (3). A certificate is matched to a website address at creation.

IceWarp’s Certificate Format

Find the file cert.pem in the installation directory. It should look like this :

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----




The file takes the format of base-64 encoded sections, the private key followed by the certificate.

2. Certificate Conversion from IIS 4.0

When the certificate was first requested you would have created a certificate request file. This would have looked like this :

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

The organisation that issued your certificate would have replied with the certificate in the following format:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The certificate itself is in the correct format for IceWarp, but we also need to obtain the private key. This can be extracted from IIS with a little manual intervention.


You will need some tools to do this though :

     1. A copy of the openssl executable with RSA encryption
     2. A text editor that understands hex.

The openssl tools can be downloaded from anonymous ftp at ftp://ftp.siwd.net/

A good hex editor can be found at http://www.ultraedit.com

(These instructions are courtesy of a post to the openssl-users newsgroup.)
MSIIS exports the private key and certificate in the same file.  If you want to extract only the private key, you can do it as follows:
  
1. Export a backup file of the Certificate from the Key-Manager. Call it cert.key.
2. Edit cert.key and find this string in the binary file : "private-key"
3. Trace back until you find this Hex value: "3082"
4. Write from that position to a new file (tmp.bin).
5. With OpenSSL: openssl rsa -inform NET -in tmp.bin -out key.pem
6. Type password.
7. The private key is now in a separate file :-)
  

  
The above image shows an IIS key open in the "Elvis" text editor in HEXADECIMAL mode. The characters in red will be deleted and the rest of the file -- from "30 82" onwards -- will be saved.
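
Steps 2 to 4 can also be done with a script instead of a hex editor. The Python below is an added example, not part of the original document or of the newsgroup post. It assumes the "30 82" before the marker is the header of a DER SEQUENCE that encloses the marker, and checks that. The header and filler bytes in the sample are constructed, not a real IIS key file.

```python
MARKER = b"private-key"   # string the procedure searches for (step 2)
SEQ_TAG = b"\x30\x82"     # hex 3082: DER SEQUENCE with a two-byte length

def carve_key_blob(data):
    """Return the bytes from the nearest 30 82 before MARKER to end of file."""
    at = data.find(MARKER)
    if at < 0:
        raise ValueError("'private-key' not found: not a Key Manager backup?")
    start = data.rfind(SEQ_TAG, 0, at)          # step 3: trace back
    if start < 0:
        raise ValueError("no 30 82 before the marker")
    declared = int.from_bytes(data[start + 2:start + 4], "big")
    end = start + 4 + declared
    # Checks a hex editor does not make: the SEQUENCE that starts here
    # must be long enough to contain the marker and must fit in the file.
    if end < at + len(MARKER):
        raise ValueError(f"30 82 at offset {start} does not enclose the marker")
    if end > len(data):
        raise ValueError("backup file is truncated")
    return data[start:]                         # step 4: contents of tmp.bin

# Constructed sample: made-up header and filler, not a real IIS key file.
# The header deliberately contains a stray 30 82 that must be ignored.
BLOB = SEQ_TAG + (313).to_bytes(2, "big") + b"\x04\x0b" + MARKER + bytes(300)
SAMPLE_KEYFILE = b"HDR\x30\x82\xff\xff" + bytes(12) + BLOB

if __name__ == "__main__":
    blob = carve_key_blob(SAMPLE_KEYFILE)
    print(f"carved {len(blob)} bytes starting {blob[:4].hex()}")
```

The returned bytes are what step 4 writes to tmp.bin; the key inside is still password-protected until step 5.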

So now you should have your private key in a file called key.pem and it should look like this :

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Find the certificate that was sent back by the issuing authority and concatenate it onto the end thus giving you a file similar to :

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Your file is now in the format required by IceWarp. Rename this file to cert.pem and move it into the IceWarp installation directory (you may wish to back up the old file first). Restart the services and then attempt to connect using the SSL port and the https protocol.

3. Certificate Conversion from IIS 5.0

The process is slightly different for IIS 5.0. It is far easier to just request and install a certificate on the server, then extract the parts we need.

Request and Install the certificate for the website in the normal manner. You should have backed it up anyway, but if you have not then it is likely that the Certificate Manager also needs setting up.

Start -> Run mmc.exe

Under the Console Menu choose Add/Remove Snap-in.

Choose Add then Certificates (for Computer Account, Local Computer)

Under the Console Menu choose Save As and save as “Certificates Manager”.

Open up the Certificates Manager (it will have been placed into the administration tools on your Start Menu)

Find the certificate you want to use (Look under Personal Certificates). Right click the certificate and choose Export.

When asked, reply “Yes, export the private key”. The correct export type is the “Personal Information Exchange PKCS12” format.

Enter a password twice, then the name of the file to export to.

The Certificates Manager will now export the file to disk.

Using the openssl tool we can extract both the private key and the certificate from the exported file :

openssl pkcs12 -in <infile> -out cert.pem -nodes

You will need to enter the password to extract the keys.

This will create a file called cert.pem:

Bag Attributes
1.3.6.1.4.1.311.17.2: <No Values>
localKeyID: 01 00 00 00
1.3.6.1.4.1.311.17.1: Microsoft RSA SChannel Cryptographic Provider
friendlyName: f0ab0ab6ba76154b8482652adfd0392e_c071ee15-fbd3-4bb8-b597-cd153273f125
Key Attributes
X509v3 Key Usage: 10

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Bag Attributes
localKeyID: 01 00 00 00
friendlyName: GPC Secure
subject=/C=GB/ST=Staffordshire/L=Lichfield/O=Global Performance Centre Ltd/OU=Sales and Marketing/CN=secure.gpc1.com
issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/Email=server-certs@thawte.com

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

All that is needed now is to remove the extra information from the file and you have the required cert.pem for IceWarp software.
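
One way to do that clean-up without hand-editing, as an added example (not part of the original IceWarp document): the Python below keeps only the two PEM sections, puts the private key first, and refuses input that does not contain exactly one of each. The function names, the one-key/one-certificate rule and the owner-only file mode are assumptions made for this illustration; the sample dump is constructed from dummy bytes.

```python
import base64
import os
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
# Labels of the two sections the page shows in cert.pem, in file order.
WANTED = ("RSA PRIVATE KEY", "CERTIFICATE")

def to_icewarp_pem(dump):
    """Strip Bag Attributes from `openssl pkcs12 -nodes` output; key first."""
    found = {}
    for m in PEM_BLOCK.finditer(dump):
        label, lines = m.group(1), m.group(2).split()
        if label not in WANTED:
            raise ValueError(f"unexpected PEM section: {label}")
        if label in found:
            raise ValueError(f"more than one {label} section; pick one by hand")
        der = base64.b64decode("".join(lines), validate=True)
        if not der.startswith(b"\x30"):  # keys and certs are DER SEQUENCEs
            raise ValueError(f"{label} body is not DER")
        found[label] = "\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])
    missing = [label for label in WANTED if label not in found]
    if missing:
        raise ValueError(f"missing section(s): {missing}")
    return "\n\n".join(found[label] for label in WANTED) + "\n"

def write_owner_only(path, text):
    """-nodes leaves the key unencrypted, so create the file with mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(text)

def pem_block(label, der):  # helper for the constructed sample below
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample: dummy bytes, not a real key or certificate.
SAMPLE = (
    "Bag Attributes\r\n    localKeyID: 01 00 00 00\r\nKey Attributes\r\n"
    + pem_block("RSA PRIVATE KEY", b"\x30\x82\x01\x39" + bytes(60))
    + "Bag Attributes\n    friendlyName: example\n"
    "subject=/CN=mail.example.test\nissuer=/CN=Example Test CA\n"
    + pem_block("CERTIFICATE", b"\x30\x82\x02\x8d" + bytes(range(60))))

if __name__ == "__main__":
    print(to_icewarp_pem(SAMPLE), end="")
```

On Windows the mode argument has little effect, so restrict access to cert.pem with the file's ACL instead.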

