SSL and TLS Certificates via the GUI

General

Mailborder automatically generates self-signed certificates during the installation process. These certificates are acceptable for general administration, but should be replaced with certificates issued by a valid Certificate Authority for any public-facing component like the User Portal.

Let's Encrypt

You may use Let's Encrypt on Mailborder servers. It saves the headache of constantly keeping your SSL certificates updated, and it is totally free. The Let's Encrypt CA is recognized by all modern web browsers.

Wildcard Certificates

Note that if you have wildcard certificates, Mailborder’s automated process is unable to match certificates that are multiple levels deep. 

This will work with a wildcard certificate for *.domain.com:

host.domain.com

This will not work:

host.sub.domain.com

You may use a wildcard certificate like this with Mailborder, but it cannot be added via the GUI. It will have to be added via the command line. 

 

Installing Certificates via the GUI

If you have a valid public SSL certificate, you may install it on the Mailborder server via the web interface. Navigate to:

Components > SSL/TLS Certificates

Mailborder will automatically use these certificates on both Master and Child servers. Wildcard certificates may also be used. Ensure that the private key is not password protected, which is explained in further detail below. 

 

Public PEM Certificate

Mailborder uses PEM certificates for SSL and TLS. PEM certificates are combined certificates containing your public SSL/TLS certificate, the intermediate CA, and the root CA. 

The public certificate will work without the intermediate CA and root CA, but users may encounter browser errors. Therefore, it is better to include these additional certificates in your PEM file.

Make sure to include the beginning and end tags on each certificate. In the example below, Comodo intermediate and root certificates are used, but this process applies to any certificate authority, including self-signed certificates.

The result of your PEM file should look like this:

-----BEGIN CERTIFICATE----- 
(Your Primary SSL certificate: your_domain_name.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Intermediate certificate: COMODOCA.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Root certificate: AddTrustExternalCAROOT.crt) 
-----END CERTIFICATE-----

Do not include the private key in Mailborder PEM files. 

Private Key

The private key must have its password protection removed, or services that use the certificate and key will not start. First, check whether the key is encrypted. If it is encrypted, it will start with something like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC
6AC307785DD187EF...
-----END RSA PRIVATE KEY-----

 

If it is not encrypted, it will look something like this:

-----BEGIN RSA PRIVATE KEY-----
6AC307785DD187EF...
-----END RSA PRIVATE KEY-----

If the key is not encrypted, you can enter it into the Master GUI without modifying it.

Removing Password Protected Encryption

To remove the password from a password-protected key, run the command below.

file1.key is your current password-protected key.

openssl rsa -in file1.key -out file2.key

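file2.key will contain your unencrypted key. Because this file is no longer protected by a password, restrict its file permissions and delete any working copies once the key has been entered.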
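
A pre-upload check for the rules above (no private key in the PEM file, no password on the key, single-level wildcard names), as an added example that is not Mailborder code. The function names are hypothetical, and the wildcard check applies the usual one-label rule, which is an assumption about Mailborder's matching beyond the two hostnames shown on this page.

```shell
#!/bin/sh
# Added example: checks for the upload rules on this page. Function names
# are hypothetical and not part of Mailborder.

# True if the key is password protected: legacy PEM keys carry a
# "Proc-Type: 4,ENCRYPTED" header, PKCS#8 keys an "ENCRYPTED" armor line.
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# True if the certificate bundle contains any private key block.
bundle_has_private_key() {
    grep -Eq '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"
}

# Prints how many certificates the bundle holds (leaf + intermediate + root = 3).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# True if certificate name $1 covers host $2 (both lowercase). "*" stands
# for exactly one DNS label, so it never spans "host.sub".
name_covers_host() {
    pattern=$1; host=$2
    case $pattern in
        '*.'*)
            suffix=${pattern#\*}        # "*.domain.com" -> ".domain.com"
            label=${host%"$suffix"}     # text the "*" would have to match
            [ "$label" != "$host" ] && [ -n "$label" ] || return 1
            case $label in *.*) return 1 ;; esac
            return 0 ;;
        *) [ "$pattern" = "$host" ] ;;
    esac
}

# Prints one line per problem and returns the number of problems found.
preflight() {
    bundle=$1; key=$2; problems=0
    if bundle_has_private_key "$bundle"; then
        echo "bundle: contains a private key"; problems=$((problems + 1))
    fi
    if [ "$(count_certs "$bundle")" -lt 1 ]; then
        echo "bundle: no certificate found"; problems=$((problems + 1))
    fi
    if key_is_encrypted "$key"; then
        echo "key: password protected"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh preflight.sh bundle.pem private.key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

The script exits with the number of problems found, so an exit status of 0 means the files match the format described on this page.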