An SSL certificate is required to use encrypted communication (VPN, HTTPS, etc.). SSL certificates are used to authenticate an identity on a server.
To generate SSL certificates, Kerio Control uses its own local authority. It creates the first certificate during installation, and the server can use this certificate.
To keep users from seeing a confirmation message that suggests the site is not secure, generate a new certificate request in Kerio Control and send it to a certification authority for authentication. This article covers the process to properly configure SSL certificates.
Kerio Control supports certificates in different formats:
- Certificate (public key) — X.509 Base64 in text format (PEM). The file has the extension .crt.
- Private key — The file is in RSA format, has the extension .key, and has a maximum size of 4 KB. A passphrase is supported.
- Certificate + private key in one file — The format is PKCS#12. The file has the extension .pfx or .p12.
Creating a New Local Authority
A Local Authority is generated automatically during the Kerio Control installation. However, the hostname and other data are incorrect, so a new certificate for the Local Authority needs to be generated.
To create and use a certificate for the Local Authority:
- Go to Definitions > SSL Certificates.
- Click Add > New Certificate for Local Authority.
- In the New Certificate for Local Authority dialog box, enter the Kerio Control hostname, the official name of the company, country, city, and the period for which the certificate should be valid.
The new Local Authority will be available and visible in Definitions > SSL Certificates. The old one is:
- Changed from Local Authority to Authority.
- Renamed to Obsolete Local Authority.
- Available as a trusted authority for IPsec.
For additional information on how to export the local authority and import it as root certificate to a browser, refer to Exporting and Importing Kerio Control Local Authority as a Root Certificate.
Creating a Certificate Signed by a Local Authority
Create a new certificate if the old one is not valid anymore. To create a certificate:
- Open section Definitions > SSL Certificates.
- Click Add > New Certificate.
- In the New Certificate dialog box, enter the hostname of Kerio Control, the official name of the company, country, and city where the company resides, as well as the period of validity. Hostname is a required field.
- Save the settings.
Confirmation: The certificate can now be used. To use it, select it in the settings of the specific service (e.g. for the SSL certificate of a VPN server, choose Interfaces > VPN Server).
Creating a Certificate Signed by a Certification Authority
To create and use a certificate signed by a trustworthy certification authority:
- Open Definitions > SSL Certificates.
- Click Add > New Certificate Request.
- In the New Certificate Request dialog box, enter the hostname of Kerio Control, the official name of the company, country, city where the company resides and the period of validity. Hostname is a required field.
- Choose the certificate request and click More Actions > Export.
- Save the certificate to the local disk and email it to a certification organization (e.g. Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode, etc.).
- Once the certificate signed by a certification authority is obtained, go to Definitions > SSL Certificates.
- Choose the original certificate request (the certificate request and the signed certificate must be matched).
- Click More Actions > Import.
Confirmation: The certificate replaces the certificate request and can now be used. To use it, select it in the settings of the specific service (e.g. for the SSL certificate of a VPN server, choose Interfaces > VPN Server).
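The following is an added example, not part of Kerio's documentation: a shell function that checks a CA-returned certificate before the import step above, confirming that it is PEM text, carries the same public key as the exported request, and is not close to expiry. It assumes the OpenSSL command-line tool on the administrator's workstation; the function names, file names, and the 30-day default are hypothetical, and the sample pair it generates is constructed (a self-signed certificate stands in for the CA's response).

```shell
#!/bin/sh
# Added example: pre-import check for a certificate returned by a CA.
# Assumes the OpenSSL CLI; function and file names are hypothetical.

# Create a constructed, throwaway request and self-signed certificate in $1.
make_sample_pair() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fw.example.test" \
        -keyout "$1/sample.key" -out "$1/sample.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/sample.csr" -signkey "$1/sample.key" \
        -days 365 -out "$1/sample.crt" >/dev/null 2>&1
}

# check_signed_cert REQUEST.csr SIGNED.crt [DAYS]
# Returns 0 ok, 1 key mismatch, 2 unreadable or not PEM, 3 expiring within DAYS.
check_signed_cert() {
    csr=$1 crt=$2 days=${3:-30}
    # The page lists the certificate format as X.509 Base64 text (PEM).
    grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null ||
        { echo "not a PEM certificate: $crt"; return 2; }
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) &&
        [ -n "$csr_key" ] || { echo "unreadable request: $csr"; return 2; }
    crt_key=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) &&
        [ -n "$crt_key" ] || { echo "unreadable certificate: $crt"; return 2; }
    # The signed certificate must carry the public key from this request.
    [ "$csr_key" = "$crt_key" ] ||
        { echo "certificate does not match the request"; return 1; }
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null ||
        { echo "certificate expires within $days days"; return 3; }
    echo "ok: certificate matches request"
}

# With two arguments, check real files; otherwise run on a constructed sample.
if [ "$#" -ge 2 ]; then
    check_signed_cert "$@"
else
    demo_dir=$(mktemp -d)
    make_sample_pair "$demo_dir" &&
        check_signed_cert "$demo_dir/sample.csr" "$demo_dir/sample.crt"
    rm -rf "$demo_dir"
fi
```

A return code of 1 means the CA signed a different key than the one in the selected request, which is the mismatch the import step warns about.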
Importing Intermediate Certificates
Kerio Control allows authentication by intermediate certificates. To add an intermediate certificate:
- In the administration interface, go to section Configuration > SSL Certificates.
- Import certificates by choosing Import > Import Certificate of an Authority.
- Save the settings.
NOTE: For multiple intermediate certificates, add them all in the same way.
Changing SSL Certificates
If a certificate is expiring and a new one is imported, the new certificate must be selected in every Kerio Control service that uses the expiring certificate.