Configuring SSL certificates in Kerio Control

You need an SSL certificateSSL certificates are used to authenticate an identity on a server. to use encrypted communication (VPNVirtual private network - A network that enables users connect securely to a private network over the Internet., HTTPSHypertext Transfer Protocol - version of HTTP secured by SSL. etc.). SSLSecure Sockets Layer - A protocol that ensures integral and secure communication between networks. certificates are used to authenticate an identity on a server.

For generating SSL certificates, Kerio Control uses its own local authority. Kerio Control creates the first certificate during installation. The server can use this certificate.

However, to avoid users seeing a confirmation message that suggests the site is not secure, you must generate a new certificate request in Kerio Control and send it to a certification authority for authentication.

Kerio Control supports certificates in the following formats:

• Certificate (public key) — X.509 Base64 in text format (PEM). The file has the extension .crt.
• Private key — The file is in RSA format and it has the extension .key with 4KB max. Passphrase is supported.
• Certificate + private key in one file — The format is PKCS#12. The file has the extension .pfx or .p12.

Creating a new Local Authority

Local Authority is generated automatically during Kerio Control installation. However, the hostname and other data are incorrect, so you need to generate a new certificate for the Local Authority.

To create and use a certificate for the Local Authority:

1. Go to Definitions > SSL Certificates.
2. Click Add > New Certificate for Local Authority.
3. In the New Certificate for Local Authority dialog box, type the Kerio Control hostname, the official name of your company, the city and country of your company, and the period for which the certificate should be valid.

The new Local Authority will be available and visible in Definitions > SSL Certificates. The old one is:

• Changed from Local Authority to Authority
• Renamed to Obsolete Local Authority
• Available as a trusted authority for IPsecInternet Protocol security - A network protocol used to encrypt and secure data sent over a network.

If you need to know how to export the local authority and import it as root certificate to a browser, read the Exporting and importing Kerio Control local authority as root certificate article.

Creating a certificate signed by Local Authority

Create a new certificate if the old one is not valid anymore.

To create a certificate, follow these instructions:

1. Open section Definitions > SSL Certificates.
2. Click Add > New Certificate.
3. In the New Certificate dialog box, type the hostname of Kerio Control, the official name of your company, city and country where your company resides and the period of validity. Hostname is a required field.
4. Save the settings.

Now you can use this certificate. Using the certificate means that you have to select it in the specific settings (for example SSL certificate for VPN server you have to select in Interfaces > VPN Server).

Creating a certificate signed by a Certification Authority

To create and use a certificate signed by a trustworthy certification authority, follow these instructions:

1. Open Definitions > SSL Certificates.
2. Click Add > New Certificate Request.
3. In the New Certificate Request dialog box, type the hostname of Kerio Control, the official name of your company, city and country where your company resides and the period of validity. Hostname is a required field.
4. Select the certificate request and click More Actions > Export.
5. Save the certificate to your disk and email it to a certification organization. For example, Verisign, Thawte, SecureSign, SecureNet, Microsoft Authenticode and so on.
6. Once you obtain your certificate signed by a certification authority, go to Definitions > SSL Certificates.
7. Select the original certificate request (the certificate request and the signed certificate must be matched)
8. Click More Actions > Import.

The certificate replaces the certificate request. You can use this certificate. Using the certificate means that you have to select it in the specific settings (for example SSL certificate for VPN serverKerio Control includes a VPN server which provides users to connect to the Kerio Control network from the Internet securely. you have to select in Interfaces > VPN Server).

Importing intermediate certificates

Kerio Control allows authentication by intermediate certificates.

To add an intermediate certificate to Kerio Control, follow these steps:

1. In the administration interface, go to section Configuration > SSL Certificates.
2. Import certificates by clicking on Import > Import Certificate of an Authority.

3. Save the settings.

Changing SSL certificates

If your certificate is expiring and you need to import a new one, you must also select the certificate in all Kerio Control services where the expiring certificate is used. For more information refer to Changing SSL certificates in Kerio Control.