SSL Certificates

The BlueMind servers use certificate-based authentication. The certificates generated when BlueMind is installed can be replaced by customized certificates on a single-server installation.

The BlueMind admin console offers two ways to update a certificate:

  • By replacing files (new certificate, private key and certification authority certificate)
  • Using Let's Encrypt certificate generation

Certificate management is not specific to BlueMind mail. The BlueMind teams cannot carry out certificate management or configuration as part of their support packages.

Prerequisites

Email relies heavily on certificates and their proper management. For example, your email will not work if your certificates expire. It is paramount that you know how to manage them well (please refer to the chapter on External links if necessary).

Certificate installation

You must ensure an external URL has been set for your system, or for the domain concerned by this certificate installation (see the chapter on External URL configuration if necessary).

You can check this in System Management > System Configuration > Reverse Proxy for the system, and in System Management > Managed Domains > YourDomain > General for the domain.

Files required

You must make sure that the certificates correspond to your mail system's external-url, otherwise your mail system will not work.

To set up an SSL certificate, you need the following 3 files:

  1. a file containing the new SSL certificate
  2. a file containing the private key for the new certificate – not password protected
  3. a file containing the certificate from the certificate authority responsible for issuing the new SSL certificate. If this authority is a subordinate authority, that authority's root certificate must be concatenated to the file. 

If your certificate is in P12 format, you must generate the certificate and the private key in PEM format using the commands:

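# Extract the private key; -nodes writes it unencrypted (not password protected), as required above
openssl pkcs12 -nocerts -nodes -in cert.p12 -out privatekey.pem
# Extract the client (leaf) certificate only, without the key
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem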

Warning: you must double-check that the CN or alternative name is the BlueMind server's external URL. You can check the CN using the command:

openssl x509 -noout -subject -in cert.pem
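
The requirements in this section (unprotected key, key matching the certificate, name matching the external URL, complete CA file) can be checked together before uploading. The script below is an added example, not part of the BlueMind documentation or product; the function name check_cert_files and the hostname mail.example.test are assumptions, and the hostname argument is the host part of your external URL.

```shell
#!/bin/sh
# Added example (not BlueMind code): sanity-check the three PEM files before upload.
# Usage: check_cert_files CERT KEY CA_FILE HOSTNAME
# HOSTNAME is the host part of the external URL (assumed here: mail.example.test).
check_cert_files() {
    cert=$1; key=$2; ca=$3; host=$4; rc=0

    # The private key must not be password protected.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: private key is password protected" >&2; rc=1
    fi

    # The key must belong to the certificate: compare the two public keys.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" -passin pass: 2>/dev/null </dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate" >&2; rc=1
    fi

    # The CN or subjectAltName must cover the external hostname.
    if ! openssl x509 -noout -checkhost "$host" -in "$cert" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: certificate is not valid for $host" >&2; rc=1
    fi

    # The certificate must not already be expired.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate has expired" >&2; rc=1
    fi

    # The CA file (issuer, plus the root if the issuer is subordinate)
    # must build a complete chain for the certificate.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: chain does not verify against $ca" >&2; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: files are consistent for $host"
    return "$rc"
}

# Run the checks when the script is called with four arguments.
if [ "$#" -eq 4 ]; then check_cert_files "$@"; fi
```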

Installing the certificate for the system

  • Log into BlueMind as admin0 and go to the admin console 
  • Go to the page Security > Modify Certificate
  • Choose "Files" in the drop-down list, and use the three "Browse" ("Parcourir") buttons to find the files required and send them to the server
  • Click "Save" to upload the files and apply the new certificate.

Installing the certificate for a domain

  • Log into BlueMind as admin0 and go to the admin console
  • Go to the page System Management > Managed Domains
  • Select the domain you want to configure
  • Click the "Certificate and Encryption" tab
  • Choose "Files" in the drop-down list
  • Use the 3 "Browse..." buttons to search for the corresponding files and send them to the server
  • Click "Save" to upload the files and apply the new certificate.

Let's Encrypt certificate generation

  • Log into BlueMind as admin0 and go to the admin console 
  • Go to the page Security > Modify Certificate
  • Choose "Let's Encrypt" in the dropdown list

Accept the conditions

You must accept the Let's Encrypt conditions to be able to generate the certificate.

Clicking "Let’s Encrypt conditions" automatically accepts the conditions and opens a tab showing them.

Once done, the grayed-out button you must click to generate the certificate is enabled.

Generate the certificate for the system

You may enter an email address that Let's Encrypt will use to notify you when the certificate expires.

If not provided, a default address 'no-reply@<default-domain>' will be used (a default domain must be defined in the System Management beforehand).

Generate a certificate for a domain

  • Log into BlueMind as admin0 and go to the admin console
  • Go to the page System Management > Managed Domains
  • Select the domain you want to configure
  • Click the "Certificate and Encryption" tab
  • Choose "Let's Encrypt" in the dropdown list

Repeat the operations "Accept the conditions" and "Generate the certificate for the system".

Renew a certificate

A scheduled job will automatically renew the Let's Encrypt certificate, if it has already been generated once.

However, you can renew the certificate manually, following the same procedure as for generation.

Delete a domain certificate

This operation will remove the domain certificates from the servers.

  • Log into BlueMind as admin0 and go to the admin console
  • Go to the page System Management > Managed Domains
  • Select the domain you want to configure
  • Click the "Certificate and Encryption" tab
  • Choose "Disable" in the drop-down list and click "Disable SSL Certificate"
  • Click on "Save" to delete the files on the server

This "Disable" option is only available for a domain, not for the system.