SSL Certificates
The BlueMind servers use certificate-based authentication. The certificates generated when BlueMind is installed can be replaced by customized certificates on a single-server installation.
The BlueMind admin console offers two procedures for updating a certificate:
- By replacing files (new certificate, private key and certification authority certificate)
- Using Let's Encrypt certificate generation
Certificate management is not specific to BlueMind mail. The BlueMind teams cannot carry out certificate management or configuration as part of its support packages.
Prerequisites
Email relies heavily on certificates and their proper management. For example, your email will not work if your certificates expire. It is essential to master their management (see the Required Files section if necessary).
External URLs
Make sure that an external URL has been defined for the global system or for the domain concerned by this certificate installation.
For more information, please visit the page External URL Configuration.
Adding an external URL to a domain is optional and only recommended in the case of Multi-domain Messaging.
Required Files
Let's Encrypt Certificate
No files required
Certificate by file
To set up an SSL certificate, you need the following 3 files:
- a file containing the new SSL certificate
- a file containing the new certificate's private key - the key must not be password-protected AND must use the RSA 2048 algorithm or higher.
- a file containing the certificate from the certificate authority responsible for issuing the new SSL certificate. If this authority is a subordinate authority, that authority's root certificate must be concatenated to the file.
You must make sure that the certificates correspond to your mail system's external URL, otherwise your mail system will not work.
If your certificate is in P12 format, you must generate the certificate and the private key in PEM format using the commands:
openssl pkcs12 -nocerts -in cert.p12 -out privatekey.pem
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem
Warning: you must double-check that the CN or a subject alternative name is the BlueMind server's external URL. You can check the CN using the command:
openssl x509 -noout -subject -in cert.pem
You can also check the algorithm used by the private key (RSA 2048 or higher) with the command:
openssl pkey -in privatekey.pem -text
Elliptic-curve keys (e.g. ed25519) are not supported.
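The following script bundles the checks described above (unencrypted RSA key of at least 2048 bits, CN/SAN matching the external URL, key belonging to the certificate, chain verifying against the CA file, and expiry) so the three files can be validated before they are uploaded. It is an added example, not a BlueMind tool; it assumes openssl is on the PATH, and the file names and the host name passed as arguments are hypothetical.

```shell
# Pre-upload checks for the three "Certificate by file" inputs (added example,
# not BlueMind's own tooling). Arguments: certificate file, private-key file,
# CA-chain file, and the BlueMind external URL host name.

# 0 if the key is unencrypted RSA of at least 2048 bits; 1 otherwise.
check_key() {
  # Encrypted PEM keys carry ENCRYPTED in their header (PKCS#8 or legacy format).
  if grep -q 'ENCRYPTED' "$1"; then echo "key is password-protected"; return 1; fi
  info=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || { echo "unreadable key"; return 1; }
  # EC/EdDSA keys are rejected: their -text output names a curve instead of RSA primes.
  case "$info" in
    *"ASN1 OID"*|*"NIST CURVE"*|*ED25519*|*ED448*) echo "elliptic-curve key not supported"; return 1 ;;
  esac
  # Both "RSA Private-Key: (2048 bit, ...)" and "Private-Key: (2048 bit, ...)" match.
  bits=$(printf '%s\n' "$info" | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge 2048 ] || { echo "RSA key shorter than 2048 bits"; return 1; }
}

# 0 if the certificate's CN or subject alternative name covers the host name.
check_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match'
}

# 0 if the private key belongs to the certificate (identical public key).
check_pair() {
  certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# 0 if the certificate chains to the CA file and is not within 30 days of expiry.
check_chain_and_expiry() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "certificate does not chain to CA file"; return 1; }
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null || { echo "certificate expires within 30 days"; return 1; }
}

# Runs every check; returns 0 only when all of them pass.
# usage: check_bm_cert_files cert.pem privatekey.pem ca.pem mail.example.com
check_bm_cert_files() {
  check_key "$2" && check_host "$1" "$4" && check_pair "$1" "$2" && check_chain_and_expiry "$1" "$3"
}
```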
Installing the certificate for the global system
- Log into BlueMind as admin0 and go to the admin console
- Go to the page Security > Modify Certificate
- Choose the SSL certificate engine: Files or Let's Encrypt
The certificate installed for the global system will be used for SSL/TLS by the SMTP, IMAP and POP protocols.
Certificate via files
- Choose "Files" from the drop-down list:
- Using the 3 "Choose file" buttons, search for corresponding files in order to send them to the server.
- Click on Save to upload the files and accept the new certificate.
Let's Encrypt Generation
To generate a certificate with Let's Encrypt:
- Choose Let's Encrypt from the drop-down list:
- Accept the conditions by clicking on the dedicated button
💡 The Let's Encrypt terms and conditions can be viewed by clicking on the "Let's Encrypt terms and conditions" link. Once done, the grayed-out button you must click to generate the certificate is enabled.
- E-mail: Enter a valid and active e-mail address to receive alerts sent by Let's Encrypt about expiration and/or renewal of the generated certificate.
💡 If no default address is set, the address no-reply@<default-domain> will be used. In the case of Multi-domain Messaging (shared server), a default domain must be defined beforehand.
- Additional URLs: Enter the domains for which the certificate is to be generated in addition to the external URLs and other URLs entered in the installation's domain administration form.
- Click on "Save" to accept the new certificate.
Installing the certificate for a domain
- Log into BlueMind as admin0 and go to the admin console
- Go to System management > Supervised domains
- Select the domain you want to configure
- Click on the 'Certificate and Encryption' tab
- Follow the certificate generation process "via files" or via "Let's Encrypt"
Renew a certificate
A scheduled task automatically renews the generated Let's Encrypt certificate. During the 30 days before the certificate expires, renewal is attempted once a day. During the last 5 days before expiration, if renewal still fails, an alert message is sent to the contact email address entered during the Let's Encrypt configuration.
It is also possible to renew the certificate manually, following the same procedure as for generation.
Find out more
Related BlueMind documentation pages
External links
- Guide élémentaire du SSL - Travailler en toute sécurité dans un monde numérique (source: certificat.fr) - in French only