Overview
You have upgraded to Kerio Connect 9.4 and want to make use of the automatic Let's Encrypt certificate creation process that was integrated directly within the Web Admin.
Solution
Kerio Connect 9.4 integrates Let's Encrypt certificates directly into the product, including auto-renewal of the 90-day certificates. Let's Encrypt is a free, automated, and open not-for-profit certificate authority. Admins can generate these certificates directly from the SSL Certificates pane, in the same way they previously created self-signed certificates.
Note: To generate SSL certificates successfully, it is mandatory to have the Kerio Connect mail server reachable on Port 80 / HTTP. The Let's Encrypt API will search for the submitted domain name and will verify all the needed information via HTTP.
Opening port 80 might be seen as a security risk for the server and users. It is therefore recommended to allow only encrypted connections to Kerio Connect, which forces users to use webmail over port 443 / HTTPS instead of unsecured HTTP. Another option is to use an HTTP-to-HTTPS redirection function on the gateway firewall.
- Navigate to WebAdmin > Configuration > SSL Certificates.
- Select New > New Let's Encrypt Certificate.
- Enter the Hostname for your Mail Server and click OK.
Note: Remember that the provided hostname must be HTTP-accessible. You can generate certificates for any sub-domains, as needed.
- The dialog will load, sending the request to Let's Encrypt. Once it has finalized the creation, a new certificate will appear for the domain/hostname that you specified.
- As with other certificates within Kerio Connect, once generated, you can set your new Let's Encrypt certificate as the Default Certificate by right-clicking and choosing "Set as Default." Once set as the default, it is suggested to remove any expired or self-signed certificates to avoid conflicts.
Testing
After setting your new Let's Encrypt certificate as the default certificate, reload a connection to the WebAdmin or WebMail and verify the Lock Icon appears in your Web Browser of choice. Selecting this and viewing the certificate will show your new certificate.
If the old certificate still appears, make sure that you have set the Let's Encrypt certificate as the default, then restart Kerio Connect so that the new certificate is used for new connections.
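The same check can be scripted from any client machine. The following is an added example, not part of Kerio Connect or the original article: it connects with full certificate verification, as a browser does, and reports whether the served certificate was issued by Let's Encrypt and how many days remain. The 30-day warning threshold, the function names and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_WARN_DAYS = 30  # assumption: flag 90-day certs with under 30 days left


def assess_cert(cert, now):
    """Judge a certificate dict in ssl.SSLSocket.getpeercert() format."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    return {
        "lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "names": names,
        "days_left": days_left,
        "renewal_overdue": days_left < RENEW_WARN_DAYS,
    }


def check_host(host, port=443, timeout=10):
    """Connect with full verification and assess the served certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess_cert(tls.getpeercert(),
                                   datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        # A self-signed, expired or wrong-name certificate is still being
        # served: the new certificate is not the default, or the service
        # has not been restarted.
        return {"error": exc.verify_message}


# Constructed sample in getpeercert() format, not captured from a real server.
SAMPLE = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "mail.example.com"),),
    "notAfter": "Jun 30 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))  # e.g. python check.py mail.example.com
    else:
        print(assess_cert(SAMPLE, datetime(2025, 6, 1, 12, tzinfo=timezone.utc)))
```

A result containing "error" means clients are still being offered an untrusted certificate, which matches the case above where the old certificate is still appearing.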