User Tools

Site Tools


how_to:create_an_ssl_certificate

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
how_to:create_an_ssl_certificate [2010/02/03 10:19]
paul created
how_to:create_an_ssl_certificate [2018/11/14 10:45] (current)
Line 1: Line 1:
 ======How to create an SSL Certificate====== ======How to create an SSL Certificate======
 +VPOP3 Enterprise supports SSL certificates for encrypted sessions.
 +
 The basic mechanism to create an SSL certificate is that you have to generate a **CSR** (Certificate Signing Request) then send that to a **CA** (Certificate Authority) who will sign your certificate and give you the certificate back. The basic mechanism to create an SSL certificate is that you have to generate a **CSR** (Certificate Signing Request) then send that to a **CA** (Certificate Authority) who will sign your certificate and give you the certificate back.
  
-When you generate the CSR, you will also generate a **Private Key** file. This isn't sent anywhere, but is needed, so keep it safe.+When you generate the CSR, you will also generate a **Private Key** file. This isn't sent anywhere, but is needed, so keep it safe. For VPOP3'​s use the private key file **must not** have a password.
  
 VPOP3 requires certificates & private keys to be in .PEM (Privacy Enhanced Mail) format which is a common format used by most people other than Microsoft. There are ways to convert .P12 .PFX and .CER files to PEM format, but those are outside the scope of this article. VPOP3 requires certificates & private keys to be in .PEM (Privacy Enhanced Mail) format which is a common format used by most people other than Microsoft. There are ways to convert .P12 .PFX and .CER files to PEM format, but those are outside the scope of this article.
Line 11: Line 13:
  
 You can also set up as your own CA. The GenCert program above will let you do this, other programs are available to do this. This is free, but when you access a service using a certificate signed by your own CA, the email client or web browser may warn you that the certificate is not validated properly, and you will need to accept the warning. The data will still be encrypted just as with a £800 Verisign certificate,​ but the warning may not be desirable, and the server'​s identity will not be verified. It can be useful to use this method for testing, and then have a recognised CA sign the certificate when you are ready for wider deployment. You can also set up as your own CA. The GenCert program above will let you do this, other programs are available to do this. This is free, but when you access a service using a certificate signed by your own CA, the email client or web browser may warn you that the certificate is not validated properly, and you will need to accept the warning. The data will still be encrypted just as with a £800 Verisign certificate,​ but the warning may not be desirable, and the server'​s identity will not be verified. It can be useful to use this method for testing, and then have a recognised CA sign the certificate when you are ready for wider deployment.
 +
 +Note that the '​Private Key' file MUST NOT require a password to access it.
 +
 +=====Obtaining a certificate=====
 +You can self-sign certificates or get them from a Certificate Authority.
 +
 +We can obtain basic GeoTrust certificates for you for £29.95 (+VAT if applicable) per year. Please [[mailto:​sales@pscs.co.uk|contact us]] for details as we need extra information to produce the certificate for you. We can also obtain more complex certificates if you require, but for most cases they aren't necessary.
 +
 +Please note that if you get a certificate from another source there is a limited amount we can do if there is a problem since you may have requested the wrong type of certificate or have the wrong settings. If we supply a certificate it will work with VPOP3 Enterprise, if someone else supplies it we cannot guarantee that.
 +
 +=====Intermediate Certificates=====
 +A lot of certificates nowadays need to have an '​Intermediate Certificate'​ with them. In PEM files you simply concatenate them, so the certificate file (vpop3sslc.pem) will look like:
 +
 +<​code>​
 +-----BEGIN CERTIFICATE-----
 +<site certificate>​
 +-----END CERTIFICATE-----
 +-----BEGIN CERTIFICATE-----
 +<​intermediate certificate>​
 +-----END CERTIFICATE-----
 +</​code>​
 +If the issuing certificate authority requires an intermediate certificate you will have to get that certificate'​s details from them, we cannot supply that information (unless you purchased the certificate via ourselves).
  
  
how_to/create_an_ssl_certificate.1265192392.txt.gz · Last modified: 2018/11/14 10:44 (external edit)