Use a bought SSL certificate

iRedMail generates a self-signed SSL certificate during installation. This is fine if you just want to secure the network connections (POP3/IMAP/SMTP over TLS, HTTPS), but mail clients and web browsers will prompt an annoying message warning that the self-signed certificate is not trusted. To avoid this message, you have to buy an SSL certificate from an SSL certificate provider. Searching for "buy ssl certificate" on Google will turn up many SSL providers; choose the one you prefer.

Get an SSL certificate

Request a free cert from Let's Encrypt

We have another tutorial that shows how to request a free cert from Let's Encrypt: Request a free cert from Let's Encrypt.

Buy from a trusted SSL vendor

To buy an SSL cert from a trusted vendor, you need to generate a new SSL key and a signing request file on your server with the openssl command:

Warning

Do NOT use a key length smaller than 2048 bits; it's insecure.

# openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out server.csr

This command will generate two files:

The openssl command will prompt for the following X.509 attributes of the certificate:

NOTE: Some certificates can only be used on web servers using the Common Name specified during enrollment. For example, a certificate for the domain domain.com will receive a warning if accessing a site named www.domain.com or secure.domain.com, because www.domain.com and secure.domain.com are different from domain.com.

Now you have two files: privkey.pem and server.csr. Go to the website of your preferred SSL provider; it will ask you to upload the server.csr file to issue an SSL certificate.

Usually, the SSL provider will give you 2 files:

We need the above 2 files and privkey.pem. Upload them to your server. You can store them in any directory you like; the recommended directories are:

Use the bought cert

The easiest and quickest way to use the bought cert is to replace the self-signed SSL cert generated by the iRedMail installer, then restart the services which use the cert files.
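
Before replacing the files, it helps to confirm that privkey.pem is at least 2048 bits, that it matches the certificate in fullchain.pem, and that the certificate covers the hostname clients connect to. The script below is an added example, not part of the iRedMail documentation; the function names and the hostname mail.example.com are assumptions, and it assumes an RSA key and a fullchain.pem with the server certificate first.

```shell
#!/bin/sh
# Added example (not from the iRedMail docs): pre-install checks for
# privkey.pem and fullchain.pem. Function names are hypothetical.
# Assumes an RSA key, and that the leaf cert comes first in fullchain.pem
# (openssl x509 reads only the first certificate in a file).

# Print the RSA modulus size in bits, or nothing if the key is unreadable.
rsa_key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Print SHA-256 of the public key derived from a private key file.
pubkey_hash_of_key() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print SHA-256 of the public key embedded in the leaf certificate.
pubkey_hash_of_cert() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if the leaf certificate is valid for the given hostname.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# preflight KEY FULLCHAIN HOSTNAME: return 0 only if every check passes.
preflight() {
    key=$1; chain=$2; host=$3; rc=0
    bits=$(rsa_key_bits "$key")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: key is ${bits:-0} bits, need at least 2048"; rc=1; }
    kh=$(pubkey_hash_of_key "$key") && ch=$(pubkey_hash_of_cert "$chain") &&
        [ "$kh" = "$ch" ] ||
        { echo "FAIL: $key does not belong to the certificate in $chain"; rc=1; }
    cert_covers_host "$chain" "$host" ||
        { echo "FAIL: certificate does not cover $host"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key and certificate are consistent for $host"
    return "$rc"
}

# Usage: sh preflight.sh privkey.pem fullchain.pem mail.example.com
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A key/certificate mismatch caught here costs nothing; the same mismatch after the restart leaves the SMTP, IMAP/POP3 and HTTPS services unable to complete TLS handshakes.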

Replace cert files

Warning

If you deployed iRedMail with the iRedMail Easy platform, the SSL cert files are stored under /opt/iredmail/ssl/:

On RHEL/CentOS (cert files under /etc/pki/tls):

mv /etc/pki/tls/certs/iRedMail.crt{,.bak}       # Backup. Rename iRedMail.crt to iRedMail.crt.bak
mv /etc/pki/tls/private/iRedMail.key{,.bak}     # Backup. Rename iRedMail.key to iRedMail.key.bak
cp fullchain.pem /etc/pki/tls/certs/iRedMail.crt
cp privkey.pem /etc/pki/tls/private/iRedMail.key

On Debian/Ubuntu (cert files under /etc/ssl):

mv /etc/ssl/certs/iRedMail.crt{,.bak}       # Backup. Rename iRedMail.crt to iRedMail.crt.bak
mv /etc/ssl/private/iRedMail.key{,.bak}     # Backup. Rename iRedMail.key to iRedMail.key.bak
cp fullchain.pem /etc/ssl/certs/iRedMail.crt
cp privkey.pem /etc/ssl/private/iRedMail.key

Restart network services

Required services:

Depending on the backend you chose during iRedMail installation, you may need to restart:

Verify the cert
