Setting up a CA SSL certificate in hMailServer

I’m a big fan of hMailServer, but the documentation for setting up SSL certificates and the certification chain is a bit lacking.

The easiest way to check if hMailServer is set up correctly is to use OpenSSL.

openssl.exe s_client -showcerts -connect mail.yourserver:995

If one of the last lines has the message “unable to verify the first certificate”, the certification path is incomplete.

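If one of the last lines has the message “self signed certificate in certificate chain” and you are NOT using a self-signed certificate, things are probably set up OK: the server sent the whole chain, root included, and OpenSSL is only reporting that this root is not in the trust store it was run with.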

You can also use web-based tools such as https://www.sslshopper.com/ssl-checker.html; just remember that you need to add a port number (SSL POP3 normally runs on port 995).

hMailServer requires you to provide all certificates in the certification chain. For the image below, this is the SSL cert, TWO intermediate certificates and the Root certificate.

In a nutshell, you need to use a text editor and combine multiple certificates together. Your SSL cert should be at the top, intermediate certs in the middle and root certificate at the bottom.
Something like this:
-----BEGIN CERTIFICATE-----
YOUR SSL CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE CERT 1 - The one that signed your SSL cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE CERT 2 (IF APPLICABLE) - The one that signed INTERMEDIATE CERT 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT CERTIFICATE
-----END CERTIFICATE-----

The simplest way to get everything together is to browse to https://whatsmychaincert.com/ and paste the certificate into the box (including the lines with BEGIN and END). Check the “Include Root Certificate” checkbox and click “Generate Chain”.

You should then get a file which includes your intermediate certificates at the top and the root certificate at the bottom.

Open up this file and paste your SSL certificate (including the lines with BEGIN and END) at the top of this file and save it.

This file should now contain your entire certificate chain for use by hMailServer.

Remember, whenever you make any changes to the SSL configuration in hMailServer, you need to restart the hMailServer service.

Good luck!
