How to configure certificates for HTTPS, IMAP, POP3, and SMTP

PROBLEM

The pre-installed self-signed certificates are not trusted by the browser.  Where do I add my own trusted certificates?  

ENVIRONMENT

• atmail suite 
• atmail mail server

CAUSE

Certificates used during installation are self singed certificates. 

RESOLUTION

A new certificate will need to be generated or purchased.  The same certificate can be used for IMAP, POP, HTTPS, and SMTP.  Please save this certificate on the server and follow this guide to configure the appropriate applications to use the new certificate.  For the sake of this guide, we will assume that the new key is called new_cert.key and new_cert.pem

Nginx certificate setup (webmail)

1. Open the nginx config file. 
   

   vi /etc/nginx/conf.d/atmail.conf 

   The default config should look similar to this.

   server {
   
           listen 443 http2 ssl;
   
           server_name _;
   
           error_log /var/log/nginx/atmail_error;
           access_log /var/log/nginx/atmail_access;
   
           gzip on;
           gzip_types text/plain application/xml application/json application/javascript text/css;
   
           ssl_certificate_key  /etc/pki/nginx/private/atmail.key;
           ssl_certificate      /etc/pki/nginx/certs/atmail.pem;
   #       ssl_trusted_certificate /etc/pki/nginx/certs/letsencrypt_ca.pem;
   ...

2. Place the new certificate key for nginx in the /etc/pki/nginx/private and change its ownership:
   

   # chown root:nginx /etc/pki/nginx/private/new_cert.key

3. Now change its permissions.
   

   # chmod 0640 /etc/pki/nginx/private/new_cert.key

4. Place the new certificate pem file in the /etc/pki/nginx/certs directory and change its ownership:
   

   # chown root:root /etc/pki/nginx/certs/new_cert.pem

5. Now change its permissions.
   

   # chmod 0444 /etc/pki/nginx/certs/new_cert.pem

6. Edit the the ssl_certificate_key and ssl_certificate to point to your certificates.
   

   ssl_certificate_key /etc/pki/nginx/private/new_cert.key; 
   ssl_certificate /etc/pki/nginx/certs/new_cert.pem;

7. Restart nginx and apiserver.
   

   systemctl restart nginx apiserver

 IMAP/POP setup

1. Place the new certificate key for dovecot in the /etc/pki/dovecot/private directory and change its ownership:
   

   # chown root:root /etc/pki/dovecot/private/new_cert.key

2.  Now change its permissions.
   

   # chmod 0640 /etc/pki/dovecot/private/new_cert.key

3. Place the new certificate pem file for dovecot in the /etc/pki/dovecot/certs directory and change its ownership.
   

   # chown root:root /etc/pki/dovecot/certs/new_cert.pem

4. Now change its permissions.
   

   # chmod 0444 /etc/pki/dovecot/certs/new_cert.pem

5. In the admin portal, navigate to Services -> POP3/IMAP and add the paths to the certificate and key file.
   
6. Save changes
7. Publish config

SMTP setup

1. Make a private and certs directory in the exim directory,
   

   # mkdir /etc/pki/exim/private /etc/pki/exim/certs

2. Place the new certificate key for exim in the /etc/pki/exim/private directory and change its ownership.
   

   # chown root:exim /etc/pki/exim/private/new_cert.key

3. Now change its permissions.
   

   # chmod 0640 /etc/pki/exim/private/new_cert.key

4. Place the new certificate pem for exim in the /etc/pki/exim/certs directory and change its ownership.
   

   # chown root:root /etc/pki/exim/certs/new_cert.pem

5. Now change its ownership.
   

   # chmod 0444 /etc/pki/exim/certs/new_cert.pem

6. In the admin portal, navigate to Services -> SMTP and add the paths to the certificate and key file
   
7. Save changes
8. Publish config