Custom SSL Certificates

Stewart -

PROBLEM

I get an SSL error with my custom URLs on my atmail cloud account.

ENVIRONMENT

  • atmail cloud EU
  • atmail cloud US-EAST

CAUSE

When using a custom webmail domain with the atmail cloud, the SSL certificate served is for *.atmailcloud.com, which does not match the custom domain and causes security warnings.

RESOLUTION

Please Note: 
STARTTLS is NOT supported at this time. 

Provide us with SSL certificates for your domain. We currently support encrypted endpoints for customers via genuine (i.e. not self-signed) SSL certs.

If you do not currently own SSL certificates for the domain, you will need to purchase them from your SSL certificate provider (e.g. RapidSSL). This requires generating a CSR (Certificate Signing Request) and a private key, which can be done with the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Fill in the details at the prompts (Common Name - which is the domain you want a certificate for; Organization; Country; etc), then submit the CSR file to your SSL certificate provider.

The certificate should be in a single text file in PEM format and contain the complete chain of trust, including any intermediate certs and the root CA. This ensures that each chain is complete and self-contained and does not rely on the centrally located CA bundle.
The PEM file must contain the blocks in this specific order:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Please Note:
The private key used to generate the CSR comes first, followed by the domain cert, followed by any intermediate cert(s), with the root CA being the final part of the chain.
The cert should be validated, and the private key checked to ensure that it does indeed match the cert in question. Both checks can be done by running openssl on the PEM file.

To verify the chain of trust

openssl verify -CAfile <domain>.pem <domain>.pem
Note: Since the file <domain>.pem should contain the whole chain of trust, including the root CA, the file itself is also used as the CAfile to check the chain of trust.

To ensure the key matches the certificate

openssl x509 -noout -modulus -in <domain>.pem | openssl md5
openssl rsa -noout -modulus -in <domain>.pem | openssl md5
The md5 generated from each of the commands should be the same. If not, then the key does NOT match the cert in question.
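
The checks described above (block order, key/cert match, chain verification) can be run in one pass. The script below is an added example, not atmail's own tooling: the function names are hypothetical, accepting a PKCS#8 "PRIVATE KEY" header alongside "RSA PRIVATE KEY" is an assumption, and the key match compares public keys directly instead of MD5 digests of the modulus.

```shell
#!/bin/sh
# Added example: pre-flight checks for a combined <domain>.pem bundle.
# Function names are hypothetical, not part of any atmail tooling.

# Print the PEM block types in file order, one per line.
pem_order() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Succeed only if block 1 is the private key and every later block (at
# least one) is a certificate. Assumption: a PKCS#8 "PRIVATE KEY" header
# is accepted as well as the "RSA PRIVATE KEY" header shown above.
check_pem_order() {
    pem_order "$1" | awk '
        NR == 1 && !/^(RSA )?PRIVATE KEY$/ { print "block 1 is " $0 ", expected the private key"; bad = 1 }
        NR > 1 && $0 != "CERTIFICATE" { print "block " NR " is " $0 ", expected a certificate"; bad = 1 }
        END {
            if (NR < 2) { print "no certificate follows the key"; bad = 1 }
            exit bad + 0
        }' >&2
}

# Compare the public key derived from the private key with the public key
# in the first (domain) certificate. Returns 2 if either cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Run all three checks; the last is the verify command from the article.
check_bundle() {
    check_pem_order "$1" || return 1
    key_matches_cert "$1" || { echo "key does not match the domain cert" >&2; return 1; }
    openssl verify -CAfile "$1" "$1"
}

# Usage: sh check_bundle.sh example.com.pem
if [ $# -gt 0 ]; then
    check_bundle "$1"
fi
```

A non-zero exit status means the bundle failed one of the checks; the reason is printed to stderr.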
