Custom SSL Certificates

Stewart -

PROBLEM

I get an SSL error with my custom URLs on my atmail cloud account.

ENVIRONMENT

  • atmail cloud EU
  • atmail cloud US-EAST

CAUSE

When you use a custom webmail domain with the atmail cloud, the SSL certificate served is for *.atmailcloud.com, which does not match your domain and causes security warnings.

RESOLUTION

Please Note: 
STARTTLS is NOT supported at this time. 

Provide us with SSL certificates for your domain. We currently support encrypted endpoints for customers via genuine (i.e. non-self-signed) SSL certs.

Generate an SSL Certificate

If you do not currently own SSL certificates for the domain, you will need to purchase them from your SSL certificate provider (e.g. RapidSSL). This requires generating a CSR (Certificate Signing Request) and a private key, which can be done with the following command on any device with openssl installed, such as an Apple MacBook, Microsoft Windows device or Linux device:

openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Fill in the details at the prompts (Common Name - which is the domain you want a certificate for; Organization; Country; etc), then submit the CSR file to your SSL certificate provider.

Create a PEM file

The certificate should be in a single text file in PEM format and contain the complete chain of trust, including any intermediate certs and the root CA. This ensures that each chain is complete and self-contained and does not rely on the centrally located CA bundle.
The PEM file must contain its parts in this specific order:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Please Note:
The private key used to generate the CSR comes first, followed by the domain cert, followed by any intermediate cert(s), with the root CA being the final part of the chain.
The cert should be validated, and the private key checked to ensure that it does indeed match the cert in question. Both checks can be done by running openssl on the PEM file.

To verify the chain of trust

openssl verify -CAfile <domain>.pem <domain>.pem
Note: Since the file <domain>.pem should contain the whole chain of trust, including the CA root, the file itself is also used as the CAfile to check the chain of trust.

To ensure the key matches the certificate

openssl x509 -noout -modulus -in <domain>.pem | openssl md5
openssl rsa -noout -modulus -in <domain>.pem | openssl md5
The md5 generated by each of the commands should be the same. If they differ, the key does NOT match the cert in question.
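
The ordering rule and the two checks above, combined into one pre-submission script. This is an added example, not atmail's own tooling: the function name check_pem_bundle, its exit codes, and the acceptance of a PKCS#8 "BEGIN PRIVATE KEY" header alongside the "BEGIN RSA PRIVATE KEY" header shown above are assumptions of the example.

```shell
# Added example: pre-submission check for a PEM bundle laid out as described above.
# Exit codes (this script's own convention): 0 ok, 2 block order, 3 root not last,
# 4 chain of trust, 5 key/certificate mismatch.
check_pem_bundle() {
    pem=$1

    # 1. Order: private key first, then certificates only (domain cert plus root at minimum).
    #    Assumption: a PKCS#8 "BEGIN PRIVATE KEY" header is accepted as well as the
    #    "BEGIN RSA PRIVATE KEY" header shown on the page.
    awk '/^-----BEGIN / {
             n++
             if (n == 1 && $0 !~ /^-----BEGIN (RSA )?PRIVATE KEY-----$/) bad = 1
             if (n > 1 && $0 != "-----BEGIN CERTIFICATE-----") bad = 1
         }
         END { exit (bad || n < 3) }' "$pem" ||
        { echo "FAIL: expected private key, domain cert, intermediates, root CA" >&2; return 2; }

    # 2. The last certificate must be the root: its subject equals its issuer.
    last=$(awk '/^-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$pem")
    subj=$(printf '%s\n' "$last" | openssl x509 -noout -subject 2>/dev/null | sed 's/^subject= *//')
    issr=$(printf '%s\n' "$last" | openssl x509 -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ] ||
        { echo "FAIL: last certificate is not a self-issued root CA" >&2; return 3; }

    # 3. Chain of trust, using the bundle as its own CA file as the page does.
    openssl verify -CAfile "$pem" "$pem" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: chain of trust does not verify" >&2; return 4; }

    # 4. Key matches the domain cert: compare the RSA moduli directly (no digest step).
    cert_mod=$(openssl x509 -noout -modulus -in "$pem" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$pem" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] ||
        { echo "FAIL: private key does not match the domain certificate" >&2; return 5; }

    echo "OK: $pem"
}

# Run as: sh check_pem.sh <domain>.pem
if [ "$#" -gt 0 ]; then check_pem_bundle "$1"; fi
```

A non-zero exit code identifies which of the four checks failed, so the file can be corrected before it is attached to the support ticket.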

Submit the PEM file to atmail

Once you are happy that the PEM file passes the verification tests, supply the PEM file to atmail in a support ticket and we will arrange for our Engineers to install the SSL Certificate.

Change your domain routing for the US Platform

If you are on the US platform, please change the CNAME entries in your DNS as follows:

Your Record         Existing target                    New target
webmail.<domain>    webmail.us-east.atmailcloud.com    sep.us-east.atmailcloud.com
imap.<domain>       imap.us-east.atmailcloud.com       sep.us-east.atmailcloud.com
smtp.<domain>       smtp.us-east.atmailcloud.com       sep.us-east.atmailcloud.com

This is so your connections are routed away from the general SSL Certificate for the platform to your own SSL Certificate held on the SEP servers.
If you are on the EU platform you will be informed by the Support Team of any routing required.
