I have been using a self-generated certificate pair to test the usage of GMS Secure Socket Layer. Everything works well but because the certificate is not issued by a recognised authority my users get a prompt asking them if they want to accept the certificate. To stop the prompts from appearing I would now like to apply a certificate from a recognised Certification Authority (CA) such as Verisign. What is the procedure for doing this?
This is quite straightforward. You should do the following:
- Run Keycert.exe, which by default is located in the gordano\bin or opt/gordano/mail/bin directory on your GMS server.
- Select the "Generate CSR for submission to a CA" option and generate the CSR and private key. Keep a careful note of the passphrase and common name that you use.
- Submit the CSR to your Certification Authority following their instructions.
- The Certification Authority will then send you a certificate file.
- Once you have the certificate file, and have saved it to a suitable location on your hard drive, you should run Keycert.exe again. This time select the "Use Existing Certificate" option.
- Please note: this affects all builds of the software up to v17.00.3759. When you attempt to browse the disk for the relevant files, the Windows dialog box defaults to looking for a .csr file extension. This is wrong: the .csr is the certificate request file, not the actual certificate file. Be sure to look for .cert, .cer or .crt files instead.
- When prompted to enter your key name enter the filename of the private key. This is the file that was created at the same time as the CSR.
- When prompted to enter the certificate name, enter the filename of the certificate file that the Certification Authority has sent you.
- You will then be prompted to enter the common name of the server and the passphrase that you used when you created the CSR.
- You should then stop and start the GMS services.
- Your server will then be using the new certificate pair.
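Before running Keycert.exe the second time, it can help to confirm that the file chosen as the certificate is not the .csr and that the private key belongs to the certificate the CA returned. The following is an added example, not part of Keycert or GMS; it assumes the files are PEM-encoded and that Python 3 is available, and the function names and sample data are hypothetical.

```python
import re
import ssl
from pathlib import Path

# PEM armor labels mapped to the role each file plays in the procedure above.
KINDS = {
    "CERTIFICATE": "certificate",
    "CERTIFICATE REQUEST": "csr",
    "NEW CERTIFICATE REQUEST": "csr",
    "PRIVATE KEY": "private-key",
    "RSA PRIVATE KEY": "private-key",
    "ENCRYPTED PRIVATE KEY": "private-key",
}
ARMOR = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def classify(data: bytes) -> list:
    """Return the kind of every PEM block in data, or ['not-pem'] (e.g. DER)."""
    labels = [m.group(1).decode() for m in ARMOR.finditer(data)]
    return [KINDS.get(label, "other") for label in labels] or ["not-pem"]


def preflight(key_path, cert_path, passphrase: str) -> list:
    """List the problems that would make the 'Use Existing Certificate' step fail."""
    problems = []
    cert_kinds = classify(Path(cert_path).read_bytes())
    key_kinds = classify(Path(key_path).read_bytes())
    if "csr" in cert_kinds:
        problems.append("certificate file is the CSR, not the CA-issued certificate")
    elif "certificate" not in cert_kinds:
        problems.append(f"certificate file holds {cert_kinds}, expected a PEM certificate")
    if "private-key" not in key_kinds:
        problems.append(f"key file holds {key_kinds}, expected a PEM private key")
    if problems:
        return problems
    # OpenSSL (via the ssl module) refuses a key that does not match the
    # certificate, and a passphrase that does not decrypt the key.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(str(cert_path), str(key_path), password=passphrase)
    except ssl.SSLError as exc:
        problems.append(f"OpenSSL rejected the pair: {exc}")
    return problems


# Constructed sample armor (bodies are placeholders, not real key material).
SAMPLE_CSR = b"-----BEGIN CERTIFICATE REQUEST-----\nTUlJ\n-----END CERTIFICATE REQUEST-----\n"
SAMPLE_KEY = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nTUlJ\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

An empty list from `preflight` means the key, certificate and passphrase load together; a binary (DER) .cer file is reported as `not-pem` and needs converting before this check applies.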
Keywords: SSL keycert CA CSR