Using your own SSL certificates

ucs-4-1
ssl
mailserver
certificates

#1

By default, certificates created by the UCS CA are used in UCS for the Apache, Postfix, Dovecot (or Cyrus) etc. daemons. As described in the following points, the Apache, Dovecot, Cyrus and Postfix services can be configured for the use of externally created certificates:

Apache

To use your own certificates for the web server Apache , the UCR variables ‘apache2/ssl/certificate’ and ‘apache2/ssl/key’ need to be set to the full path of the certificate files, e.g.:

ucr set apache2/ssl/certificate="/etc/myssl/cert.pem" ucr set apache2/ssl/key="/etc/myssl/private.key"

The service must then be restarted for the changes to take effect:

service apache2 restart

Cyrus

Cyrus was used as IMAP server up to UCS 4.0-1. Since UCS 4.0-2, the default IMAP server is Dovecot (see below).

When configuring the SSL certificates for the IMAP server Cyrus, special attention must be paid to the fact that the files need to belong to the cyrus user and the mail group. It is thus recommended to create an additional copy of the certificates. Following the example above, the configuration could be performed as follows:

cp /etc/myssl/cert.pem /var/lib/cyrus/cert.pem cp /etc/myssl/private.key /var/lib/cyrus/private.key chown cyrus:mail /var/lib/cyrus/cert.pem /var/lib/cyrus/private.key chmod 600 /var/lib/cyrus/cert.pem /var/lib/cyrus/private.key

The UCR variables mail/cyrus/ssl/certificate and mail/cyrus/ssl/key must then be set for Cyrus:

ucr set mail/cyrus/ssl/certificate="/var/lib/cyrus/cert.pem" ucr set mail/cyrus/ssl/key="/var/lib/cyrus/private.key"

The Cyrus server finally needs to be restarted:

service cyrus2.4 restart

Dovecot

Dovecot is the default IMAP server since UCS 4.0-2 and supersedes Cyrus.

The UCR variables mail/dovecot/ssl/certificate and mail/dovecot/ssl/key must be set for Dovecot:

ucr set mail/dovecot/ssl/certificate="/etc/myssl/cert.pem" ucr set mail/dovecot/ssl/key="/etc/myssl/private.key"

Then restart the daemon:

service dovecot restart

Postfix:

The UCR variables ‘mail/postfix/ssl/certificate’ and ‘mail/postfix/ssl/key’ need to be configured:

ucr set mail/postfix/ssl/certificate="/etc/myssl/cert.pem" ucr set mail/postfix/ssl/key="/etc/myssl/private.key"

Then the mail server has to be restarted:

service postfix restart

SSL Zertifikat einbinden
Eigenes Root-Zertifikat einspielen
TLS and SSL for IMAP and SMTP
System Diagnostics - Check Validity Of SSL Certificate
OX Guard HTTP Status 500