Using LetsEncrypt SSL Certificate with Communigate Pro

LetsEncrypt has been making waves since it started providing SSL certificates for free, and many have applauded it for this. Researchers and enthusiasts have supported the project in various ways, such as integrating LetsEncrypt with various web servers and automating the certificate generation process, including renewal.

Note that although LetsEncrypt provides SSL certificates for free, each certificate is valid for only 90 days. In this blog post we describe the process of integrating a LetsEncrypt certificate with Communigate Pro.

Communigate Pro is one of the leading email solution providers; however, when we wanted to implement these SSL certificates we couldn’t find any tangible information that would allow us to do so.

Requirements:

  • 1: Communigate Pro Web-Console
  • 2: Zero SSL or any of the ACME Clients.
  • 3: OpenSSL

Steps


ZeroSSL

1: Generate the Private Key (save this key in a safe place).
Note: LetsEncrypt requires the key size to be at least 2048

Generate Account Private Key

openssl genrsa 4096 > ZeroSSLAccount.key

Print the public key that corresponds to your private key

openssl rsa -in ZeroSSLAccount.key -pubout

This Key is to be used as ZeroSSL Account-Key


Communigate Pro

  • Generate Server Private Key

openssl genrsa 4096 > emailDomain.key

  • Create the config file as shown, this file is for multiple domains.
    File Name : extfile.conf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = IN
countryName_default = IN
stateOrProvinceName = Maharashtra
stateOrProvinceName_default = MH
localityName = Mumbai
localityName_default = Mumbai
organizationName = MWTI
organizationName_default = MWTI
organizationalUnitName = IT
organizationalUnitName_default  = IT
commonName = mwti.net
commonName_max  = 64
emailAddress = contact@escanav.com

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = escanav.com
DNS.2 = mail.escanav.com

  • Generate the CSR

openssl req -new -key emailDomain.key -sha256 -nodes -config extfile.conf -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=MWTI/OU=IT/CN=mwti.net/emailAddress=contact@escanav.com/subjectAltName=DNS.1:escanav.com,DNS.2:mail.escanav.com" -out emailDomain.csr

Note: Use certutil.exe -dump <cert/key/csr> to see/check certificate.

Now that we have generated the Keys for:

  • ZeroSSL
  • Communigate Pro

We logon to Communigate Pro Web-Console and traverse to the following section:

Users –> Domains

We select the configured domain and then traverse to the following section:

Security –> SSL/TLS

Under the Request Client Certificates we choose the following:

PKI Services –> Enabled
Issued by –> default()

Under the Private Key Section we choose:

Key Size –> Import and then Click on Generate Key button. An additional text-area is displayed with the heading Enter a Custom PEM-encoded Key.

Copy the contents of emailDomain.key, which was generated earlier and paste them in this Text-Area.

Click on Generate Key to submit the private key.

Step 1

Communigate Pro – Private Key Generation

A new section, Certificate Generator, will be presented. Provide the Contact and click on Create Signing Request. Although this generates a CSR, it cannot be used as the CSR for ZeroSSL, since Communigate Pro uses MD5/RSA as the signing algorithm and the requirement is SHA256/RSA.

The text-area Certificate Signing Request (CSR) is populated with the MD5/RSA CSR, however we delete the contents in this text-area.

Copy the contents of emailDomain.csr, which was generated earlier and paste them in this Text-Area.
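
The CSR pasted here must be SHA256/RSA-signed, use a key of at least 2048, be built from the key imported earlier, and list every domain in its SAN extension (the part that comes from extfile.conf). The script below is an added example, not part of the original post, that checks those four points with OpenSSL; the function names and the throwaway demo.key/demo.csr files are constructed for illustration, so substitute emailDomain.csr and emailDomain.key.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks on a CSR.
# Function names and the demo.* files are hypothetical / constructed.

csr_text() { openssl req -in "$1" -noout -text; }

# Signature algorithm of the CSR, e.g. sha256WithRSAEncryption
csr_sig_alg() { csr_text "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }

# Public key size in bits
csr_key_bits() { csr_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# DNS names in the subjectAltName extension, one per line
csr_sans() {
    csr_text "$1" | sed -n '/Subject Alternative Name:/{n;s/ //g;p;}' |
        tr ',' '\n' | sed -n 's/^DNS://p'
}

# check_csr CSR KEY DOMAIN...  prints one line per problem, returns 0 if none
check_csr() {
    csr=$1; key=$2; shift 2; rc=0
    alg=$(csr_sig_alg "$csr")
    [ "$alg" = sha256WithRSAEncryption ] || { echo "FAIL: signed with $alg"; rc=1; }
    [ "$(csr_key_bits "$csr")" -ge 2048 ] || { echo "FAIL: key under 2048 bits"; rc=1; }
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: CSR was not made from this private key"; rc=1; }
    for d in "$@"; do
        csr_sans "$csr" | grep -qxF "$d" || { echo "FAIL: $d not in SAN"; rc=1; }
    done
    return $rc
}

# Constructed sample: throwaway key and SHA-256 CSR written to directory $1
make_demo_csr() {
    openssl genrsa -out "$1/demo.key" 2048 2>/dev/null
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'req_extensions = v3_req' '[dn]' 'CN = escanav.com' '[v3_req]' \
        'subjectAltName = DNS:escanav.com, DNS:mail.escanav.com' > "$1/demo.conf"
    openssl req -new -key "$1/demo.key" -sha256 -config "$1/demo.conf" \
        -out "$1/demo.csr"
}

tmp=$(mktemp -d)
make_demo_csr "$tmp"
check_csr "$tmp/demo.csr" "$tmp/demo.key" escanav.com mail.escanav.com && echo "CSR OK"
```

Running the same `check_csr` against the CSR that Communigate Pro generates would report its signature algorithm instead of passing.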


Zero SSL

Browse to https://zerossl.com/ and paste the contents of ZeroSSLAccount.key in the Account Key text-area and contents of emailDomain.csr in the CSR text-area. Select HTTP verification, ZeroSSL TOS and Let’s Encrypt SA and then click on Next.

This is an important step, since you will now be verifying your domain name. Make sure that the domain name used points to a web server in the global DNS records and that the server is listening on port 80.

Create the directory structure as mentioned in ZeroSSL

http://domainname/.well-known/acme-challenge/

Note:

  • While using IIS, use the command prompt to create the directory structure in the directory which is hosting the website. Create the file with the contents as mentioned by ZeroSSL.
  • Open the IIS Manager, traverse to the hosting site, select Mime-Type and add “.” “text/plain”, otherwise IIS will display an error.
  • After the HTTP verification delete the added Mime-Type
  • Multiple Domains when used during the creation of CSR would result in multiple verification requests.

Step 2

ZeroSSL Challenge Verification Link

Before clicking Next, browse to the location, so as to ensure that the contents of the challenge file are visible. After Clicking Next, the Certificate will be generated and will be made available for download.

Step 3

ZeroSSL Certificate Download

Download and store these files in a safe location.

Convert the domain-crt.txt to PEM format, since this is the format which is accepted by Communigate Pro.

openssl x509 -inform PEM -in domain-crt.txt > domain.pem

Copy the contents of domain.pem and paste them into the Enter a PEM-encoded Certificate text-area box and then click Set Certificate button.
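
Since the certificate is valid for only 90 days and is installed by hand, it helps to confirm that domain.pem belongs to the imported private key before pasting it, and to run the same check later to see when renewal is due. The script below is an added example, not part of the original post; the function names are hypothetical and the demo.key/demo.pem files are a constructed self-signed stand-in for emailDomain.key and domain.pem.

```sh
#!/bin/sh
# Added example (not from the original post): checks on an issued certificate.
# Function names and the demo.* files are hypothetical / constructed.

# 0 if certificate $1 carries the public half of private key $2
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 if certificate $1 expires within $2 days, i.e. renewal is due
renewal_due() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_cert CERT KEY WARN_DAYS  prints findings, returns 0 if nothing to fix
check_cert() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: certificate does not match key"; rc=1; }
    if renewal_due "$1" "$3"; then
        echo "WARN: renew now, $(openssl x509 -in "$1" -noout -enddate)"; rc=1
    fi
    return $rc
}

# Constructed sample: throwaway key and a self-signed 90-day certificate in $1
make_demo_cert() {
    openssl genrsa -out "$1/demo.key" 2048 2>/dev/null
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        '[dn]' 'CN = mail.escanav.com' > "$1/demo.conf"
    openssl req -x509 -new -key "$1/demo.key" -sha256 -days 90 \
        -config "$1/demo.conf" -out "$1/demo.pem"
}

tmp=$(mktemp -d)
make_demo_cert "$tmp"
check_cert "$tmp/demo.pem" "$tmp/demo.key" 30 && echo "certificate OK"
```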

Communigate Pro CSR and CRT Sections


The final screen after adding the LetsEncrypt SSL certificate shows the details of the certificate, including the issuer and its expiry date.

Note: Save the Account Number for quick reference

Communigate Pro - after successfully adding the Certificate


Enabling the HTTPS Listener

We logon to Communigate Pro Web-Console and traverse to the following section:

Settings –> Services –> HTTPU –> Init SSL/TLS –> On

Communigate Pro - Enabling HTTPS Listener



Verifying the Certificates

Certificate - Validated


Certificate


  • Authors : DeepakS and SachinR