"Let's Encrypt" is an organisation that provides SSL certificates for free in an automated way. While the use is simple on IIS or Apache web servers, on Kerio Connect it is a bit more complicated as it comes with its own web server. Here is how I set it up (there might be other ways, of course, please feel free to add your comments at the bottom of the page).
First, download "letsencrypt-win-simple" from
This tool simplifies and automates the communication with the Let's Encrypt API.
Then, make sure you have IIS enabled on your Windows 2012 R2 Server, but only have a binding to port 80 (port 443 will be used by Kerio Connect). Bind http://mail.yourmaildomain.com to IIS.
Make sure that Kerio Connect only has https enabled and not http.
Now, run letsencrypt.exe from the folder where you downloaded it. When run for the first time, it will ask you for your email address and to accept the TOS. It will present you with all the current bindings from IIS. Choose mail.yourmaildomain.com.
It will now create the certificate for your mail server. Two files are important
They can be found here:
From Kerio Web Admin > SSL Certificates, import the certificate and make it the default certificates. Delete any other certificates.
This results in 2 files in
You should now be able to go to the Kerio Connect login web page with
If you look at the certificate it should list "Let's Encrypt Authority" as the issuer and it shoul show a green padlock.
Let's Encrypt certificates expire after 90 days, so you should create a scheduled task that renews the certificates and copies them to
overwriting server.crt and server.key. Also this task needs to restart the mailserver service, so the new certificate gets into effect.
Update: With version 9.4 of Kerio Connect, a built-in Letsencrypt functionality was introduced, so this procedure is not needed anymore