Kerio Connect: Use it with free "Let's Encrypt" Certificates on IIS

"Let's Encrypt" is an organisation that provides SSL certificates for free in an automated way. While the use is simple on IIS or Apache web servers, on Kerio Connect it is a bit more complicated as it comes with its own web server. Here is how I set it up (there might be other ways, of course, please feel free to add your comments at the bottom of the page).

First, download "letsencrypt-win-simple" from

https://github.com/Lone-Coder/letsencrypt-win-simple

This tool simplifies and automates the communication with the Let's Encrypt API.

Then, make sure you have IIS enabled on your Windows 2012 R2 Server, but only have a binding to port 80 (port 443 will be used by Kerio Connect). Bind http://mail.yourmaildomain.com to IIS.

Make sure that Kerio Connect only has https enabled and not http.

Now, run letsencrypt.exe from the folder where you downloaded it. When run for the first time, it will ask you for your email address and to accept the TOS. It will present you with all the current bindings from IIS. Choose mail.yourmaildomain.com.

It will now create the certificate for your mail server. Two files are important

mail.yourmaildomain.com-crt.pem
mail.yourmaildomain.com-key.pem

They can be found here:

C:\Users\<username>\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

From Kerio Web Admin > SSL Certificates, import the certificate and make it the default certificates. Delete any other certificates.

This results in 2 files in

C:\Program Files\Kerio\MailServer\sslcert

server.crt
server.key

You should now be able to go to the Kerio Connect login web page with

https://mail.yourmaildomain.com

If you look at the certificate it should list "Let's Encrypt Authority" as the issuer and it shoul show a green padlock.

Renewal

Let's Encrypt certificates expire after 90 days, so you should create a scheduled task that renews the certificates and copies them to

C:\Program Files\Kerio\MailServer\sslcert

overwriting server.crt and server.key. Also this task needs to restart the mailserver service, so the new certificate gets into effect.

Update: With version 9.4 of Kerio Connect, a built-in Letsencrypt functionality was introduced, so this procedure is not needed anymore

Leave a Reply

Your email address will not be published. Required fields are marked *