SSL Certificate Setup IIS 8 (etc.) and Server 2012 (applies to other server versions as well)
Problem reported by Paul Blank - 6/30/2017 at 2:44 PM
This is not a problem per se, but I want to report very positive experiences with namecheap.com / ssls.com (same entity). They have SSL Certs for as little as $5 / year (3 years for $15.00) which should be perfectly good for use with single domains & Smartermail. And their tech support is nothing short of superb. Of course you can buy higher assurance certificates and/or for multiple domains, at higher cost. The price is just great so you can keep a cert or two around just for testing, and while a cert. is active, you can re-key it as often as you like, including, I'm pretty sure, changing the domain name entirely.
I typically generate a 2048-bit CSR using OpenSSL, upload it to ssls.com, and they provide the certificate via download and/or email. The low-assurance certificates are generated quickly; it takes longer for higher-assurance certs, as would be expected. But once you're established in their database, renewals etc. are much quicker.
I just needed to install a cert for SM v15 on Server 2012. With ssls.com you should actually go on chat with them FIRST (instead of beating your head against a wall!) and they will happily walk you through the install. In the case of S2012 / IIS8, there is a conversion required; they provide all the info while staying online with you and will even test your install if the server is live on the 'net. This is so even for their cheap certs., which is just so cool.
BTW with SM installs SSL certificate verification is also not intuitive: when installing the SSL certificate for SMTP, POP, and IMAP, you can only verify the certificate by first clicking "Save," which then closes that window - ideally the window would stay open, but it's a minor gripe. You then need to re-open the window and click the button for verify.
Lastly, if you are testing the server and it's not in a zone file on the 'net yet, you can add the FQDN to the hosts file on the server and test your IIS cert. locally. On a LAN workstation, you can similarly add it to that machine's hosts file as well for testing, thusly:
c:\windows\system32\drivers\etc\hosts (no file extension on the hosts text file)
Syntax: LAN IP of server, a space or two, then the FQDN (make sure there are no # at beginning of the line -  # means the line is just a comment!)....
x.x.x.x   mail.mydomain.com
This takes effect immediately without rebooting. Remember to remove the entry from the HOSTS file as needed, once you go live. On Windows workstations, you might very well need to copy the hosts file to the desktop (for example), edit it there and copy it back to the etc folder, for Windows security reasons. And it doesn't hurt to save a copy before starting.
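
The hosts-file test described in the post above, as an added PowerShell example that is not part of the original post: it backs up the hosts file, adds the mapping, and reports the certificate IIS presents for that name together with the validation result. The IP 192.0.2.10, port 443 and the $KeepEntry switch are assumptions made for the example; mail.mydomain.com is the post's sample name.

```powershell
# Added example. Run from an elevated PowerShell 3.0+ prompt.
$Fqdn      = 'mail.mydomain.com'   # sample name from the post
$ServerIp  = '192.0.2.10'          # placeholder: replace with the server's LAN IP
$Port      = 443                   # assumed IIS HTTPS binding
$KeepEntry = $true                 # set to $false to restore hosts after the test
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Save a copy before touching the file.
Copy-Item -Path $HostsPath -Destination "$HostsPath.bak" -Force

# Add the mapping unless an uncommented line already names this host.
$pattern = '^\s*[^#\s].*\s' + [regex]::Escape($Fqdn) + '(\s|$)'
$added = $false
if (-not (Select-String -Path $HostsPath -Pattern $pattern -Quiet)) {
    # Leading newline guards against a hosts file with no trailing line break.
    Add-Content -Path $HostsPath -Value "`r`n$ServerIp   $Fqdn"
    $added = $true
}

$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    # Diagnostic only: record the validation result instead of aborting the
    # handshake, so a name mismatch or chain problem can be reported.
    $script:policyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        PolicyErrors = $script:policyErrors   # 'None' = name and chain both validated
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
    # Put the original hosts file back if this run added the entry.
    if ($added -and -not $KeepEntry) {
        Copy-Item -Path "$HostsPath.bak" -Destination $HostsPath -Force
    }
}
```

A PolicyErrors value of RemoteCertificateNameMismatch means the certificate does not cover the FQDN; RemoteCertificateChainErrors means the chain did not validate, for example because an intermediate certificate is missing on the server.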

Bruce Barnes Replied
After three hospitalizations, in three months, I'm getting back into SmarterMail tech support and updating to 16.X, so I'll be able to support all versions back to 7.0. Actually 1.0, if anyone requires support that far back. So, give me a week or so, and open a request via the SmarterMail portal, and I'll see what I can do to make TLS work on your SmarterMail server. Bruce Barnes, SmarterMail Product Support Specialist. brucecnt@comcast.net or bbarnes@chicagonettech.com.
Bruce Barnes
ChicagoNetTech Inc

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
Paul Blank Replied
Wishing you all the best, Bruce!
Shaun Peet Replied
Welcome back! Glad to see that you're coming back into the community and diving into v16. It'll be great to have another set of knowledgeable eyes finding bugs and helping to get them fixed.
Employee Replied
Welcome back, Bruce.  You've been missed.
Richard Frank Replied
I use notepad++ for editing text files. It even asks when you want to save hosts file to go into admin mode. It then shuts down, starts with admin rights, you have to confirm, and then you can save the hosts file.
thanx for this little advertorial ;) for ssls.com
Richard Frank Replied
second that
Paul Blank Replied
Good advice, Richard. And of course I'm paid handsomely by ssls. So much so that if you find a better and/or less expensive alternative, feel free to post that here. ;) back atya

BTW in a month or so I need to renew an EV cert that's currently with Comodo. The ssls price for 2 years is less than half of Comodo's (apples to apples, far as I can see).
Richard Frank Replied
when you use openssl to create your ssl requests for only ssl then check letsencrypt.com,
Let’s Encrypt is a free, automated, and open Certificate Authority.
only for DV certs. The only catch is it's for 90 days. On my Direct Admin servers it will renew automatically, but that's not available on IIS. (edit; I see there are tools for windows too, to renew certs with letsencrypt)

my Dutch ssl supplier asks € 165 for EV single domain for 2 years (without 15% discount), Not as cheap as ssls.com but not as expensive as many others. I think the certificate market is changing rapidly.
