2
Smartermail SSL Certificates & Domain Cert Authority
Question asked by Tarkan - 12/14/2023 at 7:51 AM
Unanswered
Hello,

Is it possible for SmarterTools to provide guidance on the following setup we are trying to implement?

The customer is using a Windows 2019 server, which is a domain-connected computer; they have an AD policy in place issuing certificates to domain computers.

The computer running SmarterMail automatically gets a new cert issued by the Domain Cert Authority, and IIS is set up to auto rebind on renewed certificates, which works well.

The issue they have is that each time the cert is renewed or replaced someone has to export the certificate from the Windows certificate store to the Smartermail folder and rebind the new certificate to each port.

Is there any way to automate this process, especially using the newly released SmarterMail 8747 using the certificate folder?

Thanks.

5 Replies

0
Zach Sylvester Replied
Employee Post
Hello Tarkan,

Thank you for reaching out to the community. I believe I can assist you with your concern. There is a PowerShell script available in the following link in the bottom section https://portal.smartertools.com/kb/a3466/securing-smartermail-with-lets-encrypt.aspx that can export certificates from the certificate store to a folder. If you export the certificate to the same path and it has the same password as the old one, you won't need to modify the bindings inside of SmarterMail. The system should automatically detect the new certificate.

Please let me know if this solution works for you.

Thank you.
Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
0
Kyle Kerst Replied
Employee Post
Actually, to add to what Zach said here; our newest version supports the Centralized Certificate Store as well. So, if you configure your certificate process to export a PFX to a common directory you can set that as your certificates directory in Settings>SSL Certificates and SmarterMail should see the updated PFX immediately! More information about this process can be found here in this KB article which details integration with existing SSL solutions. It may not cover your scenario exactly but should help get you going in the right direction.

Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
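
The export step described in the two replies above, as an added example (this is not the script from the linked KB article and not SmarterTools' code). It picks the newest valid server certificate for the mail host from the machine store and writes it to the same PFX path with the same password; the host name, PFX file name and password file location are assumptions.

```powershell
# Added example: re-export the auto-enrolled certificate to the SmarterMail
# certificates folder. Intended to run as a scheduled task under an account
# that can read private keys in LocalMachine\My.
$ErrorActionPreference = 'Stop'

$HostName     = 'mail.example.com'                       # assumed mail host name
$CertFolder   = 'C:\SmarterMail\Certificates'            # folder named in this thread
$PfxPath      = Join-Path $CertFolder "$HostName.pfx"    # assumed file name; keep it stable
$PasswordFile = 'C:\ProgramData\CertExport\pfxpass.xml'  # hypothetical location

# The PFX password is stored as a DPAPI-protected SecureString, created once
# by the same account that runs this task:
#   Read-Host -AsSecureString | Export-Clixml $PasswordFile
$pfxPassword = Import-Clixml -Path $PasswordFile

# Newest certificate that is currently valid, has a private key, names the
# host exactly (wildcards are not matched here) and allows Server Authentication.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.DnsNameList.Unicode -contains $HostName) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No valid server certificate for $HostName in LocalMachine\My" }

# Skip the export when the folder already holds this certificate.
# A wrong password makes Get-PfxData fail, which stops the run before
# a PFX with a different password replaces the one the bindings expect.
if (Test-Path $PfxPath) {
    $current = (Get-PfxData -FilePath $PfxPath -Password $pfxPassword).EndEntityCertificates
    if ($current.Thumbprint -contains $cert.Thumbprint) {
        Write-Output "Up to date: $($cert.Thumbprint)"
        return
    }
}

# Export under a temporary name, then replace, so a partial .pfx is never read.
$tmp = "$PfxPath.tmp"
Export-PfxCertificate -Cert $cert -FilePath $tmp -Password $pfxPassword | Out-Null
Move-Item -Path $tmp -Destination $PfxPath -Force
Write-Output "Exported $($cert.Thumbprint), expires $($cert.NotAfter)"
```

Export-PfxCertificate fails if the private key is marked non-exportable, so the certificate template used for auto-enrollment has to allow private key export. The resulting PFX contains the private key, so access to the certificates folder and the password file should be limited to the accounts that need them.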
0
Tarkan Replied
Thanks guys,

The PowerShell script to pull the certificate from the Windows cert store will be perfect.

Leaves the question, what should I do about the entries in the Bindings \ Ports? I have set the certificate path and password in each of them.

Should I leave those entries alone, as they use the same certificate that I will be exporting into the SmarterMail certificate folder?
0
Grady Werner Replied
Employee Post
You still need the entries for bindings. Those are what are used as failover when clients don’t support SNI or when a domain sent doesn’t match anything. 
Grady Werner SmarterTools Inc. www.smartertools.com
0
Millennium Systems Replied
I've gone over both articles (new install and update with existing SSL) and I am left with some questions.

1. Directory permissions of C:\SmarterMail\Certificates

Does this need to be an administrative account, or will a regular user account do? What if said account's password is changed, do you then also need to go back into SmarterMail > Settings > SSL Certificates > Options and update the password?

2. When updating an install with an existing SSL (single server hostname SSL for all domains), does the password on the Options tab need to match the existing PFX password before uploading the PFX, the centralized store user password, or both?

3. Can automatic SSL be enabled while leaving the SSL port bindings as they are and not upload or change the single hostname SSL location? Or will that break the fallback?
