Back to Community Threads
SSL certificates - moving them from Certify to built in
Question asked by Heimir Eidskrem - 6/28/2024 at 8:14 AM
Unanswered
So we have a certificate with many domains (certify the web) and now I want to move those from that certificate to the built in function in Smartermail (nice function by the way).

Whats the best way of doing that with as little downtime as possible.
Just remove them from Certify and generate them in Smartermail?
Seems to be the way, just want to make sure Im not missing anything there.
Patrick Jeski Replied
6/28/2024 at 9:54 AM
I think you would have new certs quickly enough by enabling built in certificates and turning off Certify. Make sure the paths in Bindings -> Ports match the path that SmarterMail is going to use for the certificates.

I have SmarterMail Automatic Certificates (as a trial) on one server, and I use Certify on the other, and I would never consider switching from Certify to the SmarterMail Automatic Certificates. I am considering switching from SmarterMail on the other server to Certify. CTW just gives you so much more control and flexibility.
Heimir Eidskrem Replied
6/28/2024 at 11:24 AM
I have never done anything to the certificates in Certify besides setting them up.
What kind of control is that you need/get with Certify that SM is missing?
Patrick Jeski Replied
6/28/2024 at 11:47 AM
You can have Certify export the certificate to a location, either locally or remotely (ie SFTP) as a .pfx with a specified password, to multiple places if needed. (or most any format needed) Deployment tasks can be automatic or manual.
Outside of use for SmarterMail, you can have Certify bind certificates to specific service ports, such as DoT or DOH (in my application),
You can have Certify use a specific letsencrypt account with multiple certify installs which can be useful.
You have more control over the renewal frequency.
You can do DNS-01 Challenges to get wildcard certs.
You can specify that Certify use the same private key, or specify a private key, which can be useful for DANE applications.
Even if you let it generate a new private key every time, it's easily accessible if you need it.
You have much more control over the signing algorithm and options.

These are just the features I use, and I am by no means an advanced Certify user.

On the other hand, SmarterMail Certs are easier to set up and if they are set up right they just work.
YS Tech Replied
6/30/2024 at 6:21 AM
I'm having a nightmare with setting these certificates up.
If I place the .pfx file into the SM certificates folder and enter the password everything goes in fine.


I then go and have a look in the Certificates folder and it says invalid password and none of the details are there:

Now if I upload the pfx from the certificates area, all looks fine:


But when I try and use that in the bindings it says its not a valid certificate!


What am I doing wrong?
Surely this should be easier than this?
Patrick Jeski Replied
6/30/2024 at 6:53 AM
Once I got settings -> SSL Certificates right, I had no problem with the bindings EXCEPT that my browser was autofilling the password and so I had to retype it in every binding I opened to change the path.
YS Tech Replied
6/30/2024 at 6:59 AM
How did you get the certificates right?
If I have a cert in the SSL Certificates area that says its ok, I can't seem to bind it as it says its not valid!
If I place the pfx in the certificate folder and than select it then it fails in the certificates page but works with binding!
I'm a bit stuck at the minute.
Patrick Jeski Replied
6/30/2024 at 11:46 AM
It’s been a while but I think the fix was to have the path and password in Settings-> SSL certificates set before placing the certificates in the folder. Then when setting the bindings I only had the issue with password autofill to deal with. Wish I could be more help. 
Kyle Kerst Replied
7/1/2024 at 3:37 PM
Employee Post
Where are you seeing that the SSL certificate is invalid when you try to srt the binding on it? Is that under Settings>Bindings you see it complaining about the PFX? If so, you may be encountering the password autofill issue Patrick noted. To confirm you can try logging on as a system administrator from a guest session in your browser (since it won't have any saved passwords) and see if it works properly from there. I hope that helps! :-)
Kyle Kerst
Lead Internal Network/System Administrator
SmarterTools Inc.
Heimir Eidskrem Replied
7/1/2024 at 5:40 PM
No, its not in that part.
Its not generating certain certificates.  The binding is there.
I did open a ticket today, Dylan logged in to the server but I have not heard back yet.

 
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Automatic SSL Certificates on a New SmarterMail ServerSmarterMail > Server Configuration and Management
Automated SSL certificate Issues.SmarterMail > Troubleshooting
Move SmarterMail from Hosted to Self-InstalledSmarterMail > Installation and Configuration
Manually Securing SmarterMail Using Let's Encrypt and Certify the WebSmarterMail > Installation and Configuration
SmarterMail for Linux – SSL/TLS & Certificate ReferenceSmarterMail > Server Configuration and Management