So you want to change/update your secure ESMTP certificate? Or how about your secure IMAP certificate? Read on!
Several different protocols support secure communications, and the most typical encryption used is SSL (don't confuse it with SSH, an entirely different beast). Setting up SSL involves three things: the Certificate Signing Request (CSR), the Private Key (KEY) and the Certificate (CRT) itself.
The idea is this: you generate a KEY and a CSR (the CSR is derived from the KEY), you send the CSR to your certificate authority (the issuer), and the issuer gives you back your CRT, signed by them. The KEY stays on your server and is never sent to anyone.
Side note: You may act as the issuer yourself, at which point the CRT is said to be "self signed". Such certificates work fine and provide full encryption like every other certificate. The only issue is that the client will pop up a warning to the user saying that the issuer isn't known (true, since you generated the certificate and not one of the well-known public issuers).
At this point you either generate your own certificate (self signed) or get a properly signed certificate. In order to get a properly signed certificate you need to buy it from an issuer; there are loads of them around the internet, at several different price ranges. Jag can also do that, just open a ticket and ask for an SSL certificate to be issued for your server.
An alternative is to go to CACERT, who give out signed certificates for free, but currently they aren't recognized by client software (Mozilla, IE, etc). It's all political from there on, since the big cartels on certificates are waging a war against them (free certificates means an end to their profits).
Anyway, let's move on and take a look at all the different protocols and applications that use certificates:
HTTP - apache
Apache is the web server used by almost everyone, and if you are using cPanel/WHM then you are using it already. Since you are on a VPS or Dedicated server, your WHM has full root access and as a result it gives you access to upload SSL certificates (this may also be true for some resellers with extra access).
In order to install a certificate, click on the "Install a SSL Certificate and Setup the Domain" option and fill in the relevant boxes. You need to type the domain name first (once you hit TAB, the page reloads with all the bits filled in), then the dedicated IP address of that domain. Finally, copy/paste the CRT in the top box and the KEY in the bottom box.

Code:
In order to install/update/delete an SSL certificate, just go to: WHM -> Web SSL/TLS section, there you get the following options:
- Delete a SSL Host
- Generate a SSL Certificate and Signing Request
- Install a SSL Certificate and Setup the Domain
- List SSL Hosts
- Purchase & Install SSL Certificate

Once you've used the "Install a SSL Certificate and Setup the Domain" option, your apache configuration /etc/httpd/conf/httpd.conf should contain the relevant lines for the particular domain you installed the certificate for. The relevant files are copied under:
CRT: /usr/share/ssl/certs
KEY: /usr/share/ssl/private
Remember that in order to install an SSL certificate on a domain, that domain must have a dedicated IP address!
IMAP - courier-imap
IMAP is the protocol email clients use to talk to the email server/daemon; it is the evolution of POP3 and adds "folders" and other neat features.
IMAP is encrypted via SSL on port 993 (unencrypted IMAP uses port 143). If you are using cPanel/WHM then you are already using the courier-imap server. So far I haven't found a way to update the SSL certificate via the WHM interface, so we have to do it by hand.

Code:
The SSL certificate (CRT+KEY) for IMAP is stored in the file:
/usr/local/cpanel/etc/cpanel.pem
It includes both the CRT and KEY in one file. Just take your KEY and CRT, put them in that order in a text file without any space between them and you are done. Just overwrite the existing file (make a backup first) and test your connection with an email client that supports SSL encryption. This is the same file used for POP3 SSL (see next section).
POP3 - courier-imap
POP3 is the most widely used protocol for email clients to talk to email servers. IMAP (above) is the evolution of POP3, but POP3 is still more popular because most clients and servers still use and support it.
POP3 is encrypted via SSL on port 995 (unencrypted POP3 uses port 110). As you may have noticed, POP3 is "served" by the IMAP server above (courier-imap). As a result, it uses the exact same file for the certificate and key.

Code:
The SSL certificate (CRT+KEY) for POP3 is stored in the file:
/usr/local/cpanel/etc/cpanel.pem
It includes both the CRT and KEY in one file. Just take your KEY and CRT, put them in that order in a text file without any space between them and you are done. Just overwrite the existing file (make a backup first) and test your connection with an email client that supports SSL encryption. This is the same file used for IMAP SSL (see above).
SMTP - exim
SMTP is the protocol used to transfer emails (client to server and server to server), but not for clients to receive email, just to send. This may be confusing to people who aren't technically oriented, so yes, there are two protocols: one to receive emails and another to send them. SMTP is the one for sending, and it is also what servers use to transport emails around.
SMTP is encrypted via SSL on port 465 (unencrypted SMTP uses port 25). SMTP is served by "exim", a widely used mail transport agent (MTA), also known as a good replacement for the older sendmail. Sendmail is another MTA, also very popular, but older and much harder to configure. Since cPanel/WHM uses exim, we'll focus on that one only.

Code:
The SSL certificate (CRT) for SMTP is stored in the file:
/etc/exim.crt
The private key (KEY) for SMTP is stored in the file:
/etc/exim.key
Place your CRT in the exim.crt file and your KEY in the exim.key file (make a backup of the existing files first).
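As an added example that is not part of the original post, the shell functions below tie the CSR/KEY/CRT explanation at the top together with the three installation recipes above: they generate a KEY and CSR, self-sign it, and install the result for courier-imap/POP3 (one file, KEY then CRT) and for exim (two files), with the backup the post asks for and a check that the KEY really belongs to the CRT before anything is overwritten. The hostname mail.example.com, the scratch-directory parameters and the openssl invocations are my assumptions, not commands from the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate a KEY + CSR, self-sign it
# (the "self signed" case above), then install the result the way the post
# describes for courier-imap/POP3 (cpanel.pem = KEY then CRT) and for exim
# (exim.key / exim.crt). Target paths are parameters so the functions can be
# tried against a scratch directory; the defaults are the post's real paths.
# Assumes the openssl command-line tool is installed.

# Generate KEY + CSR for hostname $2 in directory $1. Only the CSR is ever sent
# to a CA; here we sign it with our own KEY, which gives a self-signed CRT.
make_selfsigned() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -out "$1/$2.crt" 2>/dev/null
}

# A KEY belongs to a CRT only if both carry the same public key. Check it
# before overwriting anything, or the daemon will refuse SSL connections.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# The post's "make a backup first": keep a timestamped copy of $1 if it exists.
backup() {
    if [ -f "$1" ]; then cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"; fi
}

# courier-imap and POP3: KEY first, then CRT, in one file with nothing in
# between (cat does that when each PEM file ends with a newline). The file
# holds a private key, so it is written owner-only and swapped in with mv.
install_courier() {   # install_courier KEY CRT [PEMFILE]
    pem=${3:-/usr/local/cpanel/etc/cpanel.pem}
    key_matches_cert "$1" "$2" || { echo "KEY does not match CRT" >&2; return 1; }
    backup "$pem" || return 1
    (umask 077; cat "$1" "$2" > "$pem.tmp") && mv "$pem.tmp" "$pem"
}

# exim: CRT and KEY go to separate files.
install_exim() {      # install_exim KEY CRT [CRTFILE] [KEYFILE]
    crt=${3:-/etc/exim.crt}; key=${4:-/etc/exim.key}
    key_matches_cert "$1" "$2" || { echo "KEY does not match CRT" >&2; return 1; }
    backup "$crt" && backup "$key" || return 1
    cp "$2" "$crt" && (umask 077; cp "$1" "$key.tmp") && mv "$key.tmp" "$key"
}
```

After restarting the daemon, `openssl s_client -connect mail.example.com:993 </dev/null | openssl x509 -noout -fingerprint -sha256` should print the same fingerprint as `openssl x509 -in /usr/local/cpanel/etc/cpanel.pem -noout -fingerprint -sha256`; the same check on ports 995 and 465 covers POP3 and SMTP.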
Misc notes
- All certificates are in a plain text format (PEM, the text encoding of the X.509 format). This format looks like:

Code:
-----BEGIN CERTIFICATE-----
random characters here...
-----END CERTIFICATE-----

- courier-imap provides two scripts that can generate self signed certificates; they are located at /usr/lib/courier-imap/sbin or /usr/lib/courier-imap/share/ (mkimapdcert and mkpop3dcert).