Mail Assure Help

Manage your own SSL Certificates

As an Admin user, instead of using the default system generated certificate, you can manage your own SSL certificates.

Step 1 - Generate a Certificate Signing Request and RSA key from Mail Assure

This step requires that you generate the CSR to send to the Certificate Authority (CA) when applying for a signed certificate. It is vital that you copy and store this information somewhere safe for use in the next steps, otherwise you will have to start this process all over again.

If you already have a Certificate (CRT), and the certificate key (KEY), the certificate signing request (CSR) and the Certificate Bundle (Root Intermediary Certificate) you can skip this step and go directly to step 4 - Step 4 - Upload SSL Certificates and RSA Key.

Before generating an SSL Certificate, ensure the following:
  • Web interface SSL matches the full hostname used to access the Mail Assure Control Panel
  • Incoming certificate matches the MX records
  • Outgoing certificate matches the SMTP hostname used
  1. In the Admin Level Control Panel, select Server > Certificates.
  2. In the Generate Certificate Signing Request (CSR) and RSA Key panel, click on the Generate CSR & RSA Key button.
  3. The Generate Certificate Signing Request (CSR) and RSA Key dialog is displayed.

  4. Enter the details (the Country, Organisation, Email and Server name fields are mandatory) and click Generate.
  5. The next dialog displays the CSR tab containing the Certificate Signing Request and the RSA key tab containing the RSA key.

  6. Copy the contents of the CSR and RSA key tabs - and paste them somewhere safe. You will need the CSR when applying for a signed certificate to the Certificate Authority (CA), and the RSA key will be used later on when uploading the certificate to Mail Assure. See Step 4 - Upload SSL Certificates and RSA Key.

Alternatively, you can Generate a KEY and CSR via a Terminal:

Generate a KEY and CSR via a Terminal

Generate a KEY via a Terminal

  1. Ensure you have OpenSSL installed on your machine.
  2. Create a key and sign the certificate with it using the following command:
  3. openssl genrsa -out 2048

    Replace with the hostname the certificate is intended for.

    The output should be similar to:

    Generating RSA private key, 2048 bit long modulus ......+++ .........................+++ e is 65537 (0x10001)

    The process takes a few seconds before you can go on to the next step.

    Keep the key safe - without it you can’t generate the certificate signing request (CSR). You also need the key later when uploading the certificate.

Generate the CSR via a Terminal

  1. After generating the private key, create the CSR using the following command:
  2. openssl req -new -key -out

    Replace with the hostname the certificate is intended for.

  3. You are asked to enter some information. Enter the details but do not set a challenge password - press Enter when asked.
  4. You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: NL State or Province Name (full name) [Some-State]: State Locality Name (eg, city) []: Cityname Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Name Organizational Unit Name (eg, section) []: Department Common Name (eg, YOUR name/FQDN) [] Email Address [] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

    The Common Name is important and should match your server CNAME/ Control Panel Hostname settings.

    If, for example, your Control Panel is hosted at, you should enter this as the Common Name. DO NOT enter HTTP:// or HTTPS://

Step 2 - Send the generated CSR to your Certificate Authority (CA)

The CA, on receipt of the CSR, will send you the signed certificate you need. You will also need to download any intermediate certificate(s) and root certificates from the certificate provider's website. (Make sure that you get both intermediate and root certificates and not just the root one as this will not be accepted by the system).

Step 3 - Create PEM file containing certificates and RSA key

Once you have all the information you need from the Certificate Authority, you need to create a PEM file containing (and in the following order):

Next, you need to upload the PEM file to Mail Assure - See Step 4 - Upload SSL Certificates and RSA Key.

Step 4 - Upload SSL Certificates and RSA Key

Once you receive the certificates from the Certificate Authority (CA) and create the PEM file containing these certificates and the RSA Key, you can then upload the PEM file to Mail Assure.

If you already have a wildcard certificate for your domain, you can upload it, but you must ensure the certificate matches your Fully Qualified Domain Name (FQDN) or the browser will display an error stating that the certificate is invalid.

  1. In the Branding > Certificates page, in the Certificate for HTTPS Connections panel, click on Browse and locate the PEM file containing the certificates and RSA key.
  2. A message will be displayed at the top of the page indicating if the upload was successful or not.

  3. Click Save.

You can also upload the certificates from the Admin Level Control Panel in the Branding Management page - see Upload Certificate Bundle Manually.