Help Center

Knowledge Base Home

Call Support

Search the Knowledge Base

Skip to end of metadata
Go to start of metadata


Netmail Archive 5.x
Netmail Archive 6.x


For organizations wishing to access Netmail Search over SSL without getting a certificate warning, it is possible to configure Search to use a trusted certificate.


If you don't have the certificate and need to generate a new request:

  1. Download openssl for Windows from and unpack to a convenient folder.

  2. Copy the openssl.cnf file to the openssl bin directory.

      3. From the openssl bin directory, open a command prompt with elevated privileges.

      4. Using the Fully Qualified Domain Name (FQDN) for which you will request the certificate, run the following command:

           openssl genrsa -des3 -out <NameOfYourCertificate>.key 2048

  • This command will generate a .key file that will be used in the next step. Do not lose the .key file as it is needed throughout this process
  • You will be prompted to enter a passphrase. Make sure that you do not lose or forget it

     5. At the same command prompt, run the following command:

         openssl req -new -key <NameOfYourCertificate>.key -out <NameOfYourCertificate>.csr -config openssl.cnf

  • This will create a .csr file that you will send to a CA, such as Entrust or GoDaddy
  • You will be prompted for the key file passphrase, location information (country, state, city, organization name, organizational unit (e.g., IT) and common name. Note that the common name is the FQDN for which you are requesting the certificate.
  • Create a challenge password and keep it safe; your CA may request it

     6. Send the .csr file to your CA.


Once in possession of a certificate in PEM format (.cer/.crt):

     7. Once you receive the certificate file (.cer/.crt) from your CA, copy and paste it to the openSSL bin directory; the .key file generated in Step 4 must also be in the bin folder.

     8. From the openssl bin directory, open a command prompt with elevated privileges and run the following command: 

        openssl pkcs12 -export -in <NameOfYourCertificate>.cer -inkey <NameOfYourCertificate>.key -out keystore.p12 -name jetty -CAfile <NameOfYourBundle>.cer -caname root

  • This command will generate a file called keystore.p12. You will be prompted to enter an export password.

Do not lose the export password or you will not be able to access Netmail Search!


Once in possession of a certificate in PKCS12 format (.p12/.pfx):

     9. On a machine configured with Java version 6+ (a.k.a.  Java 1.6 or more recent) copy and paste the keystore.p12 file to the Java bin folder; default location is C:\Program Files (x86)\Java\jre6\bin.

   10. From the java bin folder, open a command prompt with elevated privileges and run the following command:

        keytool -importkeystore -deststorepass <export password> -destkeypass <keyfile passphrase> -destkeystore jexcon_keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass <export password> -alias jetty


If the certificate was not generated using the command in Step 8, then the alias in the certificate maybe different than 'jetty'. To find the right alias to use, run this command:

keytool -list -keystore <CertificateFile> -storetype PKCS12

The very first word in the entry is the alias.


  • This command will generate a file called jexcon_keystore.jks
  • Copy and paste jexcon_keystore.jks to the Remote Provider folder, whose default location is C:\Program Files (x86)\Messaging Architects\RemoteProvider

   11. Locate the jetty-ssl.xml file in the Remote provider folder and create a backup.

   12. After creating the backup, edit the jetty-ssl.xml file to be able to connect to the proper keystore path (the jetty-ssl.xml file is also located in the Remote Provider folder):

  • Change the two lines referencing C:\Program Files (x86)\Messaging Architects\RemoteProvider\keystore to C:\Program Files (x86)\Messaging Architects\RemoteProvider\jexcon_keystore.jks
  • Change the port to the one you want to access via SSL
  • Ensure that the passwords for the keyStorePassword, keyManagerPassword, and trustStorePassword parameters are the same as those you entered when you created the keystore

   13. In the xgwxmlv.cfg file (also located in the Remote Provider folder), modify the provider.ssl parameter so that its value is set to true (provider.ssl=true).

   14. Restart the Netmail AWA Remote Provider service.

It should now be possible to access Netmail Search via https:\\<FQDN> from outside the organization.


Help us improve!
Is this article helpful?
Is it well written?
Is the content complete?

  • No labels

1 Comment

  1. A good way to confirm they match is to compare an md5 hash of the private key modulus, the certificate modulus, or the CSR modulus. You can check whether a certificate matches private key, or a CSR matches a certificate on your own computer by using the OpenSSL commands below:

    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5

    Also, if you happen to have the pfx file you can extract the private key and certificate from it as well.

    1. Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
    2. Run the following command to export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
    3. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
    4. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key