Knowledge Base Home

Call Support

Search the Knowledge Base

Skip to end of metadata
Go to start of metadata


Messaging Architects Netmail Secure 5.x


By default, Netmail Secure uses a self-signed certificate for securing client communication. For various reasons, some organizations may require the use of a certificate validated by a public Certificate Authority (CA). Secure uses OpenSSL to generate Certificate Signing Requests (CSRs) as well as private keys.


For submission to a CA, and how to replace the default certificate file with the one returned from the CA.

1. The private key and certificate files are stored in the following directory:

  • /opt/ma/netmail/var/dbf, or
  • /opt/ma/netmail/var/netmail/dbf

Due to security considerations for the private key file, you need to have super user rights to read or modify the directory contents. In order to have super user rights, type sudo su from the command line, and then press Enter.

2. Change your working directory to the certificate directory by typing: cd /opt/ma/netmail/var/dbf or /opt/ma/netmail/var/netmail/dbf.

3. The names of the private key file and certificate file are osslpriv.pem and osslcert.pem respectively.

Important: Netmail Secure will only look for files with these names. If you use other files, you should rename the files using these names.

Note: If you prefer to generate a new private key file, please refer to the following OpenSSL HOWTO for more details:

4. Generate a new certificate signing request, using the current private key file: openssl req -new -key ./osslpriv.pem -out ./certreq.csr

Important: Do not enter a challenge password in your CSR or users will be prompted EVERY TIME a new secure session is initiated.

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (e.g., city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g., YOUR name) []: <your_public_dns_name>
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

5. Submit the CSR (certreq.csr) to your preferred CA requesting a certificate in PEM or Apache format.

6. After the CA provides the certificate, copy the supplied .cer, .crt or .pem file to the certificate directory: /opt/ma/netmail/var/dbf or /opt/ma/netmail/var/netmail/dbf. If you are using a key you generated yourself, copy the .key file to the same directory: /opt/ma/netmail/var/dbf or /opt/ma/netmail/var/netmail/dbf.

Important: The private key is required to use the signed certificate you receive from the CA. If you lose the private key, the certificate is useless.

7. Move the old certificate file to another directory & rename: mv ./osslcert.pem /home/netmail/osslcert.pem.old. If using your own key, also move and rename the existing key: mv ./osslpriv.pem /home/netmail/osslpriv.pem.old.

8. Rename the .cer, .crt or .pem certificate file: mv ./<certificate_name>.cer ./osslcert.pem. If using your own key do the same for the key file: mv ./<key_name>.key ./osslpriv.pem

9. Restart Services

service netmail stop
service netmail start

10. Verify your new certificate by directing your browser to the Quarantine/Secure Login or Administration Console via HTTPS: https://<your_public_dns_name>.


For more information on using OpenSSL, please see