Seasoned network engineer, I’ll admit I’ve a bare-arsed baby’s knowledge on SSL certs though and am hoping for a bit of guidance on going through a cert renewal.
That said, I’m running hMail on a Windows 10 box, 4 domains hosting mail. No IIS, no webservers, just hMail.
I managed to get hMail up and running great. Using CTW, I was able to get my first Let’s Encrypt certs for all 4 domains, and the wildcard sub for each for a total of 8 hosts (i.e. harmfamily.com and *.harmfamily.com) on the one certificate. I read this was the easiest and preferred method for this and so far it works great.
I used DNS auth via GoDaddy DNS API for authentication. The “acme” keys in DNS were created and I got a certificate.
For hMail to use these for SSL/TLS, I had to go find my actual cert file in C:\ProgramData\Certify\certes\assets\pfx, and then command line openssl to extract the certificate and key to .pem and .key files. I create a “certs” pair in hMail by giving it these 2 files and a name, “certs”. Lastly, these certs are bound to appropriate SMTP ports to handle the encryption of the mail.
Everything is working perfectly at this point. However, my first 30 days are up soon, and CTW is set to autorenew. Here are the questions:
I understand there is a CTW service running that will attempt to renew the certificate at this 30 day mark. Assuming it completes correctly, I’ve set it to deploy to Certificate Store only. Does this mean it will put a second, identical certificate (aside from a later expiration date) in the same path (C:\ProgramData\Certify\certes\assets\pfx), as well as in the mmc snapin for certificates, where I will see now 2 certificates, one expiring later than the other?
Knowing I had to manually extract the certificate.pem and private.key from my original certificate using command line openssl to make it work with hMail, do I NEED to do this again, then recreate a new “certs” with these new keys so hMail is updated, OR, will that first .pem/.key set still continue to function?
Nothing is changing on the server. No new or deleted domains, etc.
I think that’s all I’m looking for at the moment. I have read a lot and just can’t find enough information that pertains to my situation that gives me confidence I won’t manage to screw this up somehow. Everything is working flawlessly but I have to get comfortable with this new-to-me certificate renewal process, and until I get a few successes under my belt, I hope I can ask a few questions here and there.
Sorry for the War and Peace uncut edition, just wanted to provide enough background to help you help me. :). Not sure I succeeded, but I tried and I’m happy to clarify if needed. I’d be very grateful for any assistance and guidance, thanks all.