Add SSL Certificate


This topic only applies to VPOP3 Enterprise.

If you want to use session encryption for connections to VPOP3 Enterprise then you need to install a certificate. The certificate should be for the server name used to connect to your VPOP3 server, eg or You should have a name defined in your domain's DNS records for this server name (an A, AAAA or CNAME record), and your email clients should be configured to use that name when connecting to the server. If you don't do this, then you may get warnings that the certificate name doesn't match the server name. In that case, the connection will still be encrypted, but you lose the assurance that you are connecting to the correct server and are not subject to a man-in-the-middle attack.

VPOP3 requires the certificates to be in the common PEM format. This is different from the format used by some other Windows software such as IIS, but it is used by other software, including most Linux servers, so it is commonly supported.


Generating and using certificates can be complicated, so we recommend purchasing them either directly from us or from another company which can help with getting them in the correct format for you. If you can get the private key & certificate chain in a format suitable for a web server such as Apache, then that same private key and certificate chain can be used with VPOP3. Unfortunately, we cannot help with converting private keys & certificates from other formats to PEM format, but there are articles on the Internet explaining how to do this using command-line tools such as OpenSSL.

Basic Steps

The basic mechanism is that you need to generate a CSR (Certificate Signing Request) and Private Key file for your server name using a tool such as OpenSSL or similar. You then submit the CSR to a Certificate Authority such as GeoTrust, Thawte, Comodo or others, and prove your identity to them to show that you are eligible to use that server name (this proof may be as simple as replying to an email to the chosen domain, or as complex as having to send authenticated documents through to them depending on the certificate requirements).

The Certificate Authority will then reply with a signed certificate. You should append the "certificate chain" certificates (supplied by the CA) onto the supplied certificate and install them into VPOP3.

To load the certificate into VPOP3, go to Services -> General -> SSL Settings. Copy & paste the private key PEM file (including the leading -----BEGIN PRIVATE KEY----- and trailing -----END PRIVATE KEY----- lines) into the SSL Private Key box and copy & paste the full certificate chain (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) into the SSL Certificate Chain box, and restart VPOP3.


Using OpenSSL

The instructions below use the command-line OpenSSL tool. You can obtain a pre-compiled version of this toolset from Shining Light Productions.

To generate a CSR and Private Key file, at a command prompt in the OpenSSL\bin directory, run:

openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout vpop3sslk.pem


Enter the details requested by the tool. The most important value is the Common Name value which should be the server DNS name - eg


This will create two files: vpop3sslk.pem is the file you need to install into the VPOP3 SSL Private Key box, csr.csr is the file you need to send to the certificate authority for signing.


Once you have the signed certificate back from the certificate authority, open it in Notepad++ or a similar text editor and append the certificate chain files required by your certificate authority (these are different for different CAs, and change from time to time so we cannot tell you exactly what to do here). Then copy & paste all that into the SSL Certificate Chain box in VPOP3.
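
A pre-paste check for the two values described above, as an added example that is not part of the VPOP3 documentation: it confirms that each PEM block has matching BEGIN/END lines and a complete body, that the key text holds exactly one unencrypted private key, and that the chain text holds only certificates, with the CA chain appended. The function names, the accepted key labels and the constructed sample are assumptions of this example; it checks PEM structure only and does not verify that the key belongs to the certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY")  # assumption: unencrypted key labels


def der_complete(der):
    """True if der is one DER SEQUENCE whose length header matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:  # short form: the length fits in one byte
        return len(der) == 2 + der[1]
    k = der[1] & 0x7F  # long form: the next k bytes hold the length
    return 0 < k <= len(der) - 2 and len(der) == 2 + k + int.from_bytes(der[2:2 + k], "big")


def parse_box(name, text):
    """Return (labels, problems) for the text pasted into one settings box."""
    found, problems = PEM_BLOCK.findall(text), []
    if text.count("-----BEGIN ") != len(found) or text.count("-----END ") != len(found):
        problems.append(f"{name}: BEGIN/END lines missing or mismatched")
    for label, body in found:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            der = b""
        if not der_complete(der):
            problems.append(f"{name}: {label} block is truncated or corrupted")
    return [label for label, _ in found], problems


def lint_ssl_boxes(key_text, chain_text):
    """Check the private key and certificate chain text before pasting it in."""
    key_labels, problems = parse_box("key", key_text)
    chain_labels, chain_problems = parse_box("chain", chain_text)
    if len(key_labels) != 1 or key_labels[0] not in KEY_LABELS:
        problems.append(f"key: expected one unencrypted private key, found {key_labels}")
    if any(label != "CERTIFICATE" for label in chain_labels):
        problems.append("chain: non-certificate block present (private key pasted here?)")
    if chain_labels.count("CERTIFICATE") < 2:
        problems.append("chain: fewer than two certificates, CA chain not appended")
    return problems + chain_problems


def fake_pem(label):
    """Constructed sample: a 5-byte placeholder DER body, not a real key or certificate."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

To use it on real files, read vpop3sslk.pem and the assembled chain file as text and pass both strings to lint_ssl_boxes; an empty list means no structural problem was found.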

