Shortcut to this article: opensrs.help/ssl-installation
If you are interested in covering your brand/company's hosted email domain with an SSL so your customers can browse to the Webmail address of mail.domain.tld and use that URL for your incoming/outgoing mail servers on email software, you've come to the right place. We already provide free SSL connections to end-users who wish to use SSL to access the webmail or configure their email clients(Outlook, Mac Mail, Thunderbird, etc.). You will not need to maintain or pay for the SSL certificate if you use our default mail servers for your email service.
Cluster A: mail.hostedemail.com OR mail.emailhome.com
Cluster B: mail.b.hostedemail.com OR mail.mailconfig.net
However, if you would like your customers to access Webmail over a custom subdomain URL (e.g., mail.acmeinc.biz) that is covered by an SSL, we can install the SSL certificate for you on our hostedemail servers. To get started, make sure that the domain (e.g., acmeinc.biz) exists under the Email section in the Reseller Control Panel. Also, please map your subdomain (e.g., mail.acmeinc.biz) to our email server using a CNAME record.
- Options for SSL installation
- Installation costs
- Frequently asked questions
- Can a reseller account have multiple custom SSL subdomains?
- If I already have a certificate containing the SAN I want to use, can I provide that for installation?
- If I purchase a wildcard certificate, can I have unlimited subdomain email logins?
- Can the certificate be installed on a root domain?
- Can I have you install a certificate that is installed on many other servers I own? (For a SAN certificate)
Options for SSL installation
CSR generated by OpenSRS
OpenSRS generating the CSR is the preferred option for security concerns. If you are choosing to have the CSR generated by us, but you are purchasing the SSL, we require the below details to generate the CSR.
|Subdomain to use (e.g., mail.acmeinc.biz)||Data Required|
|State (full state name)||Data Required|
|Locality (full city name)||Data Required|
|Organization (full legal company or personal name)||Data Required|
|Organizational Unit (branch of the organization)||Optional|
Please email us the required information. We will then generate a CSR for you that can be used to purchase an SSL certificate. The certificate can be purchased through the OpenSRS control panel or from other providers. When ordering the certificate, please choose Apache or Apache+modSSL as the server type. We support 2048 bit encryption only, so please do not obtain a certificate with a higher or lower level of encryption.
CSR generated by the reseller
If you have already generated your own CSR and purchased the SSL, please contact our team to send us the private key along with the certificate details. A password-protected file is required to send us the certificate details, and you would need to call OpenSRS support to provide the password.
Certificate installation and renewal takes about one week, the complete process from start to finish may take two or more weeks (this would include CSR generation), so please allow ample time.
The MX records of your domains should be mapped to our hostedemail email server before requesting the installation. Unless you have a SAN covering their subdomain, their mail DNS record should be left blank or permanently redirected to your subdomain (e.g., mail.acmeinc.biz). They should be using your company's branded subdomain for the email service, not their own.
- Initial installation cost: $100
- Reissue of the SSL certificate: $100
- Renewal of the SSL certificate: $100
- Any situation where reinstallation is required: $100
Frequently asked questions
Can a reseller account have multiple custom SSL subdomains?
Yes, though it is not recommended. Each reseller should ideally have one subdomain, such as mail.acmeinc.biz, where all customers sign in. One single subdomain is right for brand reinforcement, as well as easier troubleshooting for your support staff. However, if you would still like to have multiple subdomains, you can provide us with one cert per subdomain or a SAN certificate containing all the subdomains you would like to have, such as webmail.acmeinc.biz, mail.betacorp.com, centicorp.email, finance.foxtrotcorp.org.
Some certificate vendors allow up to 100 SANs per certificate. For this setup, however, please keep in mind the following caveats:
- If you add/remove common names from your cert and need the cert reinstalled, the installation fee of $100 applies per reinstall.
- If the end-user checks the content of the cert, they will see all the SANs listed on the cert.
- Since an IP is assigned to the cert, the reverse DNS lookup of that IP will be assigned to the primary subdomain on the cert. Please let us know if you prefer to have another subdomain for the IP in the PTR record.
The CNAME for these common names will need to be mapped to the right cluster to prevent browser certificate errors.
If I already have a certificate containing the SAN I want to use, can I provide that for installation?
Yes. Keep in mind that if you have to re-issue the cert for any reason and the cert has to be reinstalled on our end, the installation fee of $100 applies per reinstall. Please contact OpenSRS Support so we can obtain the private key from you in a secure manner.
If I purchase a wildcard certificate, can I have unlimited subdomain email logins?
Yes. If you provide a certificate such as *.acmeinc.biz, you can have an unlimited number of subdomains, such as mail.acmeinc.biz, signin.acmeinc.biz, email.acmeinc.biz, webmail.acmeinc.biz.
The CNAME for each subdomain would need to be mapped to the right cluster to prevent browser certificate errors.
Can the certificate be installed on a root domain?
Yes, the certificate can be installed on a root domain, such as acmeinc.biz. For such an installation, please request a CSR from us and purchase the certificate with the CSR. After the installation, we will reply with an IP address so that the root domain can be mapped to the IP.
Can I have you install a certificate that is installed on many other servers I own? (For a SAN certificate)
Yes, please see the above details, and reach out to us as we would require the private key securely sent to us, we will provide instructions for this.