Convert LetsEncrypt cert into cer and key for HMailserver


You can convert Let's Encrypt's .pem files into the .cer and .key files needed by HMailServer by either renaming the files directly or by using OpenSSL to formally convert them. Since HMailServer reads the same text-based PEM format, a simple rename is often all you need.



## 1. Understanding Your Let's Encrypt Files


First, you need to locate the files generated by your Let's Encrypt client (like Certbot or Win-ACME). You're interested in two specific files:

  • fullchain.pem: This file contains your server's certificate followed by the intermediate certificates. Using the full chain is crucial to ensure email clients trust your certificate without errors.

  • privkey.pem: This is your certificate's private key. Keep this file secure and private!



## 2. Conversion Methods


You have two main options to get the files ready for HMailServer.


Method 1: Simple Rename (Easiest)


This method works because HMailServer typically expects its .cer and .key files in the same text-based PEM format that the source .pem files already use.

  1. Navigate to the directory where your Let's Encrypt certificates are stored (e.g., for Certbot on Windows, it might be C:\Certbot\live\yourdomain.com\).

  2. Copy fullchain.pem and rename the copy to yourdomain.cer (or any name you prefer, as long as it ends in .cer).

  3. Copy privkey.pem and rename the copy to yourdomain.key.

That's it! You now have the two files HMailServer needs.


Method 2: Using OpenSSL (The "Proper" Way)


If you want to be more formal or if the simple rename doesn't work, you can use OpenSSL. Many tools, like Git for Windows, come with OpenSSL included.

  1. Install OpenSSL if you don't have it. You can download it for Windows from various official distributors.

  2. Open a command prompt or PowerShell and navigate to your certificate directory.

  3. Run the following commands:

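    To create the certificate file:

    ```bash
    openssl x509 -in fullchain.pem -out yourdomain.cer
    ```

    To create the key file:

    ```bash
    openssl rsa -in privkey.pem -out yourdomain.key
    ```

    These commands write the content into new files, ensuring they are correctly formatted as an X.509 certificate and an RSA private key, respectively. Note that openssl x509 reads only the first certificate in fullchain.pem, so the resulting yourdomain.cer holds the server certificate without the intermediates, whereas the renamed copy from Method 1 keeps the full chain. openssl rsa accepts RSA keys only.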
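A pre-deployment check for the two files produced by either method, added here as an example (it is not part of the original page or of hMailServer). It reports a .cer that has lost its intermediates, a .key that is not a single unencrypted PEM private key, and a key that does not match the certificate. It assumes Python 3 is available on the server and that the service cannot be given a key passphrase; the function names are illustrative.

```python
import base64
import re
import ssl
import sys

# Added example, not from the page; function names are illustrative.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(data: bytes) -> list:
    """Labels of all PEM blocks in data; ValueError if a body is not base64."""
    labels = []
    for label, body in PEM_RE.findall(data.decode("ascii", errors="replace")):
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels

def check_files(cer: bytes, key: bytes) -> list:
    """Return a list of problems; an empty list means the pair looks usable."""
    try:
        cer_labels, key_labels = pem_labels(cer), pem_labels(key)
    except ValueError:
        return ["a PEM block is not plain base64 (corrupt or legacy-encrypted)"]
    problems = []
    certs = cer_labels.count("CERTIFICATE")
    if certs == 0:
        problems.append(".cer has no PEM certificate (DER or wrong file?)")
    elif certs == 1:
        problems.append(".cer holds only the leaf; intermediates are missing")
    keys = [l for l in key_labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(".key must hold exactly one PEM private key")
    elif keys[0].startswith("ENCRYPTED"):
        problems.append(".key is passphrase-encrypted (assumed unusable)")
    return problems

def key_matches_cert(cer_path: str, key_path: str) -> bool:
    """True if OpenSSL accepts the key as the pair of the first certificate."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cer_path, key_path)
        return True
    except ssl.SSLError:
        return False

if __name__ == "__main__" and len(sys.argv) == 3:
    cer_path, key_path = sys.argv[1:]
    with open(cer_path, "rb") as c, open(key_path, "rb") as k:
        problems = check_files(c.read(), k.read())
    if not problems and not key_matches_cert(cer_path, key_path):
        problems.append("private key does not match the certificate")
    sys.exit("\n".join(problems) or None)
```

Run it with the .cer path and the .key path as its two arguments; exit status 0 with no output means every check passed.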



## 3. Configuring HMailServer 📜


Once you have your .cer and .key files, you can add them to HMailServer.

  1. Open HMailServer Administrator.

  2. Navigate to Settings -> Advanced -> SSL certificates.

  3. Click the Add... button.

  4. In the "Name" field, give your certificate a descriptive name (e.g., yourdomain.com LE Cert).

  5. For the Certificate file, click "..." and browse to your newly created yourdomain.cer file.

  6. For the Private key file, click "..." and browse to your yourdomain.key file.

  7. Click Save.

Now, you must assign this new certificate to your email services (SMTP, IMAP, etc.).

  1. Go to Settings -> Protocols -> SMTP and select the SSL/TLS tab.

  2. From the SSL Certificate dropdown menu, select the certificate you just added.

  3. Repeat this step for your POP3 and IMAP services under their respective settings.

  4. Click Save to apply all changes. The server may need a restart to begin using the new certificate.



## 4. Important: Automation is Key 🔑


Let's Encrypt certificates are only valid for 90 days. You must automate the renewal process to avoid service interruptions. Most Let's Encrypt clients allow you to run a script after a successful renewal.

You can create a simple batch script (.bat) to copy the new files and restart the HMailServer service automatically.

Example renewal_script.bat:

```bat
@echo off
REM Set your domain and certificate paths (no trailing backslash, no embedded quotes)
SET "DOMAIN=yourdomain.com"
SET "CERT_PATH=C:\Certbot\live\%DOMAIN%"
SET "HMAIL_SSL_PATH=C:\Program Files (x86)\hMailServer\Externals\SSL"

REM Copy the new certificate and key; stop without restarting if either copy fails
copy /Y "%CERT_PATH%\fullchain.pem" "%HMAIL_SSL_PATH%\%DOMAIN%.cer" || exit /b 1
copy /Y "%CERT_PATH%\privkey.pem" "%HMAIL_SSL_PATH%\%DOMAIN%.key" || exit /b 1

REM Restart hMailServer to apply the new certificate
net stop hmailserver
net start hmailserver

echo Certificate for %DOMAIN% renewed and HMailServer restarted.
```

Configure your Let's Encrypt client (e.g., Win-ACME) to execute this script upon successful renewal. This ensures your mail server always has a valid, up-to-date certificate without any manual work.


