The way the internet has evolved means that today, securing connections is all but a prerequisite. To encrypt connections and make sure that whoever you are communicating with is who they claim to be, you need a certificate.
Let’s Encrypt provides free, browser-trusted certificates. Its key advantage (within a DevOps philosophy) is that it is easy to use, which makes it easy to automate a certificate management process that can otherwise be complex.
In BlueMind, from version 4.7, everything to do with certificate management is automatic and natively supported: creation, installation and, most importantly, renewal. Once it is set up, you can forget about certificates and let BlueMind handle things.
Should an issue arise during certificate renewal, a warning email will be sent every day for five days before the certificate’s expiry, to the address provided when Let’s Encrypt was activated.
The certificates are available on all the servers of the BlueMind install.
Let’s Encrypt and domain-specific URLs
Domain-specific URLs are used to manage several clients or domains on a single BlueMind install by offering a specific login URL for each client. This is particularly useful for shared platforms:
- The host only has one BlueMind install to maintain,
- Each client can have its own login URL,
- Everything is automatic, whatever the BlueMind architecture (with an Edge server or not…). The only prerequisite is for DNS to be up to date.
BlueMind still has a main access URL, which can be found in the system configuration section of the admin console. You can find out more about this in our technical documentation, Section 1.1 on external URL configuration (in French).
A certificate can be associated with this URL in the admin console’s “Edit the certificate” section – Sections 4.1 and 4.2 of this page (select English as the page language) on certificates for BlueMind version 4.
You can now specify an external URL for each domain (Section 2 on external URL configuration). If a specific URL is set for a domain, this domain can be associated with a dedicated certificate (Section 4.3).
If a specific URL is set for a domain but no dedicated certificate has been set up, the main certificate will be used.
In the certificate management pages (main or domain-specific), a certificate can be added as a file, or one can be obtained directly from Let’s Encrypt. You do need to make sure, however, that the server the bm-core service is running on is able to access the Let’s Encrypt URL, https://letsencrypt.org.
Limitations and rules
- HTTPS: domain-specific certificates are used for HTTPS (web, API, MAPI, etc.) access only.
- At the IMAP/SMTP level, the main certificate is always used.
- From BlueMind 4.8, additional DNS names can be provided. Let’s Encrypt generates a certificate for all these names. This can be used to define names for MAPI auto-setup, for instance.
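The fallback rule above means a domain-specific URL without a dedicated certificate is served with the main one, which a browser only accepts if that certificate's names cover the URL's host. The following is an added example, not BlueMind code, that audits this for HTTPS access; the hosts, the dict layout and the `audit` and `name_matches` helpers are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

WARNING_WINDOW = timedelta(days=5)  # the five-day renewal warning period described above


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:]


def audit(main_cert: dict, domains: dict, now: datetime) -> dict:
    """Return {external_url_host: (cert_used, [findings])} for HTTPS access."""
    report = {}
    for host, dedicated in domains.items():
        # No dedicated certificate set for the domain: the main one is used.
        used, cert = ("dedicated", dedicated) if dedicated else ("main", main_cert)
        findings = []
        if not any(name_matches(n, host) for n in cert["names"]):
            findings.append("hostname not covered")
        if cert["not_after"] <= now:
            findings.append("expired")
        elif cert["not_after"] - now <= WARNING_WINDOW:
            findings.append("expires within 5 days")
        report[host] = (used, findings)
    return report


# Constructed sample data (hypothetical hosts, not taken from a real install).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAIN = {"names": ["mail.host.example", "*.host.example"],
        "not_after": NOW + timedelta(days=60)}
DOMAINS = {
    "client-a.host.example": None,  # falls back to main; wildcard covers it
    "mail.client-b.example": None,  # falls back to main; main cert lacks this name
    "mail.client-c.example": {      # dedicated cert with an additional DNS name
        "names": ["mail.client-c.example", "autodiscover.client-c.example"],
        "not_after": NOW + timedelta(days=3)},
}

if __name__ == "__main__":
    for host, (used, findings) in audit(MAIN, DOMAINS, NOW).items():
        print(f"{host}: {used} certificate, {', '.join(findings) or 'ok'}")
```

On a live install, the `names` and `not_after` values would come from the certificate each URL actually presents rather than from a hand-written table.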
For any additional information about securing BlueMind and certificates, please contact our team.