This topic describes how to upload an SSL certificate to Alibaba Mail.
Why do I need an SSL certificate?
SSL certificates provide HTTPS encryption for webmail sites and mailbox applications. They encrypt email traffic in transit so that data cannot be stolen during transmission. The Alibaba Cloud SSL Certificate service provides a comprehensive and convenient solution for website encryption and application security. Hundreds of thousands of enterprise users trust our service.
Prerequisites
You have completed ICP filing for the domain name and added a CNAME record. You can access the Alibaba Mail web client using the format `mail.yourdomain.com`.
The mailbox is a paid service.
Purchase a domain name certificate for your mailbox
To purchase a domain name certificate, visit the Alibaba Cloud official website and search for Certificate Management Service.
For mailbox applications, you can purchase a wildcard domain name certificate, such as `*.aliyun.com`. Set Certificate Type to OV Certificate and Certificate Brand to GeoTrust. If you only need a single-domain certificate, purchase one for `mail.yourdomain.com`, such as `mail.aliyun.com`.
After you purchase the certificate, Alibaba Cloud provides certificates for different applications, such as Apache, Nginx, and IIS. For mailbox applications, download the certificate for Apache.
Upload an SSL certificate
Log on to the Alibaba Mail console using an administrator account. Go to the mail management page. Choose Enterprise Customization > Domain Management > SSL Certificate Management, and then upload the certificate.
You can enter the certificate content by selecting a file or by manually copying the content.
After you enter the certificate content, click Confirm to upload.
After the certificate is uploaded, you can view the information of the certificate in use on the SSL Certificate Management page. The certificate takes up to 24 hours to take effect.
If the certificate upload fails, the cause might be one of the following issues. Troubleshoot the issue based on the error message and resubmit the correct certificate content.
1. If the error message "Certificate and key do not match" or "Certificate file can only contain one certificate" appears, try swapping the certificate file and the certificate chain file, and then upload them again.
2. The certificate chain is incomplete.
3. The certificate does not match the domain name.
4. The signature algorithm is insecure. The SHA1 algorithm is not allowed.
5. The certificate has expired.
6. The certificate has been revoked.
7. We recommend using trusted certificate providers such as GeoTrust and GlobalSign.
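Several of the causes above (more than one certificate in the certificate file, certificate and key mismatch, domain mismatch, SHA1 signature, expiry) can be checked locally with the `openssl` command line before you upload. The script below is an added example, not part of the original Alibaba Mail documentation; its function names and the file names in the usage line are assumptions, and it does not check chain completeness or revocation.

```shell
#!/bin/sh
# Added example: local checks before uploading a mailbox certificate.
# Usage (file names are assumptions): sh precheck.sh cert.pem key.pem mail.yourdomain.com

# Number of PEM certificates in a file. The certificate file must hold exactly
# one; a higher count usually means it was swapped with the chain file.
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# True if the certificate ($1) and the private key ($2) carry the same public key.
key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if the certificate covers the host name (wildcards are handled by openssl).
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# True if the certificate is signed with SHA1, which the upload rejects.
sig_is_sha1() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -i 'Signature Algorithm' | grep -qi 'sha1'
}

# True if the certificate is still valid N seconds from now (default 0 = now).
valid_for() { openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1; }

# Run all checks; print one line per problem and return non-zero if any failed.
precheck() {
  rc=0
  [ "$(cert_count "$1")" -eq 1 ] ||
    { echo "certificate file must contain exactly one certificate"; rc=1; }
  key_matches "$1" "$2" || { echo "certificate and key do not match"; rc=1; }
  host_matches "$1" "$3" || { echo "certificate does not match $3"; rc=1; }
  if sig_is_sha1 "$1"; then echo "SHA1 signature is not allowed"; rc=1; fi
  valid_for "$1" || { echo "certificate has expired"; rc=1; }
  return "$rc"
}

if [ "$#" -eq 3 ]; then precheck "$@"; fi
```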
Use the SSL certificate
After the domain name certificate is uploaded, you can access the webmail service over HTTPS. Emails are now sent and received with SSL encryption.

