This guide walks you through how to generate a CSR (Certificate Signing Request) on Kerio Connect, the mail server now sold as GFI Kerio Connect since GFI Software acquired Kerio Technologies in 2017.
The product name on the wire and inside the admin console is still Kerio Connect, so the menu paths below match what you see on every version in current support, including the 10.0.x line shipped through 2026.
You generate the CSR inside the Kerio Connect administration console rather than at the shell. The console stores the private key on the server next to the pending request, which means the signed certificate the CA returns can only be imported back into the same Kerio Connect installation that produced the request. Sign in to the admin console as an administrator on the server you want to secure, then follow the steps below.
Generate a CSR on Kerio Connect
Step 1: Open the SSL Certificates screen
Log in to the Kerio Connect administration console (the web interface usually served at https://your-mail-server:4040/admin). In the left navigation, go to Configuration > SSL Certificates. The pane on the right lists every certificate and pending request already on this server, with the active certificate marked as default.
Step 2: Start a New Certificate Request
Click New at the top of the list, then choose New Certificate Request. The New Certificate dialog opens. (The button labeled New Certificate in the same menu creates a self-signed certificate; for a publicly trusted certificate you want New Certificate Request, which produces a CSR you submit to your Certificate Authority.)
Step 3: Fill in the Distinguished Name fields
Use only standard ASCII characters. Non-Latin letters, smart quotes pasted in from a word processor, and accented characters break the CSR. Fill in the form as follows:
- Host Name: the fully qualified domain name (FQDN) clients use to reach the server, for example mail.example.com. For a wildcard certificate, put an asterisk in front of the apex domain, for example *.example.com.
- Organization Name: the full legal name of your company, exactly as registered. This field is verified by the CA for Organization Validation (OV) and Extended Validation (EV) certificates. For Domain Validation (DV), it is ignored, so any short placeholder works.
- Organizational Unit: a department label such as IT. The CA/Browser Forum has deprecated this attribute, so most CAs strip it from the issued certificate. Leave it blank or set a minimal value.
- City: the city where your organization is registered, written in full (for example Los Angeles, not LA).
- State or Province: the full state or province name (for example California, not CA).
- Country: pick your country from the drop-down. Kerio Connect writes the matching two-letter ISO 3166 code into the request.
Click OK. Kerio Connect generates the private key on the server and adds the new request to the SSL Certificates list. The entry is marked as a pending certificate request (not yet a usable certificate) until you import the signed file the CA returns.
Step 4: Export the CSR
Select the request you just created in the list, then click Export > Export Request. Save the file to your computer (Kerio Connect writes it as request.csr by default). Open the file in a plain-text editor such as Notepad, TextEdit (in plain-text mode), nano, or vi. You will see a block like this:
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
... (many lines of base64) ...
-----END CERTIFICATE REQUEST-----
Copy the entire block, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST marker lines (each marker has exactly five hyphens on either side, no spaces). Paste it into the CSR field on your SSL certificate order form. The CA will validate the request and issue your certificate.
Check the CSR before you submit it (optional)
Before pasting the CSR into the order form, it is worth confirming the Common Name and key size are what you expect. Paste the contents of request.csr into SSL Dragon’s Decode CSR tool to read back every field. If the CN, organization, country, or key length looks wrong, return to the admin console, delete the pending request, and start over before submitting to the CA.
On the Kerio Connect host itself, the equivalent command-line check with OpenSSL is:
openssl req -noout -text -in request.csr
Import the signed certificate back into the same server
When the CA returns the signed certificate, you must import it into the same Kerio Connect installation that produced the CSR. The private key never leaves the server, so the issued certificate has to pair with the key stored next to the pending request. In the admin console, go to Configuration > SSL Certificates, click Import > Import Signed Certificate from CA, and select the .crt file the CA sent you.
The Import Signed Certificate from CA option is grayed out unless a matching certificate request exists on the same server. If you generated the CSR somewhere else (for example, with an off-server tool), Kerio Connect has no private key to pair the signed certificate with, and you have to import the certificate together with the matching key in PEM format using Import > Import New Certificate instead.
For the full installation flow, including how to set the certificate as default and add the intermediate (CA) chain in the sslca folder, see how to install an SSL certificate on Kerio Connect.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


