In this tutorial, you will learn how to install an SSL certificate on Kerio Connect, importing your signed certificate in the administration console and then setting it as the default certificate for the mail server.
Generate a CSR code on Kerio Connect
If you have already generated your CSR and received the SSL files, skip part 1 and jump straight to the installation steps.
CSR stands for Certificate Signing Request, a block of encoded text that contains your contact details. The Certificate Authority (CA) uses the CSR to verify your credentials before issuing your certificate. Generating the CSR also creates the matching private key, which stays on the server. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on Kerio Connect.
When you order, copy the entire CSR text, including the BEGIN and END lines, and paste it into the box on the SSL certificate order page. Important: generate the CSR inside Kerio Connect itself. The Import Signed Certificate from CA option is grayed out unless a matching certificate request already exists on the same server, since the signed certificate has to pair with the private key created alongside that request.
Install an SSL certificate on Kerio Connect
After the CA validates your request and issues the certificate, download the ZIP archive and extract it on your computer. You should have your primary (server) certificate and one or more intermediate (CA) certificates. Kerio Connect expects the certificate as X.509 Base64 in text (PEM) format with a .crt file extension, which is the standard format most Certificate Authorities supply.
Step 1: Import the signed certificate
Log in to the Kerio Connect administration console and go to Configuration > SSL Certificates. Click Import > Import Signed Certificate from CA, then select the .crt server certificate file you received from the CA and confirm.
If you are importing an existing certificate and its private key from another system (rather than one issued from a CSR created here), use the import option that includes the key, and supply the key in PEM format.
Step 2: Set the certificate as default
Importing the certificate does not activate it on its own. In the SSL Certificates list, select the certificate you just imported and click Set as Default. In older Kerio Connect builds this button is labeled Set as Active. This tells the mail server to present this certificate for secured connections (SMTP, IMAP, POP3, and the web client).
Step 3: Add the intermediate (CA) certificates
The server certificate alone is not enough; clients need the intermediate chain to trust it. Kerio Connect gives you two ways to install the chain. Use whichever you prefer.
Method A: place the intermediates in the sslca folder
Stop the Kerio Connect server, copy each intermediate certificate file into the sslca folder, then start the server again. The sslca folder should contain only intermediate certificates. Its location depends on your operating system:
- Windows: C:\Program Files\Kerio\MailServer\sslca
- macOS: /usr/local/kerio/mailserver/sslca
- Linux: /opt/kerio/mailserver/sslca
Method B: combine the server and intermediate certificates into one file
If you would rather manage a single file, merge your server certificate with the intermediate certificate(s) before importing:
- Open your issued server .crt file in a plain-text editor (Notepad on Windows, or nano or vi on Linux and macOS).
- Paste the intermediate certificate directly below the server certificate. If the CA supplied more than one intermediate, paste them in order, each below the previous one.
- Save the file, then import and apply it in Kerio Connect.
The combined file should look like this, with the server certificate first and the intermediate(s) below it:
-----BEGIN CERTIFICATE-----
... contents of your server certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... contents of your intermediate certificate ...
-----END CERTIFICATE-----
Each BEGIN CERTIFICATE and END CERTIFICATE marker line uses exactly five hyphens on each side, with no spaces and no extra characters. A mangled marker line is the most common reason an import or chain fails.
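To catch a mangled marker before importing, the combined file can be linted offline. The script below is an added example, not part of the original tutorial or of Kerio Connect; it checks marker syntax and Base64 encoding only, not certificate order, and its sample body is a constructed stand-in rather than a real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Any line that is trying to be a certificate marker, well-formed or not.
MARKER = re.compile(r"(BEGIN|END)\s*CERTIFICATE")


def check_body(lines, no):
    """Decode one block's Base64 body; a DER certificate starts with 0x30."""
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return [f"line {no}: block body is not valid Base64"]
    return [] if der[:1] == b"\x30" else [f"line {no}: block body is not DER"]


def lint_bundle(text):
    """Return (blocks_found, problems) for a combined certificate file."""
    problems, count, body = [], 0, None  # body is None outside a block
    for no, line in enumerate(text.splitlines(), start=1):
        m = MARKER.search(line)
        if m is None:
            if body is not None:
                body.append(line.strip())
            elif line.strip():
                problems.append(f"line {no}: stray text outside a block")
            continue
        kind = m.group(1)
        if line != (BEGIN if kind == "BEGIN" else END):
            problems.append(f"line {no}: mangled {kind} marker {line!r}")
        if kind == "BEGIN":
            if body is not None:
                problems.append(f"line {no}: BEGIN before the previous END")
            body = []
        elif body is None:
            problems.append(f"line {no}: END without a BEGIN")
        else:
            problems += check_body(body, no)
            count, body = count + 1, None
    if body is not None:
        problems.append("file ends inside an unterminated block")
    return count, problems

# Constructed stand-in body (a tiny DER SEQUENCE), not a real certificate.
FAKE = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD = f"{BEGIN}\n{FAKE}\n{END}\n{BEGIN}\n{FAKE}\n{END}\n"
BAD = f"{BEGIN}\n{FAKE}\n{END} \n----BEGIN CERTIFICATE-----\n{FAKE}\n{END}\n"
```

Pass the text of your combined .crt file to lint_bundle; an empty problem list with a block count equal to the server certificate plus its intermediates means the markers are intact.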
After you set the certificate as default and install the chain, restart Kerio Connect so the new certificate is served. A restart is also required after a renewal or re-issue, even when the domain has not changed. That’s it. Your SSL certificate is now installed and active on Kerio Connect.
Test your SSL installation
After installing the certificate on Kerio Connect, run an SSL scan to confirm the certificate and the full intermediate chain are served correctly and to catch any errors. Because Kerio Connect secures several services, test the relevant ports: the web client on 443, secure IMAP on 993, secure POP3 on 995, and SMTP submission on 465 or 587. Use our SSL Checker to test your SSL certificate.
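The same port check can be scripted with a strict client that validates against the system trust store and does not fetch missing intermediates on its own. This is an added example, not code from the original tutorial or from Kerio; it assumes port 587 upgrades with STARTTLS while the other ports start TLS on connect, and the hostname is supplied by you on the command line.

```python
import smtplib
import socket
import ssl

# Ports named in the tutorial. Assumption: 587 upgrades via STARTTLS and the
# other ports start TLS immediately on connect.
PORTS = {443: "web client", 993: "IMAP", 995: "POP3", 465: "SMTP", 587: "SMTP"}
# OpenSSL verify codes for the failure causes the tutorial names.
CAUSES = {
    20: "issuer not found: intermediate chain missing or incomplete",
    21: "issuer not found: intermediate chain missing or incomplete",
    62: "hostname is not in the certificate's common name or SAN",
}


def explain(err):
    """Map a verification error to a cause, else keep OpenSSL's own message."""
    code = getattr(err, "verify_code", None)
    return CAUSES.get(code, getattr(err, "verify_message", str(err)))


def probe(host, port, timeout=8):
    """Handshake as a strict client: system trust store, hostname check on."""
    ctx = ssl.create_default_context()
    try:
        if port == 587:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            try:
                smtp.starttls(context=ctx)
            finally:
                smtp.close()
        else:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    pass
    except ssl.SSLCertVerificationError as err:
        return f"FAIL: {explain(err)}"
    except OSError as err:  # refused, timed out, no STARTTLS, other TLS errors
        return f"ERROR: {type(err).__name__}"
    return "OK"


if __name__ == "__main__":
    import sys
    for port, service in PORTS.items():
        print(f"{port:>4} {service:<10} {probe(sys.argv[1], port)}")
```

Run it with the exact hostname your mail clients use, since the hostname check is part of what it tests.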
Frequently Asked Questions
In the Kerio Connect administration console, go to Configuration > SSL Certificates. That screen is where you import the signed certificate from your CA, set it as the default, and review the certificates already on the server.
The Import Signed Certificate from CA option is only available when a matching certificate request exists on the same server. If you generated the CSR somewhere else, Kerio Connect has no private key to pair the signed certificate with, so the option stays disabled. Generate the CSR inside Kerio Connect first, or use the import option that lets you supply the certificate together with its private key in PEM format.
Yes, in most cases. Restart Kerio Connect after you set the certificate as default and add the intermediate chain so the new certificate is served. A restart is also needed after a renewal or re-issue, even when the domain is unchanged, and whenever you add intermediates to the sslca folder.
Intermediate (CA) certificates go in the sslca folder, which should contain only intermediates. The default location is C:\Program Files\Kerio\MailServer\sslca on Windows, /usr/local/kerio/mailserver/sslca on macOS, and /opt/kerio/mailserver/sslca on Linux. Alternatively, you can append the intermediate to your server certificate file and import the combined file instead.
The most common cause is a missing intermediate certificate; the server certificate alone is not enough. Confirm you added the full chain (Step 3) and restarted the server, then re-test. Also check that clients connect using the exact hostname listed in the certificate, since a mismatch between the address and the certificate’s common name or SAN triggers a warning too.


