How to import an SSL certificate into MAILD

If you want SSL-based services to work properly, such as HTTPS://, SMTPS (ports 465 and 587), POP3S (port 995) and IMAP4S (port 993), you need a valid certificate. Both paid and free certificates can be applied for online.

Free certificate: ZEROSSL (requires a mailbox at that domain for verification)

Free certificate: CertBot (requires a WWW site or DNS record for that domain for verification)

Paid certificate: COMODO SSL

Free certificate: ZEROSSL

1. Follow the steps on the ZEROSSL website and enter your domain. It only allows one name, so make sure it is the host name your services actually use. For example, if your MX record points to mail.ooxx.com, enter mail.ooxx.com.

2. It will ask you for the administrator mailbox of that domain to perform verification, so have that mailbox ready. After verification the certificate is generated; the downloaded zip contains the following files.

3. Rename the files:
private.key: rename to privkey.pem
certificate.crt: rename to cert.pem
ca_bundle.crt: rename to cacert.pem

Put the three files privkey.pem, cert.pem and cacert.pem into the RaidenMAILD\SSL directory, overwriting the old files, and restart the service to apply the certificate.


Free certificate: CertBot

1. Before you begin, decide which validation method to use. There are two: http and dns. Unless your DNS changes take effect within a few minutes of being made (as with GoDaddy, for example), the http method is recommended; it requires that you have a website at www.xxxxxx.com on which you can create directories and files for the verification. (For dns validation, see the official documentation.)

2. Download the CertBot installer from the CertBot website. The default installation path is C:\Program Files (x86)\CertBot. Open a DOS prompt (command prompt), change to C:\Program Files (x86)\CertBot\Bin and run the following command (using my own site as the example):

certbot certonly --manual --key-type rsa --preferred-challenges http -m arnor@raidenmaild.com -d www.raidenmaild.com

Note 1 (-m): replace arnor@raidenmaild.com with the e-mail address that should receive notices.
Note 2 (-d): replace www.raidenmaild.com with the host name in your domain's MX record. For example, if the MX of abc.com is mail.abc.com, request a certificate whose CN is mail.abc.com.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for www.raidenmaild.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

u2w5eHjQhmxJxGjk_rl8nHJwPRhcoFOylHt9ImWUlTI.MqsXsQ8Q-yjqAbhhkEFoasLYhRVruWUIkptzXh9us50

And make it available on your web server at this URL:

http://www.raidenmaild.com/.well-known/acme-challenge/u2w5eHjQhmxJxGjk_rl8nHJwPRhcoFOylHt9ImWUlTI

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Stop at this step: the verification file has to be created on the website before you continue.

In the root directory of the www.raidenmaild.com site, create a .well-known directory (if File Explorer refuses to create a directory whose name starts with a dot, open a DOS prompt and run mkdir .well-known). Inside .well-known create an acme-challenge directory, and in that directory create a text file whose content is
u2w5eHjQhmxJxGjk_rl8nHJwPRhcoFOylHt9ImWUlTI.MqsXsQ8Q-yjqAbhhkEFoasLYhRVruWUIkptzXh9us50
then rename the file to u2w5eHjQhmxJxGjk_rl8nHJwPRhcoFOylHt9ImWUlTI

When that is done, first confirm that http://www.raidenmaild.com/.well-known/acme-challenge/u2w5eHjQhmxJxGjk_rl8nHJwPRhcoFOylHt9ImWUlTI actually returns the file. Once confirmed, go back to the DOS prompt and press Enter to start the validation. When it completes you will get the following response:
Successfully received certificate.
Certificate is saved at: C:\Certbot\live\www.raidenmaild.com\fullchain.pem
Key is saved at:         C:\Certbot\live\www.raidenmaild.com\privkey.pem
This certificate expires on 2022-10-27.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
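The verification-file step above (create .well-known/acme-challenge/<token> in the web root, then confirm the URL before pressing Enter), as an added example that is not part of the original article or of Certbot: write_challenge creates the file from the token.thumbprint line Certbot prints, and check_served fetches it over HTTP the way the CA does and compares the body. The webroot and host arguments are the reader's own values.

```python
"""Added example, not from the RaidenMAILD article or Certbot: create and check
the HTTP-01 challenge file that certbot --manual asks for."""
import os
import re
import urllib.request

# Certbot prints "<token>.<account-key-thumbprint>"; both halves are base64url.
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_challenge(key_authz: str) -> str:
    """Return the token (which is also the file name) from Certbot's line.

    Raises ValueError if the line is not '<token>.<thumbprint>' in base64url.
    """
    token, sep, thumbprint = key_authz.strip().partition(".")
    if not sep or not _B64URL.match(token) or not _B64URL.match(thumbprint):
        raise ValueError("expected '<token>.<thumbprint>' in base64url form")
    return token


def write_challenge(webroot: str, key_authz: str) -> str:
    """Create webroot/.well-known/acme-challenge/<token> holding key_authz.

    os.makedirs creates the leading-dot directory Explorer refuses to make;
    the body is plain ASCII with no trailing newline. Returns the file path.
    """
    token = parse_challenge(key_authz)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "wb") as fh:
        fh.write(key_authz.strip().encode("ascii"))
    return path


def check_served(host: str, key_authz: str, timeout: float = 10.0) -> bool:
    """Fetch the challenge over plain HTTP, as the CA will, and compare it.

    Trailing whitespace is ignored, as RFC 8555 says validators should do.
    Run this before pressing Enter in the certbot prompt.
    """
    token = parse_challenge(key_authz)
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("ascii", errors="replace")
    return body.rstrip() == key_authz.strip()
```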

You can see that the files are stored under the C:\CertBot directory. Inside /archive/www.raidenmaild.com/ you will find the following files:
cert.pem: the server certificate itself
privkey.pem: the private key of the server certificate
chain.pem: the intermediate certificate
fullchain.pem: the full certificate chain

Rename chain.pem to cacert.pem and copy it, together with cert.pem and privkey.pem (three files in total), to the <RaidenMAILD>\SSL directory, overwriting the files of the same name; then restart the service to apply them and you are done. Because each certificate is valid for three months, you can run the command once more within the next three months to renew it, and you do not need to create the verification file again.

certbot certonly --manual --key-type rsa --preferred-challenges http -m arnor@raidenmaild.com -d www.raidenmaild.com

Note 1 (-m): replace arnor@raidenmaild.com with the e-mail address that should receive notices.
Note 2 (-d): replace www.raidenmaild.com with the host name in your domain's MX record. For example, if the MX of abc.com is mail.abc.com, request a certificate whose CN is mail.abc.com.

Saving debug log to C:\Certbot\log\letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: C:\Certbot\renewal\www.raidenmaild.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for www.raidenmaild.com

Successfully received certificate.
Certificate is saved at: C:\Certbot\live\www.raidenmaild.com\fullchain.pem
Key is saved at:         C:\Certbot\live\www.raidenmaild.com\privkey.pem
This certificate expires on 2022-10-27.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


It reminds you that a certificate already exists and asks whether to keep the existing one or issue a new one. Choosing 2 generates a new certificate directly into C:\CertBot\archive\www.raidenmaild.com. Each issuance appends a number to the file names, e.g. cert1.pem, cert2.pem, and so on in sequence. Copy the files to the <RaidenMAILD>\SSL directory following RaidenMAILD's SSL file-naming rule, then restart the RaidenMAILD service.



Paid certificate: COMODO SSL

1. The COMODO website requires you to first generate a CSR (Certificate Signing Request). Generate it here. Note that the Common Name must be the server address that users should use to connect to the server, usually your MX record. The data produced after filling in the form has two parts: the CSR at the top and your private key at the bottom. Copy the entire content into a text file; we will need it in a moment.

2. When asked to paste the CSR, paste that part of the data you just saved.

3. Save the private-key part at the bottom into a new text file named privkey.pem and put it in the <RaidenMAILD>\SSL directory.

4. Once the certificate is issued, the downloaded files look roughly like this:

<domain name>.crt: rename to cert.pem
SectigoRSADomainValidationSecureServerCA.crt: rename to cacert.pem

Then put the two files cert.pem and cacert.pem into the <RaidenMAILD>\SSL directory.

5. After steps 3 and 4, restart the MAILD service to apply the certificate.

PS: All of the above files must be saved with ANSI encoding. If the certificate fails to load with the error no start line, simply re-save the files with ANSI encoding.
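As an added example (not RaidenMAILD's or Certbot's own code), the script below automates the copy step from the CertBot section and the encoding fix from the PS: it picks the newest certN.pem/privkeyN.pem/chainN.pem set from the Certbot archive directory, strips a UTF-8 BOM or decodes UTF-16 (the usual reasons OpenSSL reports "no start line"), and writes plain ASCII files under the names RaidenMAILD expects. The archive and SSL directory paths are parameters; NAME_MAP follows the renaming the article describes.

```python
"""Added example, not RaidenMAILD's or Certbot's code: copy the newest Certbot
archive files into the MAILD SSL directory as plain ASCII PEM."""
import os
import re

# Certbot archive base name -> file name RaidenMAILD loads (chain -> cacert).
NAME_MAP = {"cert": "cert.pem", "privkey": "privkey.pem", "chain": "cacert.pem"}


def normalize_pem(raw: bytes) -> bytes:
    """Return PEM data as ASCII with LF line endings.
    Strips a UTF-8 BOM or decodes UTF-16 (Notepad's "Unicode"), the usual causes
    of OpenSSL's 'no start line'; raises ValueError if no -----BEGIN line follows.
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")      # BOM selects the byte order
    else:
        text = raw.decode("utf-8-sig")   # silently drops an EF BB BF BOM
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("PEM data does not start with a -----BEGIN line")
    if not lines[-1].startswith("-----END "):
        raise ValueError("PEM data does not end with an -----END line")
    return ("\n".join(lines) + "\n").encode("ascii")  # non-ASCII -> error


def latest_index(archive_dir: str) -> int:
    """Highest N among cert1.pem, cert2.pem, ... that Certbot keeps in archive/."""
    nums = [int(m.group(1)) for f in os.listdir(archive_dir)
            if (m := re.fullmatch(r"cert(\d+)\.pem", f))]
    if not nums:
        raise FileNotFoundError(f"no certN.pem files in {archive_dir}")
    return max(nums)


def install_certs(archive_dir: str, ssl_dir: str) -> dict:
    """Write cert.pem, privkey.pem and cacert.pem into ssl_dir from the newest
    archive set. Returns {destination file name: bytes written}."""
    n = latest_index(archive_dir)
    os.makedirs(ssl_dir, exist_ok=True)
    written = {}
    for src, dst in NAME_MAP.items():
        with open(os.path.join(archive_dir, f"{src}{n}.pem"), "rb") as fh:
            data = normalize_pem(fh.read())
        with open(os.path.join(ssl_dir, dst), "wb") as fh:
            fh.write(data)
        written[dst] = data
    return written
```

Restart the RaidenMAILD service after the copy, as the article says; the script only prepares the files.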

 

 

Thank you for reading this article.



Copyright © RaidenMAILD TEAM
