
From: robpur
Date: 11/30/15 12:05 AM
Topic: SSL Free and Easy
Type: Installation

I recently installed Xeams on Ubuntu and was looking over the official docs on how to install a new SSL certificate http://www.xeams.com/usingssl.htm

I can follow the command line directions but it seemed to me that there could be an easier way. Within Xeams, on the Keystore Parameters page, option 3 talks about how to import a certificate from an IIS server, and it mentions using a PKCS12 certificate. If that's the case then I figured I could just create the PKCS12 certificate and install.

To get to the Xeams Keystore Parameters page, click on Server Configuration and select SMTP Configuration from the drop-down. On the SMTP Server Configuration page, click the gear icon on the Enable STARTTLS line.

Certificates can be expensive, but StartSSL provides class 1 (lower trust level) certificates for free. Simply sign up, become verified, and then build your certificates with their web interface. No need to create a CSR (certificate signing request) and send it to a certificate authority. The StartSSL website isn't the most intuitive, but it's worthwhile to spend some time figuring it out. I'm currently using free StartSSL certs for a couple of IM servers, Zimbra, Astaro, ScreenConnect, and Xeams. I used self-signed certificates for years, but it's nice to have a free source of signed certificates.

Once your StartSSL account is established you can move on to creating your first certificate. For Xeams use the web server certificate option. This process will produce a private key file, and a certificate. To create the PKCS12 certificate you will need these two files, along with the password you specified during the certificate creation process.

On the StartSSL page select the Tool Box tab and then select Create PKCS#12 (PFX) File. You will need to copy and paste your private key and your certificate into the text boxes, and also enter your password. You will then be able to download your new PKCS12 certificate.

The certificate will have a wacky name. I renamed mine to my domain name with a p12 extension (xeams.mydomain.com.p12), but the name isn't important. Copy the certificate into the Xeams config folder and then enter the path and file name on the Keystore Parameters page. In my case it was config/xeams.mydomain.com.p12. Enter the password used when creating the certificate, and select PKCS12 for the Keystore type. Click Save and restart the server. No need to edit any configuration files.

I'm not an expert on Xeams or certificates, but this method appears to have worked for me. I can now connect to the Xeams web interface using HTTPS without the browser complaining, and MXToolbox says that TLS is enabled. If anyone sees a potential problem with how I've obtained and installed my certificate then please let me know.

After I figured out that a PKCS12 certificate could be used, it was pretty easy for me to create the certificate and get it installed because I had previously spent time figuring out StartSSL's website and certificate creation process. I'm sure it will be more work for someone starting from scratch. While researching the use of SSL certificates in Xeams I came across an option that I would like to mention. Synametrics, the company that produces Xeams, will obtain and install a certificate on your behalf for $39 plus the cost of the certificate. So if you get stuck then there's a reasonably priced support option. Regular support is $799 a year, or $299 per request. Comparatively, $39 is cheap to get help. http://www.xeams.com/help4ssl.htm


Rob
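
The key-plus-certificate bundling step described in the post above can also be done locally with OpenSSL and checked before the file is handed to Xeams. This is an added example, not part of the original post or the Xeams documentation; the host name, file names and password are constructed, a self-signed pair stands in for the CA-issued files, and the private key is assumed to be an unencrypted PEM file.

```bash
#!/usr/bin/env bash
# Added example. Host name, file names and password are constructed samples.

# Constructed stand-in for the CA-issued key and certificate (self-signed).
make_sample_pair() {  # DIR HOST
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Succeeds only if the certificate carries the public half of the private key.
key_matches_cert() {  # KEY CERT
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key + certificate into a PKCS12 file; the password is passed through
# the environment so it does not show up in the process list.
make_p12() {  # KEY CERT OUT PASSWORD
  key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
  P12_PASS="$4" openssl pkcs12 -export -inkey "$1" -in "$2" -name xeams \
    -out "$3" -passout env:P12_PASS || return 1
  chmod 600 "$3"   # the file contains the private key
}

# Open the keystore with the password, as the server will, and confirm the
# certificate inside is unexpired and issued for the expected host name.
check_p12() {  # P12 PASSWORD HOST
  local subj
  subj=$(P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
           -nokeys -clcerts 2>/dev/null |
         openssl x509 -noout -subject -checkend 0 2>/dev/null) || return 1
  case "$subj" in
    *"CN = $3"*|*"CN=$3"*) return 0 ;;
    *) return 1 ;;
  esac
}

dir=$(mktemp -d)
host=xeams.example.test
make_sample_pair "$dir" "$host"
make_p12 "$dir/server.key" "$dir/server.crt" "$dir/$host.p12" 'sample-pass' &&
  check_p12 "$dir/$host.p12" 'sample-pass' "$host" &&
  echo "keystore OK: $dir/$host.p12"
```
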

From: Raffaele
Date: 7/8/16 10:03 AM
Topic: SSL Free and Easy
Type: Installation

Thanks, I followed your instructions and it works perfectly (HTTPS web and mail).
