Cone can use SSL certificate authentication, in lieu of a userid and a password, for logging into a POP3 or an IMAP mailbox, or for sending mail using authenticated SMTP, if this functionality is supported by the server.

A master password must be set up before installing SSL certificates. See Master Passwords. Setting up SSL certificates is a two-step process. First, the SSL certificte must be imported into Cone. Then, the mail account is configured to use SSL certificate authentication.

Pressing C from the main menu opens the certificate import screen. Press I to import a certificate, then choose the filename using the following dialogs.

The file with the SSL certificate must be a PEM-formatted certificate file that holds both the certificate and the corresponding key. The file should have a BEGIN CERTIFICATE section followed by a BEGIN RSA PRIVATE KEY section (or a BEGIN DH PRIVATE KEY section). Passphrase-protected keys are not supported by Cone. If the SSL certificate is signed by an intermediate certificate authority, the authority's certificate should follow the private key section.

The certificate screen shows a list of all imported certificates. A default name is initially given to an imported certificate, based on its subject. Press R to rename a certificate. Press D to delete a certificate.

Importing at least one certificate activates an account option for choosing an SSL certificate. The new button appears on the New Account (and the Edit Account) screen. The button also appears on the main Setup screen, below the SMTP server's name. Choosing the button pops up a list of imported SSL certificates to choose from.

Renewing SSL certificates

An additional prompt is issued when importing a certificate with a name matching the name of one of the existing certificates. Confirm the prompt to replace the existing certificate with the new one. All accounts that use that certificate for authenticating are automatically updated.

To effectively renew a certificate in this manner, the new certificate's name must match the name of an existing certificate, exactly.