Apparently it doesn't like the certificate chain of the CA. While Kopano / Outlook explicitly requires the full chain, Grommunio webapp expects a single certificate only. Similar to Kopano, I actually expected that it would require the full chain + key pair. The error message "Unable to decrypt the certificate" is really misleading.
purchased.pfx = the file you got from your CA
full.pem = contains both, public and private key
privkey.pem = contains the private key only
cert.pem = contains the public key only
grommunio.pfx = pkcs12 file for webapp
Extract the public and private key:
#openssl pkcs12 -in purchased.pfx -clcerts -nodes -out full.pem
Get the private key:
#openssl rsa -in full.pem -out privkey.pem
Get the public key:
#openssl x509 -in full.pem -out cert.pem
Create a new pkcs12 file:
#openssl pkcs12 -inkey privkey.pem -in cert.pem -export -out grommunio.pfx
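Added example, not part of the original post: a small shell check that a PKCS#12 file holds exactly one certificate and that this certificate belongs to the bundled private key, which is the single-certificate condition described above. The script name check_p12.sh, the function names and the P12_PASS variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: inspect a PKCS#12 file before uploading it to the webapp.
# The export password is read from the environment variable P12_PASS
# (an assumption of this sketch) so it does not appear in the process list.

# Print how many certificates the PKCS#12 file $1 contains.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Succeed only if the leaf certificate in $1 carries the same public key
# as the private key stored next to it.
p12_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: P12_PASS='export password' sh check_p12.sh grommunio.pfx
if [ "$#" -ge 1 ]; then
    count=$(p12_cert_count "$1")
    echo "certificates in $1: $count"
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one certificate (no CA chain)" >&2
    fi
    if p12_key_matches_cert "$1"; then
        echo "certificate matches the private key"
    else
        echo "certificate does NOT match the private key" >&2
    fi
fi
```

A count greater than one means the CA chain is still inside the file.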