Ajcody-Notes-SSLCerts: Difference between revisions
m (Ajcody-Notes-CACertOrg moved to Ajcody-Notes-SSLCerts: expanding topic) |
mNo edit summary |
||
Line 1: | Line 1: | ||
== | ==SSL Certificate Issues== | ||
== | ==Resources For SSL Certificates== | ||
===CaCert.Org References=== | ==Actual SSL Certificate Issues Homepage== | ||
Please see [Ajcody-Notes-SSLCerts]] | |||
===How To Setup Certs With CACert.org - Free Certs=== | |||
====CaCert.Org References==== | |||
Free Certs with http://www.cacert.org/ | Free Certs with http://www.cacert.org/ | ||
===How-To (tested on 5.0.2)=== | ====How-To (tested on 5.0.2)==== | ||
Note, the following : | Note, the following : | ||
Line 17: | Line 22: | ||
included in all steps in case someone is skipping through instructions. | included in all steps in case someone is skipping through instructions. | ||
====Clean up and start fresh==== | =====Clean up and start fresh===== | ||
su - root | su - root | ||
Line 24: | Line 29: | ||
rm -rf * | rm -rf * | ||
====Generate new csr==== | =====Generate new csr===== | ||
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | ||
Line 33: | Line 38: | ||
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com" | /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com" | ||
====Confirm==== | =====Confirm===== | ||
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | ||
Line 55: | Line 60: | ||
-----END CERTIFICATE REQUEST----- | -----END CERTIFICATE REQUEST----- | ||
====Sign up for cacert.org use==== | =====Sign up for cacert.org use===== | ||
Goto http://www.cacert.org/ | Goto http://www.cacert.org/ | ||
Line 65: | Line 70: | ||
Add a domain , it will send an email to some "admin" account to the domain. Make sure you can get it before you do this. | Add a domain , it will send an email to some "admin" account to the domain. Make sure you can get it before you do this. | ||
====Get New Server Certificate==== | =====Get New Server Certificate===== | ||
Now do a New Server Certificate from your administration page at http://www.cacert.org/ | Now do a New Server Certificate from your administration page at http://www.cacert.org/ | ||
Line 103: | Line 108: | ||
-----END CERTIFICATE----- | -----END CERTIFICATE----- | ||
====Get Root CA's==== | =====Get Root CA's===== | ||
Root CA certs are found here : https://www.cacert.org/index.php?id=3 | Root CA certs are found here : https://www.cacert.org/index.php?id=3 | ||
Line 113: | Line 118: | ||
mv root.crt commercial_ca.crt | mv root.crt commercial_ca.crt | ||
====Verify==== | =====Verify===== | ||
Let's verify all is good. | Let's verify all is good. | ||
Line 126: | Line 131: | ||
Valid Certificate: commercial.crt: OK | Valid Certificate: commercial.crt: OK | ||
=====Errors - Double check time===== | ======Errors - Double check time====== | ||
* Date [is it wrong?] | * Date [is it wrong?] | ||
Line 145: | Line 150: | ||
*** <pre>/etc/init.d/ntpd start</pre> | *** <pre>/etc/init.d/ntpd start</pre> | ||
===Deploy CA=== | ====Deploy CA==== | ||
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | ||
Line 151: | Line 156: | ||
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt | /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt | ||
===Restart the webserver=== | ====Restart the webserver==== | ||
su - zimbra | su - zimbra |
Revision as of 18:33, 23 September 2008
SSL Certificate Issues
Resources For SSL Certificates
Actual SSL Certificate Issues Homepage
Please see [Ajcody-Notes-SSLCerts]]
How To Setup Certs With CACert.org - Free Certs
CaCert.Org References
Free Certs with http://www.cacert.org/
How-To (tested on 5.0.2)
Note, the following :
su - root ; cd /opt/zimbra/ssl/zimbra/commercial/
included in all steps in case someone is skipping through instructions.
Clean up and start fresh
su - root cd /opt/zimbra/ssl/zimbra/commercial/ tar -czvf /tmp/ssl.commercial.backup.tar.gz * rm -rf *
Generate new csr
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] /opt/zimbra/bin/zmcertmgr createcsr comm -new
This uses the defaults, note the items to change.
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com"
Confirm
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] ls -la
There should only be two files and time/date should match - commercial.csr & commercial.key
cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr -----BEGIN CERTIFICATE REQUEST----- [delete]CCAWwCAQAwgZkxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNOL0ExDDAKBgNV [delete]4vQTEjMCEGA1UEChMaWmltYnJhIENvbGxhYm9yYXRpb24gU3VpdGUxIzAh [delete]AsTGlppbWJyYSBDb2xsYWJvcmF0aW9uIFN1aXRlMSQwIgYDVQQDExttYWls [delete]nRlcm5hbC5ob21ldW5peC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ [delete]AOri9/m6RtM1vASBROPgLvkUYybwf2WDI2xTdKUuAMI0rTpMH1IzjPRP/J+m [delete]RQTiJe1mRX3rJCy3qVooVzsLe2yJ1+rs3FzLSfQhazK6PqMD8GhpqHO0Y75 [delete]LEA/qdOCrTFjosO9C3j3WPCW8lutTxf/QsoKGkIVs5tjAgMBAAGgKTAnBgkq [delete]0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEB [delete]A4GBAKMLVFilRjI9xvU/vZmP69yReVZyxa5YVpF/cEvwFwbOU6E4USkdONGT [delete]DRj1XxfzYD+CDf8TVuTY4tapaLvKPRUtdd/mM1PidY5t126QAObyKjHBRzy [delete]RJFQeP+0ktxcYJ99+sfiescwR/qzPJM58i6daqmMamQBZi -----END CERTIFICATE REQUEST-----
Sign up for cacert.org use
Sign up - https://www.cacert.org/index.php?id=1
Verify the email the confirmation email.
Add a domain , it will send an email to some "admin" account to the domain. Make sure you can get it before you do this.
Get New Server Certificate
Now do a New Server Certificate from your administration page at http://www.cacert.org/
You'll copy in the /opt/zimbra/ssl/zimbra/commercial/commercial.csr contents in window [all of it].
It'll generate your cert. on the webpage.
Copy this onto the server [paste in cert details]:
vi /opt/zimbra/ssl/zimbra/commercial/commercial.crt -----BEGIN CERTIFICATE----- [delete]TCCAl2gAwIBAgIDBPRRMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv [delete]0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ [delete]2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y [delete]NlcnQub3JnMB4XDTA4MDQxMTIwMjQzNloXDTA4MTAwODIwMjQzNlowJjEk [delete]1UEAxMbbWFpbDMuaW50ZXJuYWwuaG9tZXVuaXguY29tMIGfMA0GCSqGSIb3 [delete]AQUAA4GNADCBiQKBgQDq4vf5ukbTNbwEgUTj4C75FGMm8H9lgyNsU3SlLgDC [delete]B9SM4z0T/yfpoZc3yUUE4iXtZkV96yQst6laKFc7C3tsidfq7Nxcy0n0IWs [delete]BoaahztGO+ZgsfCxAP6nTgq0xY6LDvQt491jwlvJbrU8X/0LKChpCFbOb [delete]QABo4HcMIHZMAwGA1UdEwEB/wQCMAAwNAYDVR0lBC0wKwYIKwYBBQUHAwIG [delete]QUFBwMBBglghkgBhvhCBAEGCisGAQQBgjcKAwMwCwYDVR0PBAQDAgWgMDMG [delete]QUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuY2FjZXJ0Lm9y [delete]QYDVR0RBEowSIIbbWFpbDMuaW50ZXJuYWwuaG9tZXVuaXguY29toCkGCCsG [delete]wgFoB0MG21haWwzLmludGVybmFsLmhvbWV1bml4LmNvbTANBgkqhkiG9w0B [delete]AAOCAgEANzr/jRcEd5BF2QqF+X8deq4Xxp1tN9lFgji38C5ixNJ+Busq9Sk5 [delete]O7YYJQbSf5K14eZyC1jaNEOEwqgzFiM1HRWL1HCca3EM7TXUoH8sMXS1Ng [delete]M5oyfQcFWZYa22CtKQANQEX5l7EYNkr0yvD/YnP02l3hk1jZr+3pszCW6Iw [delete]vabHMYcAXus+iOGgws788QsMaqzoZwla1AaacZ98s0lFAR0xdRiuXCHUFz [delete]meS5sK+med95/z+Mb6ShJzC7KAi1nfZk9CoNHUHVxMis5Cr+GT7MoIvhQ [delete]8fkiANQQoEgam37lyHezPKyc6iLxW4ag2PWKrZa2+3pyTg/6aHKxZR325z [delete]kcdwKYo/eUGaN1tNmsY638N4hCz01FHHKr97W0m4u5wtwKBo4/5Gy9e5nG6 [delete]khOyjfOz6VYvZHNqDaqGJwsxitxSGGDc8bA+9d73RCOFuztwVrKYg5OJ [delete]Ei5C9gWzee7AmoGpgxOrYjgBrx4nuBw71EFzgKSOZqxUxSNiLuGAx+oVd2 [delete]Z4EAPsa90ZNb0mLGagAuTAdccekOqPVnyZrqiINelY7fpAAUvO9rgTSB9A [delete]RxUydTgY1jyBtoXjp59HMVbCkAtOtX43NqIhPYJNPeSoyw/5SU= -----END CERTIFICATE-----
Get Root CA's
Root CA certs are found here : https://www.cacert.org/index.php?id=3
Do the following on the server:
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] wget http://www.cacert.org/certs/root.crt mv root.crt commercial_ca.crt
Verify
Let's verify all is good.
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
Giving something like this:
** Verifying commercial.crt against commercial.key Certificate (commercial.crt) and private key (commercial.key) match. Valid Certificate: commercial.crt: OK
Errors - Double check time
- Date [is it wrong?]
- Install ntpd if it's not
- Stop ntpd :
/etc/init.d/ntpd stop
- Set time with :
ntpdate us.pool.ntp.org
- Confirm time change :
date
- Confirm hardware clock time :
hwclock
- Sync hardware clock time :
hwclock --systohc
- Confirm hardware clock time :
hwclock
- Start ntpd now :
/etc/init.d/ntpd start
Deploy CA
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt
Restart the webserver
su - zimbra zmmailboxdctl restart