Difference between revisions of "Ajcody-Notes-SSLCerts"

m (Ajcody-Notes-CACertOrg moved to Ajcody-Notes-SSLCerts: expanding topic)
Line 1: Line 1:
==How To Setup Certs With CACert.org - Free Certs==
+
==SSL Certificate Issues==
  
===Actual CACert.Org Notes Homepage===
+
==Resources For SSL Certificates==
  
Please see [[Ajcody-Notes-CACertOrg]]
 
  
===CaCert.Org References===
+
==Actual SSL Certificate Issues Homepage==
 +
 
 +
Please see [Ajcody-Notes-SSLCerts]]
 +
 
 +
===How To Setup Certs With CACert.org - Free Certs===
 +
 
 +
====CaCert.Org References====
  
 
Free Certs with http://www.cacert.org/  
 
Free Certs with http://www.cacert.org/  
  
===How-To (tested on 5.0.2)===
+
====How-To (tested on 5.0.2)====
  
 
Note, the following :
 
Note, the following :
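Review bot: the added line "Please see [Ajcody-Notes-SSLCerts]]" has unbalanced brackets (one opening, two closing), so it will not render as an internal link; it should read [[Ajcody-Notes-SSLCerts]]. Since this page was moved to Ajcody-Notes-SSLCerts, that link also points at the page itself, whereas the line it replaces pointed at Ajcody-Notes-CACertOrg; please confirm which target the "Actual SSL Certificate Issues Homepage" section is meant to reference.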
Line 17: Line 22:
 
included in all steps in case someone is skipping through instructions.
 
included in all steps in case someone is skipping through instructions.
  
====Clean up and start fresh====
+
=====Clean up and start fresh=====
  
 
  su - root
 
  su - root
Line 24: Line 29:
 
  rm -rf *
 
  rm -rf *
  
====Generate new csr====
+
=====Generate new csr=====
  
 
  [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
 
  [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
Line 33: Line 38:
 
  /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com"
 
  /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com"
  
====Confirm====
+
=====Confirm=====
  
 
  [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
 
  [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
Line 55: Line 60:
 
   -----END CERTIFICATE REQUEST-----
 
   -----END CERTIFICATE REQUEST-----
  
====Sign up for cacert.org use====
+
=====Sign up for cacert.org use=====
  
 
Goto http://www.cacert.org/
 
Goto http://www.cacert.org/
Line 65: Line 70:
 
Add a domain , it will send an email to some "admin" account to the domain. Make sure you can get it before you do this.
 
Add a domain , it will send an email to some "admin" account to the domain. Make sure you can get it before you do this.
  
====Get New Server Certificate====
+
=====Get New Server Certificate=====
  
 
Now do a New Server Certificate from your administration page at http://www.cacert.org/
 
Now do a New Server Certificate from your administration page at http://www.cacert.org/
Line 103: Line 108:
 
  -----END CERTIFICATE-----
 
  -----END CERTIFICATE-----
  
====Get Root CA's====
+
=====Get Root CA's=====
  
 
Root CA certs are found here  :  https://www.cacert.org/index.php?id=3
 
Root CA certs are found here  :  https://www.cacert.org/index.php?id=3
Line 113: Line 118:
 
  mv root.crt commercial_ca.crt
 
  mv root.crt commercial_ca.crt
  
====Verify====
+
=====Verify=====
  
 
Let's verify all is good.
 
Let's verify all is good.
Line 126: Line 131:
 
  Valid Certificate: commercial.crt: OK
 
  Valid Certificate: commercial.crt: OK
  
=====Errors - Double check time=====
+
======Errors - Double check time======
  
 
* Date  [is it wrong?]
 
* Date  [is it wrong?]
Line 145: Line 150:
 
*** <pre>/etc/init.d/ntpd start</pre>
 
*** <pre>/etc/init.d/ntpd start</pre>
  
===Deploy CA===
+
====Deploy CA====
  
 
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
 
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
Line 151: Line 156:
 
  /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt
 
  /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt
  
===Restart the webserver===
+
====Restart the webserver====
  
 
  su - zimbra
 
  su - zimbra

Revision as of 18:33, 23 September 2008

SSL Certificate Issues

Resources For SSL Certificates

Actual SSL Certificate Issues Homepage

Please see [[Ajcody-Notes-SSLCerts]]

How To Setup Certs With CACert.org - Free Certs

CaCert.Org References

Free Certs with http://www.cacert.org/

How-To (tested on 5.0.2)

Note: the following is included in all steps, in case someone is skipping through the instructions:

su - root ; cd /opt/zimbra/ssl/zimbra/commercial/

Clean up and start fresh

su - root
cd /opt/zimbra/ssl/zimbra/commercial/
# back up whatever is in the directory (this can include the old private key), then empty it
tar -czvf /tmp/ssl.commercial.backup.tar.gz *
rm -rf *

Generate new csr

[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
/opt/zimbra/bin/zmcertmgr createcsr comm -new

This uses the defaults. To set your own values, note the items to change:

/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com"

Confirm

[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
ls -la

There should be only two files, commercial.csr and commercial.key, and their time/date should match.

cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr
 -----BEGIN CERTIFICATE REQUEST-----
 -----END CERTIFICATE REQUEST-----

Sign up for cacert.org use

Go to http://www.cacert.org/

Sign up - https://www.cacert.org/index.php?id=1

Verify the email via the confirmation email.

Add a domain. It will send an email to some "admin" account at the domain, so make sure you can receive it before you do this.

Get New Server Certificate

Now do a New Server Certificate from your administration page at http://www.cacert.org/

Copy the contents of /opt/zimbra/ssl/zimbra/commercial/commercial.csr into the window [all of it].

It'll generate your cert on the webpage.

Copy this onto the server [paste in cert details]:

vi /opt/zimbra/ssl/zimbra/commercial/commercial.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Get Root CA's

Root CA certs are found here: https://www.cacert.org/index.php?id=3

Do the following on the server:

[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
wget http://www.cacert.org/certs/root.crt
mv root.crt commercial_ca.crt

Verify

Let's verify all is good.

[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt

Giving something like this:

** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK

Errors - Double check time
  • Date [is it wrong?]
    • Install ntpd if it's not installed
    • Stop ntpd:
      • /etc/init.d/ntpd stop
    • Set time with:
      • ntpdate us.pool.ntp.org
    • Confirm time change:
      • date
    • Confirm hardware clock time:
      • hwclock
    • Sync hardware clock time:
      • hwclock --systohc
    • Confirm hardware clock time:
      • hwclock
    • Start ntpd now:
      • /etc/init.d/ntpd start
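
The "Get Root CA's", "Verify" and "Errors - Double check time" steps above can be cross-checked with plain openssl; this is an added example, not part of the original notes or of zmcertmgr. Because root.crt is fetched over plain HTTP, ca_matches_pin compares it with a fingerprint obtained separately, and chain_status tells a date problem apart from a wrong CA file. The function names and the PINNED placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical;
# run from /opt/zimbra/ssl/zimbra/commercial/ against the files created above.

# SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# $1 = downloaded CA file, $2 = fingerprint obtained over a separate trusted
# channel (colons, spaces and letter case are ignored).
ca_matches_pin() {
    actual=$(cert_fingerprint "$1")
    pinned=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$pinned" ]
}

# $1 = private key, $2 = certificate: they belong together when both yield
# the same public key.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# $1 = CA file, $2 = server certificate. Classifies the openssl verify text
# rather than its exit code, so date failures are told apart from a wrong CA.
chain_status() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || :
    case $out in
        *"not yet valid"*)          echo not-yet-valid ;;  # host clock behind?
        *"has expired"*)            echo expired ;;        # old cert or clock ahead
        *"unable to get"*"issuer"*) echo wrong-ca ;;
        *": OK")                    echo ok ;;
        *)                          echo error ;;
    esac
}

# Usage sketch; PINNED is a placeholder, not a real CAcert fingerprint:
#   PINNED='<sha256 fingerprint from a trusted source>'
#   ca_matches_pin root.crt "$PINNED" && mv root.crt commercial_ca.crt
#   key_matches_cert commercial.key commercial.crt && echo "key/cert match"
#   chain_status commercial_ca.crt commercial.crt
```

A not-yet-valid result on a freshly issued certificate is the case the time checks above are meant to resolve.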

Deploy CA

[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt

Restart the webserver

su - zimbra
zmmailboxdctl restart