Ajcody-Notes-SSLCerts: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 155: | Line 155: | ||
su - zimbra | su - zimbra | ||
zmmailboxdctl restart | zmmailboxdctl restart | ||
[[Category: Community Sandbox]] |
Revision as of 22:31, 24 July 2008
How To Setup Certs With CACert.org - Free Certs
Actual CACert.Org Notes Homepage
Please see Ajcody-Notes-CACertOrg
CaCert.Org References
Free Certs with http://www.cacert.org/
How-To (tested on 5.0.2)
Note, the following :
su - root ; cd /opt/zimbra/ssl/zimbra/commercial/
included in all steps in case someone is skipping through instructions.
Clean up and start fresh
su - root cd /opt/zimbra/ssl/zimbra/commercial/ tar -czvf /tmp/ssl.commercial.backup.tar.gz * rm -rf *
Generate new csr
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] /opt/zimbra/bin/zmcertmgr createcsr comm -new
This uses the defaults, note the items to change.
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com"
Confirm
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] ls -la
There should only be two files and time/date should match - commercial.csr & commercial.key
cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr -----BEGIN CERTIFICATE REQUEST----- [delete]CCAWwCAQAwgZkxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNOL0ExDDAKBgNV [delete]4vQTEjMCEGA1UEChMaWmltYnJhIENvbGxhYm9yYXRpb24gU3VpdGUxIzAh [delete]AsTGlppbWJyYSBDb2xsYWJvcmF0aW9uIFN1aXRlMSQwIgYDVQQDExttYWls [delete]nRlcm5hbC5ob21ldW5peC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ [delete]AOri9/m6RtM1vASBROPgLvkUYybwf2WDI2xTdKUuAMI0rTpMH1IzjPRP/J+m [delete]RQTiJe1mRX3rJCy3qVooVzsLe2yJ1+rs3FzLSfQhazK6PqMD8GhpqHO0Y75 [delete]LEA/qdOCrTFjosO9C3j3WPCW8lutTxf/QsoKGkIVs5tjAgMBAAGgKTAnBgkq [delete]0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEB [delete]A4GBAKMLVFilRjI9xvU/vZmP69yReVZyxa5YVpF/cEvwFwbOU6E4USkdONGT [delete]DRj1XxfzYD+CDf8TVuTY4tapaLvKPRUtdd/mM1PidY5t126QAObyKjHBRzy [delete]RJFQeP+0ktxcYJ99+sfiescwR/qzPJM58i6daqmMamQBZi -----END CERTIFICATE REQUEST-----
Sign up for cacert.org use
Sign up - https://www.cacert.org/index.php?id=1
Verify the email the confirmation email.
Add a domain , it will send an email to some "admin" account to the domain. Make sure you can get it before you do this.
Get New Server Certificate
Now do a New Server Certificate from your administration page at http://www.cacert.org/
You'll copy in the /opt/zimbra/ssl/zimbra/commercial/commercial.csr contents in window [all of it].
It'll generate your cert. on the webpage.
Copy this onto the server [paste in cert details]:
vi /opt/zimbra/ssl/zimbra/commercial/commercial.crt -----BEGIN CERTIFICATE----- [delete]TCCAl2gAwIBAgIDBPRRMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv [delete]0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ [delete]2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y [delete]NlcnQub3JnMB4XDTA4MDQxMTIwMjQzNloXDTA4MTAwODIwMjQzNlowJjEk [delete]1UEAxMbbWFpbDMuaW50ZXJuYWwuaG9tZXVuaXguY29tMIGfMA0GCSqGSIb3 [delete]AQUAA4GNADCBiQKBgQDq4vf5ukbTNbwEgUTj4C75FGMm8H9lgyNsU3SlLgDC [delete]B9SM4z0T/yfpoZc3yUUE4iXtZkV96yQst6laKFc7C3tsidfq7Nxcy0n0IWs [delete]BoaahztGO+ZgsfCxAP6nTgq0xY6LDvQt491jwlvJbrU8X/0LKChpCFbOb [delete]QABo4HcMIHZMAwGA1UdEwEB/wQCMAAwNAYDVR0lBC0wKwYIKwYBBQUHAwIG [delete]QUFBwMBBglghkgBhvhCBAEGCisGAQQBgjcKAwMwCwYDVR0PBAQDAgWgMDMG [delete]QUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuY2FjZXJ0Lm9y [delete]QYDVR0RBEowSIIbbWFpbDMuaW50ZXJuYWwuaG9tZXVuaXguY29toCkGCCsG [delete]wgFoB0MG21haWwzLmludGVybmFsLmhvbWV1bml4LmNvbTANBgkqhkiG9w0B [delete]AAOCAgEANzr/jRcEd5BF2QqF+X8deq4Xxp1tN9lFgji38C5ixNJ+Busq9Sk5 [delete]O7YYJQbSf5K14eZyC1jaNEOEwqgzFiM1HRWL1HCca3EM7TXUoH8sMXS1Ng [delete]M5oyfQcFWZYa22CtKQANQEX5l7EYNkr0yvD/YnP02l3hk1jZr+3pszCW6Iw [delete]vabHMYcAXus+iOGgws788QsMaqzoZwla1AaacZ98s0lFAR0xdRiuXCHUFz [delete]meS5sK+med95/z+Mb6ShJzC7KAi1nfZk9CoNHUHVxMis5Cr+GT7MoIvhQ [delete]8fkiANQQoEgam37lyHezPKyc6iLxW4ag2PWKrZa2+3pyTg/6aHKxZR325z [delete]kcdwKYo/eUGaN1tNmsY638N4hCz01FHHKr97W0m4u5wtwKBo4/5Gy9e5nG6 [delete]khOyjfOz6VYvZHNqDaqGJwsxitxSGGDc8bA+9d73RCOFuztwVrKYg5OJ [delete]Ei5C9gWzee7AmoGpgxOrYjgBrx4nuBw71EFzgKSOZqxUxSNiLuGAx+oVd2 [delete]Z4EAPsa90ZNb0mLGagAuTAdccekOqPVnyZrqiINelY7fpAAUvO9rgTSB9A [delete]RxUydTgY1jyBtoXjp59HMVbCkAtOtX43NqIhPYJNPeSoyw/5SU= -----END CERTIFICATE-----
Get Root CA's
Root CA certs are found here : https://www.cacert.org/index.php?id=3
Do the following on the server:
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] wget http://www.cacert.org/certs/root.crt mv root.crt commercial_ca.crt
Verify
Let's verify all is good.
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
Giving something like this:
** Verifying commercial.crt against commercial.key Certificate (commercial.crt) and private key (commercial.key) match. Valid Certificate: commercial.crt: OK
Errors - Double check time
- Date [is it wrong?]
- Install ntpd if it's not
- Stop ntpd :
/etc/init.d/ntpd stop
- Set time with :
ntpdate us.pool.ntp.org
- Confirm time change :
date
- Confirm hardware clock time :
hwclock
- Sync hardware clock time :
hwclock --systohc
- Confirm hardware clock time :
hwclock
- Start ntpd now :
/etc/init.d/ntpd start
Deploy CA
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt
Restart the webserver
su - zimbra zmmailboxdctl restart