Ajcody-Notes-SSLCerts: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 1: | Line 1: | ||
==How To Setup Certs With CACert.org - Free Certs== | ==How To Setup Certs With CACert.org - Free Certs== | ||
==Actual CACert.Org Notes Homepage== | ===Actual CACert.Org Notes Homepage=== | ||
Please see [[Ajcody-Notes-CACertOrg]] | Please see [[Ajcody-Notes-CACertOrg]] | ||
==CaCert.Org References== | ===CaCert.Org References=== | ||
Free Certs with http://www.cacert.org/ | Free Certs with http://www.cacert.org/ | ||
==How-To (tested on 5.0.2)== | ===How-To (tested on 5.0.2)=== | ||
Note, the following : | Note, the following : | ||
Line 17: | Line 17: | ||
included in all steps in case someone is skipping through instructions. | included in all steps in case someone is skipping through instructions. | ||
===Clean up and start fresh=== | ====Clean up and start fresh==== | ||
su - root | su - root | ||
Line 24: | Line 24: | ||
rm -rf * | rm -rf * | ||
===Generate new csr=== | ====Generate new csr==== | ||
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | ||
Line 33: | Line 33: | ||
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com" | /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com" | ||
===Confirm=== | ====Confirm==== | ||
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | ||
Line 55: | Line 55: | ||
-----END CERTIFICATE REQUEST----- | -----END CERTIFICATE REQUEST----- | ||
===Sign up for cacert.org use=== | ====Sign up for cacert.org use==== | ||
Goto http://www.cacert.org/ | Goto http://www.cacert.org/ | ||
Line 65: | Line 65: | ||
Add a domain , it will send an email to some "admin" account to the domain. Make sure you can get it before you do this. | Add a domain , it will send an email to some "admin" account to the domain. Make sure you can get it before you do this. | ||
===Get New Server Certificate=== | ====Get New Server Certificate==== | ||
Now do a New Server Certificate from your administration page at http://www.cacert.org/ | Now do a New Server Certificate from your administration page at http://www.cacert.org/ | ||
Line 103: | Line 103: | ||
-----END CERTIFICATE----- | -----END CERTIFICATE----- | ||
===Get Root CA's=== | ====Get Root CA's==== | ||
Root CA certs are found here : https://www.cacert.org/index.php?id=3 | Root CA certs are found here : https://www.cacert.org/index.php?id=3 | ||
Line 113: | Line 113: | ||
mv root.crt commercial_ca.crt | mv root.crt commercial_ca.crt | ||
===Verify=== | ====Verify==== | ||
Let's verify all is good. | Let's verify all is good. | ||
Line 126: | Line 126: | ||
Valid Certificate: commercial.crt: OK | Valid Certificate: commercial.crt: OK | ||
====Errors - Double check time==== | =====Errors - Double check time===== | ||
* Date [is it wrong?] | * Date [is it wrong?] | ||
Line 145: | Line 145: | ||
*** <pre>/etc/init.d/ntpd start</pre> | *** <pre>/etc/init.d/ntpd start</pre> | ||
==Deploy CA== | ===Deploy CA=== | ||
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | [ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ] | ||
Line 151: | Line 151: | ||
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt | /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt | ||
==Restart the webserver== | ===Restart the webserver=== | ||
su - zimbra | su - zimbra | ||
zmmailboxdctl restart | zmmailboxdctl restart |
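Review bot: In the last two hunks, "Deploy CA" and "Restart the webserver" end up at === while every other step of the procedure ("Clean up and start fresh" through "Verify") moves to ====, so these two become siblings of "How-To (tested on 5.0.2)" instead of steps inside it. If they are meant to be the final steps of the how-to, make them ==== as well.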
Revision as of 14:20, 24 July 2008
How To Setup Certs With CACert.org - Free Certs
Actual CACert.Org Notes Homepage
Please see Ajcody-Notes-CACertOrg
CaCert.Org References
Free Certs with http://www.cacert.org/
How-To (tested on 5.0.2)
Note, the following:
su - root ; cd /opt/zimbra/ssl/zimbra/commercial/
is included in all steps in case someone is skipping through the instructions.
Clean up and start fresh
su - root
cd /opt/zimbra/ssl/zimbra/commercial/
tar -czvf /tmp/ssl.commercial.backup.tar.gz *
rm -rf *
Generate new csr
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
/opt/zimbra/bin/zmcertmgr createcsr comm -new
This uses the defaults; note the items to change:
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com"
Confirm
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
ls -la
There should be only two files, commercial.csr and commercial.key, and their time/date should match.
cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr
-----BEGIN CERTIFICATE REQUEST-----
[...]
-----END CERTIFICATE REQUEST-----
Sign up for cacert.org use
Sign up - https://www.cacert.org/index.php?id=1
Verify your email address using the confirmation email.
Add a domain; it will send an email to some "admin" account at the domain. Make sure you can receive it before you do this.
Get New Server Certificate
Now do a New Server Certificate from your administration page at http://www.cacert.org/
Copy the contents of /opt/zimbra/ssl/zimbra/commercial/commercial.csr into the window [all of it].
It'll generate your cert on the webpage.
Copy this onto the server [paste in cert details]:
vi /opt/zimbra/ssl/zimbra/commercial/commercial.crt
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Get Root CA's
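Root CA certs are found here: https://www.cacert.org/index.php?id=3
Do the following on the server:
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
wget http://www.cacert.org/certs/root.crt
mv root.crt commercial_ca.crt
The wget above fetches the root over plain HTTP, so compare the downloaded file's fingerprint with the one published on the root certificate page before deploying it.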
Verify
Let's verify all is good.
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
Giving something like this:
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK
Errors - Double check time
- Date [is it wrong?]
- Install ntpd if it's not installed
- Stop ntpd :
/etc/init.d/ntpd stop
- Set time with :
ntpdate us.pool.ntp.org
- Confirm time change :
date
- Confirm hardware clock time :
hwclock
- Sync hardware clock time :
hwclock --systohc
- Confirm hardware clock time :
hwclock
- Start ntpd now :
/etc/init.d/ntpd start
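The Verify step and the wrong-date failure above can be reproduced with plain openssl, independently of zmcertmgr. This is an added example, not part of the original notes: it assumes the OpenSSL command-line tool is installed, the helper names are hypothetical, and the test CA, key, CSR and cert it generates are constructed throwaway material.

```shell
#!/bin/sh
# Added example, not from the wiki page. Helper names are hypothetical and every
# file it creates (test CA, mail.example.test key/CSR/cert) is constructed.

# pubkey_digest KIND FILE: SHA-256 of the DER public key in a key, csr or cert.
pubkey_digest() {
  case "$1" in
    key)  _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  _pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  [ -n "$_pem" ] || return 1
  printf '%s\n' "$_pem" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 | awk '{print $NF}'
}

# check_deploy_set KEY CERT CAFILE [EPOCH]: prints OK and returns 0 only if the
# key matches the cert and the cert chains to CAFILE. EPOCH (optional) replaces
# the system clock for the validity check, to reproduce a wrong-date failure.
check_deploy_set() {
  _k=$(pubkey_digest key "$1")  || { echo "unreadable key"; return 1; }
  _c=$(pubkey_digest cert "$2") || { echo "unreadable cert"; return 1; }
  [ "$_k" = "$_c" ] || { echo "key does not match cert"; return 1; }
  if ! openssl verify ${4:+-attime "$4"} -CAfile "$3" "$2" >/dev/null 2>&1; then
    echo "chain or validity period rejected"; return 1
  fi
  echo "OK"
}

# make_test_set DIR: constructed CA, server key, CSR, signed cert and a stray key.
make_test_set() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
      -out commercial_ca.crt -subj "/CN=Constructed Test CA" -days 2 &&
    openssl req -newkey rsa:2048 -nodes -keyout commercial.key \
      -out commercial.csr -subj "/CN=mail.example.test" &&
    openssl x509 -req -in commercial.csr -CA commercial_ca.crt -CAkey ca.key \
      -CAcreateserial -out commercial.crt -days 1 &&
    openssl genrsa -out other.key 2048 ) >/dev/null 2>&1
}

if d=$(mktemp -d) && make_test_set "$d"; then
  check_deploy_set "$d/commercial.key" "$d/commercial.crt" "$d/commercial_ca.crt" || true
  # Constructed clock error: validate as if it were 2008-07-24, before issuance.
  check_deploy_set "$d/commercial.key" "$d/commercial.crt" "$d/commercial_ca.crt" 1216857600 || true
fi
```

On the server, the same check_deploy_set call can be pointed at commercial.key, commercial.crt and commercial_ca.crt in /opt/zimbra/ssl/zimbra/commercial/.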
Deploy CA
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt
Restart the webserver
su - zimbra
zmmailboxdctl restart