Gautam-Notes: Difference between revisions
Revision as of 06:44, 20 June 2011
Single Sign On
SPNEGO
The SPNEGO SSO feature allows AD domain users to enter their Zimbra mailbox without having to re-authenticate themselves to Zimbra by entering their Zimbra credentials.
- SPNEGO Configuration
- For ZCO, ensure that the Store Password HKEY is disabled:
HKEY_LOCAL_MACHINE\SOFTWARE\Zimbra\StorePassword = 0
SMIME
Certificates
2-way SSL (mutual authentication) using X.509 certificates
Two-way SSL authentication, also commonly referred to as SSL mutual authentication, is the combination of server and client authentication. The authentication that is occurring is mutual, or two-way, because the server is authenticating itself to the client, and the client is authenticating itself to the server.
For a server authenticating itself to the client, the client must trust the CA who signed the server's certificate.
For a client authenticating itself to the server, the server must trust the CA who signed the client's certificate.
Note: The steps and examples below are intended mainly for QA and dev environments.
1. Create a Certificate Authority (CA) Certificate
(A). First, we create a 1024-bit private key to use when creating our CA.
mkdir /tmp/cert; cd /tmp/cert
/opt/zimbra/openssl/bin/openssl genrsa -des3 -out ca.key 2048
The pass phrase will be requested whenever you use this certificate for anything, so make sure you remember it. This will create a file called /tmp/cert/ca.key, containing our certificate authority private key.
(B). Next, we create a master certificate based on this key, to use when signing other certificates:
/opt/zimbra/openssl/bin/openssl req -config /opt/zimbra/openssl/ssl/openssl.cnf -new -x509 -days 1001 -key ca.key -out ca.cer
This will create our CA certificate and store it as /tmp/cert/ca.cer
(C). Create and sign (self-sign) a certificate from the certificate request
/opt/zimbra/openssl/bin/openssl x509 -req -days 365 -in ca.csr -out ca.crt -signkey ca.key
2. Create a Client Certificate
(A). Create a private key
/opt/zimbra/openssl/bin/openssl genrsa -out user1.key 2048
(B). Create a certificate request
Note: the most important information is the Email Address. It must be the email address of the Zimbra user.
/opt/zimbra/openssl/bin/openssl req -new -key user1.key -out user1.csr
(C). Sign the user certificate request with the CA created in step 1 to produce the user certificate
/opt/zimbra/openssl/bin/openssl ca -in user1.csr -cert ca.crt -keyfile ca.key -out user1.crt -policy policy_anything
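Steps 1 and 2 above as one complete, non-interactive script, added here as an example; it is not part of the original notes or of Zimbra's tooling. It assumes a generic `openssl` (1.1.x or 3.x) on PATH (set OPENSSL=/opt/zimbra/openssl/bin/openssl to use the bundled binary), uses 2048-bit keys as the page's commands do, and supplies constructed values for the CA passphrase, subjects and the user's e-mail address. Two things the page leaves to the default openssl.cnf are made explicit: `openssl ca` needs a database (index.txt, serial, newcerts/) and a `policy_anything` section before it will sign anything, and the CA certificate needs basicConstraints CA:TRUE or `openssl verify` will reject the chain. Because `req -x509` already produces the self-signed CA certificate, the script writes it straight to ca.crt instead of going through a separate ca.csr.

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling: builds a test CA and a client
# certificate for 2-way SSL following steps 1 and 2 on this page, without
# interactive prompts. Assumes `openssl` (1.1.x or 3.x) is on PATH; set
# OPENSSL=/opt/zimbra/openssl/bin/openssl to use the bundled binary instead.
set -eu
OPENSSL="${OPENSSL:-openssl}"
CA_PASS="${CA_PASS:-test-only-passphrase}"   # constructed CA key passphrase

# Minimal config: the CA database `openssl ca` needs, the policy_anything
# section the page's signing command refers to, and the extensions that mark
# the CA as a CA and the user certificate as a client-auth leaf.
write_ca_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert

# Accept any subject as long as a CN is present.
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# build_client_pki DIR EMAIL: writes ca.key/ca.crt and user1.key/user1.csr/user1.crt
# into DIR, signing the client certificate with the CA. Runs in a subshell so the
# caller's working directory is untouched; returns non-zero if any step fails or
# if the resulting certificate does not chain to the CA.
build_client_pki() (
    mkdir -p "$1" && cd "$1"
    write_ca_config openssl.cnf

    # Step 1A: encrypted 2048-bit CA private key (the page uses -des3; AES-256
    # is accepted by the same OpenSSL versions and is the better choice today).
    "$OPENSSL" genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 2048

    # Steps 1B/1C: self-signed CA certificate. `req -x509` builds and signs the
    # request in one go, so no separate ca.csr is needed. Subject is constructed.
    "$OPENSSL" req -config openssl.cnf -new -x509 -days 1001 -key ca.key \
        -passin "pass:$CA_PASS" -subj "/O=Example Test CA/CN=Test Root CA" -out ca.crt

    # Steps 2A/2B: client key and request. emailAddress is what Zimbra matches
    # against the mailbox, so in real use it must be the user's actual address.
    "$OPENSSL" genrsa -out user1.key 2048
    "$OPENSSL" req -config openssl.cnf -new -key user1.key \
        -subj "/CN=user1/emailAddress=$2" -out user1.csr

    # Step 2C: `openssl ca` refuses to run without its database, so create the
    # empty index, the first serial number and the output directory first.
    mkdir -p newcerts
    : > index.txt
    echo 01 > serial
    "$OPENSSL" ca -config openssl.cnf -batch -notext -policy policy_anything \
        -cert ca.crt -keyfile ca.key -passin "pass:$CA_PASS" \
        -in user1.csr -out user1.crt

    # Sanity check: the client certificate must verify against the CA.
    "$OPENSSL" verify -CAfile ca.crt user1.crt >/dev/null
)

# cert_email CERT: prints the e-mail address embedded in a certificate, the
# value an administrator would compare with the Zimbra account.
cert_email() {
    "$OPENSSL" x509 -in "$1" -noout -email
}

main() {
    dir="${PKI_DIR:-$(mktemp -d)}"   # PKI_DIR=/tmp/cert mirrors the page's layout
    build_client_pki "$dir" "user1@example.com"
    echo "CA and client certificate written to $dir"
    echo "client certificate e-mail: $(cert_email "$dir/user1.crt")"
}

main
```

Run it as `PKI_DIR=/tmp/cert sh make-client-cert.sh` to get the same file names the page uses; user1.key and user1.crt are what step 3 imports into the browser. The final `openssl verify` is the check worth keeping in any such script: it catches a CA certificate that lacks CA:TRUE or a request signed with the wrong key before the certificate reaches a user.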
3. Import the Client Certificate into Web Browsers