Gautam-Notes: Difference between revisions

No edit summary
No edit summary
Line 71: Line 71:


'''(B).''' To import a certificate in Firefox (Firefox 3.6 Mac):
'''(B).''' To import a certificate in Firefox (Firefox 3.6 Mac):
<pre>
- Firefox -> preferences
- Firefox -> preferences
- Click on the Advanced tab
- Click on the Advanced tab
Line 78: Line 79:
- Click on "import"
- Click on "import"
- Use the browse button to select the user1.p12 file.  You will be prompted for the password entered in 3. (A).
- Use the browse button to select the user1.p12 file.  You will be prompted for the password entered in 3. (A).
</pre>

Revision as of 06:54, 20 June 2011

Attention.png - This article is NOT official Zimbra documentation.

Single Sign On

SPNEGO The SPNEGO SSO feature allows AD domain users to enter their Zimbra mailbox without having to re-authenticate themselves to Zimbra by entering their Zimbra credentials.

 HKEY_LOCAL_MACHINE\SOFTWARE\Zimbra\StorePassword = 0


Certificates

2-way SSL (mutual authentication) using X.509 certificates

Two-way SSL authentication, also commonly referred to as SSL mutual authentication, is the combination of server and client authentication. The authentication that is occurring is mutual, or two-way, because the server is authenticating itself to the client, and the client is authenticating itself to the server.

For a server authenticating itself to the client, the client must trust the CA who signed the server's certificate.

For a client authenticating itself to the server, the server must trust the CA who signed the client's certificate.

Note: Steps and examples used below are mainly for QA and dev environment.


1. Create a Certificate Authority (CA) Certificate

(A). First, we create a 1024-bit private key to use when creating our CA.

 mkdir /tmp/cert; cd /tmp/cert
 /opt/zimbra/openssl/bin/openssl genrsa -des3 -out ca.key 2048

The pass phrase will be requested whenever you use this certificate for anything, so make sure you remember it. This will create a file called /tmp/cert/ca.key, containing our certificate authority private key.

(B). Next, we create a master certificate based on this key, to use when signing other certificates:

 /opt/zimbra/openssl/bin/openssl req -config /opt/zimbra/openssl/ssl/openssl.cnf -new -x509 -days 1001 -key ca.key -out ca.cer

This will create our CA certificate and store it as /tmp/cert/ca.cer

(C). Create and sign(self-sign) a certificate from the certificate request

 /opt/zimbra/openssl/bin/openssl x509 -req -days 365 -in ca.csr -out ca.crt -signkey ca.key


2. Create a Client Certificate

(A). Create a private key

  /opt/zimbra/openssl/bin/openssl genrsa -out user1.key 2048

(B). Create a certificate request

Note: the most important information is the Email Address. It must be the email address of the Zimbra user.

  /opt/zimbra/openssl/bin/openssl req -new -key user1.key -out user1.csr

(C). Sign the user certificate request using the CA created in 1 and create the user certificate

  /opt/zimbra/openssl/bin/openssl ca -in user1.csr -cert ca.crt -keyfile ca.key -out user1.crt -policy policy_anything


3. Import the Client Certificate into Web Browsers

Web browsers like Firefox and IE can't use the certificates in the PEM format that is generated by OpenSSL. Consequently, we'll need to export the user certificate to file formats that can be imported by web browsers.

(A). Import the client certificate in PKCS#12 format Firefox and Internet Explorer 6.0 support the PKCS#12 certificate format. Use the following command to convert the user certificate to this format.

  /opt/zimbra/openssl/bin/openssl pkcs12 -export -clcerts -in user1.crt -inkey user1.key -out user1.p12

Copy the user1.p12 file to a location where you can access it from your web browser via the file system.

(B). To import a certificate in Firefox (Firefox 3.6 Mac):

- Firefox -> preferences
- Click on the Advanced tab
- Under Certificates, select "Ask me every time" for "When a server requests my personal certificate".
- Click on "View Certificates"
- Click on the "Your Certificates" tab
- Click on "import"
- Use the browse button to select the user1.p12 file.  You will be prompted for the password entered in 3. (A).
Jump to: navigation, search