Gautam-Notes

Revision as of 06:44, 20 June 2011 by Gautam (talk | contribs)


Single Sign On

SPNEGO

The SPNEGO SSO feature allows AD domain users to enter their Zimbra mailbox without having to re-authenticate themselves to Zimbra by entering their Zimbra credentials.

 HKEY_LOCAL_MACHINE\SOFTWARE\Zimbra\StorePassword = 0

SMIME


Certificates

2-way SSL (mutual authentication) using X.509 certificates

Two-way SSL authentication, also commonly referred to as SSL mutual authentication, is the combination of server and client authentication. The authentication that is occurring is mutual, or two-way, because the server is authenticating itself to the client, and the client is authenticating itself to the server.

For a server authenticating itself to the client, the client must trust the CA who signed the server's certificate.

For a client authenticating itself to the server, the server must trust the CA who signed the client's certificate.

Note: The steps and examples below are intended mainly for QA and dev environments.


1. Create a Certificate Authority (CA) Certificate

(A). First, we create a 1024-bit private key to use when creating our CA.

 mkdir /tmp/cert; cd /tmp/cert
 /opt/zimbra/openssl/bin/openssl genrsa -des3 -out ca.key 2048

The pass phrase will be requested whenever you use this certificate for anything, so make sure you remember it. This will create a file called /tmp/cert/ca.key, containing our certificate authority private key.

(B). Next, we create a master certificate based on this key, to use when signing other certificates:

 /opt/zimbra/openssl/bin/openssl req -config /opt/zimbra/openssl/ssl/openssl.cnf -new -x509 -days 1001 -key ca.key -out ca.cer

This will create our CA certificate and store it as /tmp/cert/ca.cer

(C). Create and sign (self-sign) a certificate from the certificate request

 /opt/zimbra/openssl/bin/openssl x509 -req -days 365 -in ca.csr -out ca.crt -signkey ca.key


2. Create a Client Certificate

(A). Create a private key

  /opt/zimbra/openssl/bin/openssl genrsa -out user1.key 2048

(B). Create a certificate request

Note: the most important information is the Email Address. It must be the email address of the Zimbra user.

  /opt/zimbra/openssl/bin/openssl req -new -key user1.key -out user1.csr

(C). Sign the user certificate request using the CA created in step 1, producing the user certificate

  /opt/zimbra/openssl/bin/openssl ca -in user1.csr -cert ca.crt -keyfile ca.key -out user1.crt -policy policy_anything
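As an added example (not part of the original notes), the script below runs the CA and client-certificate flow from steps 1 and 2 end to end with the system openssl rather than /opt/zimbra/openssl/bin/openssl, and then performs the two checks the server side of mutual authentication relies on: that the client certificate chains to the trusted CA (and not to an unrelated one), and which email address the certificate carries. The subject names and user1@example.com are made-up values.

```shell
#!/bin/sh
# Added example, not part of the original notes: the two-way SSL PKI flow the
# notes walk through, run end to end with the system openssl (the notes use
# /opt/zimbra/openssl/bin/openssl) in a scratch directory, then checked the way
# the server side of mutual authentication checks it.
# Assumptions: openssl is on PATH; subject names and user1@example.com are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: CA private key plus self-signed CA certificate (key left unencrypted
# here; the notes use -des3 and a pass phrase). $1 is a file name stem.
make_ca() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -days 1001 -key "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/O=Example/CN=$1 test CA" 2>/dev/null
}

# Step 2: client key, a CSR whose subject carries the Zimbra account's email
# address, and a certificate for it signed by CA "$2" (default: ca).
make_client() {
    email="$1"; ca="${2:-ca}"
    openssl genrsa -out "$WORK/user1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/user1.key" -out "$WORK/user1.csr" \
        -subj "/CN=User One/emailAddress=$email" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/user1.csr" -CA "$WORK/$ca.crt" \
        -CAkey "$WORK/$ca.key" -CAcreateserial -out "$WORK/user1.crt" 2>/dev/null
}

# Server-side check 1: does certificate "$2" chain to CA "$1", the CA we trust?
# Returns non-zero for a certificate issued by any other CA.
verify_client() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Server-side check 2: the email address in certificate "$1", which is the
# value Zimbra matches against the mailbox (the note's "most important" field).
client_email() {
    openssl x509 -in "$WORK/$1.crt" -noout -email
}

# Stand-alone walk-through: the trusted CA accepts the cert, an unrelated CA does not.
make_ca ca
make_ca other
make_client user1@example.com ca
verify_client ca user1 && echo "user1.crt trusted by ca.crt, maps to $(client_email user1)"
verify_client other user1 || echo "user1.crt rejected by other.crt (untrusted issuer)"
```

Unlike step 2 (C) in the notes, the signing here uses `openssl x509 -req -CA` instead of `openssl ca`, which avoids needing the index and serial files that `openssl ca` expects from openssl.cnf.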

3. Import the Client Certificate into Web Browsers
