Latest revision as of 09:52, 26 July 2023

S/MIME certificates


   KB 24164 Last updated on 2023-07-26





Overview:

S/MIME stands for Secure/Multipurpose Internet Mail Extensions. It is a standards-based method of public/private key encryption. S/MIME is based on asymmetric cryptography and is commonly used for email and other MIME data. It provides email security features such as encryption, authentication, message integrity and related services: it ensures that a message was sent by a legitimate sender and encrypts incoming and outgoing messages. To enable S/MIME communication, the sender and receiver must each hold a public key and signature issued by a certificate authority (CA).

We're not going to go into great detail on what S/MIME is here, so please feel free to read the Wikipedia article for more background.

https://en.wikipedia.org/wiki/S/MIME

These are the ways to get an S/MIME certificate.

1. Buy an S/MIME certificate from an authority such as Comodo, SSLshopper, DigiCert, etc.

 https://ssl.comodo.com/email-smime-certificate
 https://www.digicert.com/client-certificates/
 https://www.sslshopper.com/email-certificates-smime-certificates.html

2. A few companies provide S/MIME certificates free for a year or 30 days.

 https://www.instantssl.com/products/ssl-trial-ssl-certificate-tls
 https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx

3. Use a self-signed S/MIME certificate.

Here are the steps to generate a self-signed S/MIME certificate:

  • Generate a key and set a passphrase; it will be needed later when generating the CSR.
 openssl genrsa -des3 -out cert.key 4096
  • Generate the CSR. Use your email address as the Common Name, and do not set “A challenge password” on the CSR: leave it blank and just press Enter.
 openssl req -new -key cert.key -out cert.csr
  • Create the self-signed certificate.
 openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt
  • Convert the certificate into .p12 format. Set an “Export Password”; it will be used when uploading the S/MIME certificate to the Zimbra web client.
 openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12

The above command fails if OpenSSL is FIPS compliant (see https://github.com/openssl/openssl/issues/19997). Use the command below to generate the PKCS#12 file with the FIPS check disabled:

 openssl pkcs12 -propquery '-fips' -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12

Note: For a self-signed S/MIME certificate, the OCSP check has to be disabled. OCSP (Online Certificate Status Protocol) is an Internet protocol used to obtain the revocation status of an X.509 digital certificate. zimbraSmimeOCSPEnabled is a global config attribute (zmprov mcf), so disabling it turns off revocation checking for every S/MIME certificate on the server, not only the self-signed one.

 su - zimbra
 zmprov mcf zimbraSmimeOCSPEnabled FALSE
 zmprov fc all

Importing the certificate into the Zimbra Web Client (ZWC). A free S/MIME certificate from ACTALIS is used for this demo.

1. Make sure ZCS is installed as the Network Edition and that the license includes S/MIME users.

 su - zimbra
 zmlicense -p | grep SMIMEAccountsLimit

2. Check that the Zimlet (com_zimbra_secureemail) is enabled at user or COS level; it is required to use S/MIME with ZWC.

Zimbra-smime-01.png

Note: Disable the com_zimbra_smime zimlet; it is an old zimlet that is no longer used.

3. Enable the S/MIME feature from the CLI or GUI. Two lab users are used below to show S/MIME working.

 zmprov ma user@example.com zimbraFeatureSMIMEEnabled TRUE
 zmprov mc <COS NAME> zimbraFeatureSMIMEEnabled TRUE

e.g.

 zmprov ma pk@zimbrasupportlab.com zimbraFeatureSMIMEEnabled TRUE
 zmprov ma pb@zimbrasupportlab.com zimbraFeatureSMIMEEnabled TRUE


4. Upload the S/MIME certificate (purchased from any SSL provider) into the user's ZWC.

Preferences > Secure Email > Browse to certificate

Note: You will be prompted for the password of your S/MIME certificate (the export password set when the .p12 file was created).

Zimbra-smime-02.png Zimbra-smime-03.png Zimbra-smime-04.png


Note: The same steps have to be followed for the other user to upload their S/MIME certificate.

Exchanging public keys for sending encrypted email.

Both users need to send a signed email to each other to share their public certificates.

1. Send a signed email from one user to the other.

Zimbra-smime-05.png

2. Reply from the other user with a signed email.

Zimbra-smime-06.png

Note: Both users have now exchanged their public keys with each other and are ready to send encrypted email.


Sending an encrypted email from one user to the other.

1. Compose an email and select “Sign and Encrypt” before sending.

Zimbra-smime-07.png

2. The other user can view the email, which shows the signed and encrypted icons.

Zimbra-smime-08.png


Troubleshooting:

  • If the following error appears in the web client while importing an S/MIME certificate into ZWC and the exception below appears in mailbox.log, then either the intermediate certificate of the S/MIME certificate was not added to the Java keystore on the mailbox server, or the S/MIME certificate is revoked or could not be verified by the CA.

Zimbra-smime-09.png

ExceptionId:qtp1225197672-127788:https://10.137.26.222/service/soap/SaveSmimeCertificateRequest:1601142698929:af56e9d5dddf72ce
Code:smime.CERT_VALIDATION_FAILED
       at com.zimbra.cs.service.smime.SmimeServiceException.CERT_VALIDATION_FAILED(SmimeServiceException.java:87)
       at com.zimbra.cs.smime.SmimeCryptoUtil.validateCertificate(SmimeCryptoUtil.java:347)
       at com.zimbra.cs.service.smime.SaveSmimeCertificate.save(SaveSmimeCertificate.java:121)
       at com.zimbra.cs.service.smime.SaveSmimeCertificate.handle(SaveSmimeCertificate.java:95)
       xecutor.java:366)
       at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:698)
       at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:804)
       at java.base/java.lang.Thread.run(Thread.java:830)
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors


Solution: Either obtain the intermediate certificate of the CA that issued your S/MIME certificate and add it to the Java keystore, or disable the OCSP check. Adding the intermediate is the targeted fix; disabling OCSP is a global setting that removes revocation checking for all S/MIME certificates on the server.

 su - zimbra
 zmcertmgr addcacert /tmp/<Intermediate certificate>
 zmmailboxdctl restart
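As an added example (not part of the wiki page), the shell functions below run the self-signed certificate steps from the Overview non-interactively and add a local chain check that reproduces the “Path does not chain with any of the trust anchors” condition before the .p12 is uploaded to ZWC. Assumptions: OpenSSL 1.1.1 or later is on PATH; the file names, the extension file contents (rfc822Name SAN and emailProtection EKU, which go beyond the page's plain command) and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki page: the self-signed S/MIME steps
# done non-interactively, plus a local chain check. File names, the extension
# file contents and the function names are this example's own choices.

# gen_smime_cert DIR EMAIL NAME DAYS KEYPASS EXPORTPASS [BITS]
# Writes cert.key, cert.csr, cert.crt and cert.p12 into DIR.
gen_smime_cert() {
    dir=$1 email=$2 name=$3 days=$4 keypass=$5 exportpass=$6 bits=${7:-4096}
    # 1. DES3-encrypted private key, passphrase supplied instead of prompted
    openssl genrsa -des3 -passout "pass:$keypass" -out "$dir/cert.key" "$bits" 2>/dev/null
    # 2. CSR with the e-mail address as Common Name and no challenge password
    openssl req -new -key "$dir/cert.key" -passin "pass:$keypass" \
        -subj "/CN=$email/emailAddress=$email" -out "$dir/cert.csr"
    # 3. Self-signed certificate. The extensions go beyond the page's command:
    #    mail clients expect the address as an rfc822Name SAN and the
    #    emailProtection extended key usage (RFC 8550), and a leaf is not a CA.
    cat > "$dir/ext.cnf" <<EOF
subjectAltName=email:$email
extendedKeyUsage=emailProtection
keyUsage=critical,digitalSignature,keyEncipherment
basicConstraints=CA:FALSE
EOF
    openssl x509 -req -days "$days" -in "$dir/cert.csr" -signkey "$dir/cert.key" \
        -passin "pass:$keypass" -extfile "$dir/ext.cnf" -out "$dir/cert.crt" 2>/dev/null
    # 4. PKCS#12 bundle; the export password is what ZWC asks for on upload
    openssl pkcs12 -export -in "$dir/cert.crt" -inkey "$dir/cert.key" \
        -passin "pass:$keypass" -name "$name" -passout "pass:$exportpass" \
        -out "$dir/cert.p12"
}

# verify_smime_cert CRT CAFILE: succeeds only if CRT chains to a trust anchor
# in CAFILE and is usable for S/MIME signing. This is the chain build that the
# troubleshooting entry above shows failing when the intermediate is missing.
# For a self-signed certificate CAFILE is the certificate itself.
verify_smime_cert() {
    openssl verify -purpose smimesign -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# smime_cert_email CRT: e-mail address the certificate is bound to
smime_cert_email() {
    openssl x509 -in "$1" -noout -email | head -n 1
}
```

For a purchased certificate, pass the issuing intermediate and root concatenated as CAFILE; if verify_smime_cert fails there, that intermediate is the file zmcertmgr addcacert needs.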


To disable the OCSP check:

 su - zimbra
 zmprov mcf zimbraSmimeOCSPEnabled FALSE
 zmprov fc all

  • The following Java error appears if the old zimlet (com_zimbra_smime), which is not supported, is enabled.

Zimbra-smime-10.png

Solution: Disable the old zimlet (com_zimbra_smime) and enable the new zimlet (com_zimbra_secureemail).

Submitted by: Prabhat Kumar
Verified Against: ZCS 9.0, 8.8, 8.7
Date Created: 2017-08-23
Article ID: https://wiki.zimbra.com/index.php?title=SMIME_ZWC_Certificates
Date Modified: 2023-07-26


