S/MIME certificates

KB 24164	Last updated on 2020-10-03	Last updated by Kumarp	0.00 (0 votes)	Verified in: Template:ZCS 9 ZCS 8.8 ZCS 8.7
- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.

KB 24164	Last updated on 2020-10-3
0.00 (0 votes)
- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.

Overview:

S/MIME stands for ‘Secure/Multipurpose Internet Mail Extensions’. It is a standards-based method of public/private key encryption. S/MIME is based on asymmetric cryptography it is commonly used for email and MIME data. S/MIME enables email security features by providing encryption, authentication, message integrity and other related services. It ensures that an email message is sent by a legitimate sender and provides encryption for incoming and outgoing messages. To enable S/MIME based communication, the sender and receiver must be integrated with public key and signatures issued from a certificate authority (CA).

We're not going to go into great detail on what S/MIME is here, so please feel free to read the Wikipedia article for more background.

https://en.wikipedia.org/wiki/S/MIME

These are the following ways to get a SIME/certificate.

1. Buy a S/MIME certificate from authority like Comodo, SSLshoper , digicert etc.

  	https://ssl.comodo.com/email-smime-certificate
       https://www.digicert.com/client-certificates/
       https://www.digicert.com/client-certificates/
       https://www.sslshopper.com/email-certificates-smime-certificates.html

2. There are few companies which provides S/MIME free for a year or 30 days .

      https://www.instantssl.com/products/ssl-trial-ssl-certificate-tls
      https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx

3. Use self-signed S/MIME certificate.

Here are the steps to generate a self-singed SMIME certificate:

• Generate a key and set password which will be needed later during CSR generation.

         openssl genrsa -des3 -out cert.key 4096

• Generate the CSR, use your email ID as Common Name while generating CSR and don’t set “A challenge passwordon” CSR and leave it blank, just press enter.

        openssl req -new -key cert.key -out cert.csr 

• Create the certificate key.

       openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt

• Convert certificate into .p12. Set “Export Password” which will be used during the upload of S/MIME to Zimbra web client.

       openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12

=Note:= In case of self-signed S/MIME certificate, OCSP check should be disabled for a S/MIME certificate. (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The full form is Online Certificate Status Protocol (OCSP).

       su - zimbra
       zmprov mcf zimbraSmimeOCSPEnabled FALSE
       zmpro fc all

Importing certificate into the Zimbra Web Client (ZWC). Using free S/MIME certificate which was opted from ACTALIS for a demo.

1. Be sure, your ZCS is installed with Network Edition version of the product and license includes S/MIME users.

        su – zimbra
        zmlicense -p | grep SMIMEAccountsLimit

2. We need to check the Zimlet (com_zimbra_secureemail), it should be enabled on a user or COS level to use S/MIME with ZWC.