SMIME ZWC Certificates: Difference between revisions
No edit summary |
No edit summary |
||
Line 62: | Line 62: | ||
2. We need to check the Zimlet (com_zimbra_secureemail), it should be enabled on a user or COS level to use S/MIME with ZWC. | 2. We need to check the Zimlet (com_zimbra_secureemail), it should be enabled on a user or COS level to use S/MIME with ZWC. | ||
[[zimbra-smime-01.png]] | [[File:zimbra-smime-01.png]] |
Revision as of 07:32, 3 October 2020
S/MIME certificates
Overview:
S/MIME stands for ‘Secure/Multipurpose Internet Mail Extensions’. It is a standards-based method of public/private key encryption. S/MIME is based on asymmetric cryptography it is commonly used for email and MIME data. S/MIME enables email security features by providing encryption, authentication, message integrity and other related services. It ensures that an email message is sent by a legitimate sender and provides encryption for incoming and outgoing messages. To enable S/MIME based communication, the sender and receiver must be integrated with public key and signatures issued from a certificate authority (CA).
We're not going to go into great detail on what S/MIME is here, so please feel free to read the Wikipedia article for more background.
https://en.wikipedia.org/wiki/S/MIME
These are the following ways to get a SIME/certificate.
1. Buy a S/MIME certificate from authority like Comodo, SSLshoper , digicert etc.
https://ssl.comodo.com/email-smime-certificate https://www.digicert.com/client-certificates/ https://www.digicert.com/client-certificates/ https://www.sslshopper.com/email-certificates-smime-certificates.html
2. There are few companies which provides S/MIME free for a year or 30 days
https://www.instantssl.com/products/ssl-trial-ssl-certificate-tls https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx
3. Use self-signed S/MIME certificate.
Here are the steps to generate a self-singed SMIME certificate:
• Generate a key and set password which will be needed later during CSR generation.
openssl genrsa -des3 -out cert.key 4096
• Generate the CSR, use your email ID as Common Name while generating CSR and don’t set “A challenge passwordon” CSR and leave it blank, just press enter.
openssl req -new -key cert.key -out cert.csr
• Create the certificate key.
openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt
• Convert certificate into .p12. Set “Export Password” which will be used during the upload of S/MIME to Zimbra web client.
openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12
Note:
In case of self-signed S/MIME certificate, OCSP check should be disabled for a S/MIME certificate. (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The full form is Online Certificate Status Protocol (OCSP).
su - zimbra zmprov mcf zimbraSmimeOCSPEnabled FALSE zmpro fc all
Importing certificate into the Zimbra Web Client (ZWC). Using free S/MIME certificate which was opted from ACTALIS for a demo.
1. Be sure, your ZCS is installed with Network Edition version of the product and license includes S/MIME users.
su – zimbra zmlicense -p | grep SMIMEAccountsLimit
2. We need to check the Zimlet (com_zimbra_secureemail), it should be enabled on a user or COS level to use S/MIME with ZWC.