SMIME ZWC Certificates: Difference between revisions

No edit summary
No edit summary
Line 62: Line 62:
2. We need to check the Zimlet (com_zimbra_secureemail), it should be enabled on a user or COS level to use S/MIME with ZWC.
2. We need to check the Zimlet (com_zimbra_secureemail), it should be enabled on a user or COS level to use S/MIME with ZWC.


  [[zimbra-smime-01.png]]
  [[File:zimbra-smime-01.png]]

Revision as of 07:32, 3 October 2020

S/MIME certificates

   KB 24164        Last updated on 2020-10-3  




0.00
(0 votes)


Overview:

S/MIME stands for ‘Secure/Multipurpose Internet Mail Extensions’. It is a standards-based method of public/private key encryption. S/MIME is based on asymmetric cryptography it is commonly used for email and MIME data. S/MIME enables email security features by providing encryption, authentication, message integrity and other related services. It ensures that an email message is sent by a legitimate sender and provides encryption for incoming and outgoing messages. To enable S/MIME based communication, the sender and receiver must be integrated with public key and signatures issued from a certificate authority (CA).

We're not going to go into great detail on what S/MIME is here, so please feel free to read the Wikipedia article for more background.

https://en.wikipedia.org/wiki/S/MIME

These are the following ways to get a SIME/certificate.

1. Buy a S/MIME certificate from authority like Comodo, SSLshoper , digicert etc.

 https://ssl.comodo.com/email-smime-certificate
 https://www.digicert.com/client-certificates/
 https://www.digicert.com/client-certificates/
 https://www.sslshopper.com/email-certificates-smime-certificates.html

2. There are few companies which provides S/MIME free for a year or 30 days

 https://www.instantssl.com/products/ssl-trial-ssl-certificate-tls
 https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx

3. Use self-signed S/MIME certificate.

Here are the steps to generate a self-singed SMIME certificate:

• Generate a key and set password which will be needed later during CSR generation.

 openssl genrsa -des3 -out cert.key 4096

• Generate the CSR, use your email ID as Common Name while generating CSR and don’t set “A challenge passwordon” CSR and leave it blank, just press enter.

 openssl req -new -key cert.key -out cert.csr 

• Create the certificate key.

 openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt

• Convert certificate into .p12. Set “Export Password” which will be used during the upload of S/MIME to Zimbra web client.

 openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12

Note:

In case of self-signed S/MIME certificate, OCSP check should be disabled for a S/MIME certificate. (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The full form is Online Certificate Status Protocol (OCSP).

 su - zimbra
 zmprov mcf zimbraSmimeOCSPEnabled FALSE
 zmpro fc all


Importing certificate into the Zimbra Web Client (ZWC). Using free S/MIME certificate which was opted from ACTALIS for a demo.

1. Be sure, your ZCS is installed with Network Edition version of the product and license includes S/MIME users.

 su – zimbra
 zmlicense -p | grep SMIMEAccountsLimit

2. We need to check the Zimlet (com_zimbra_secureemail), it should be enabled on a user or COS level to use S/MIME with ZWC.

Zimbra-smime-01.png
Jump to: navigation, search