Difference between revisions of "ShanxT-SSL-CheatSheet"

(Created page with " == Check the pem file == openssl x509 -text -in /opt/zimbra/conf/ca/ca.pem -noout == Check CSR == openssl req -text -in commercial.csr == Check certs being displayed ...")

Revision as of 06:03, 23 September 2014


Check the pem file

openssl x509 -text -in /opt/zimbra/conf/ca/ca.pem -noout


Check CSR

openssl req -text -in commercial.csr


Check certs being displayed by server

openssl s_client -connect mail.example.com:443 -showcerts

This is useful to check whether the certificate the server actually presents differs from the one deployed on Zimbra (for example when a proxy or load balancer in front of the mailbox server terminates TLS with its own certificate).
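The same comparison done programmatically, as an added example that is not part of the original cheat sheet: it fetches the leaf certificate the server presents (without validating the chain, since this is a diagnostic), computes its SHA-256 fingerprint in the colon-separated form `openssl x509 -noout -fingerprint -sha256` prints, and compares it with a local PEM file. The local certificate path is a placeholder assumption, and the sample "certificates" used offline are constructed byte strings, not real DER.

```python
import hashlib
import socket
import ssl
import sys

# Placeholder (assumption): path of the certificate deployed on the Zimbra host.
LOCAL_CERT = "/path/to/deployed/commercial.crt"

# Constructed stand-ins (not real DER) so the helpers can be exercised offline.
SAMPLE_DER_A = b"constructed-cert-A"
SAMPLE_DER_B = b"constructed-cert-B"
SAMPLE_PEM_A = ssl.DER_cert_to_PEM_cert(SAMPLE_DER_A)
SAMPLE_PEM_B = ssl.DER_cert_to_PEM_cert(SAMPLE_DER_B)


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def fingerprint_der(der_bytes):
    """SHA-256 over the DER encoding, formatted like openssl's -fingerprint output."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem_text):
    """Fingerprint of a PEM-encoded certificate."""
    return fingerprint_der(pem_to_der(pem_text))


def same_cert(local_pem, served_pem):
    """True when both PEM texts encode the same certificate."""
    return pem_fingerprint(local_pem) == pem_fingerprint(served_pem)


def served_leaf_cert_der(host, port=443, timeout=10):
    """Fetch the leaf certificate the server presents, as DER.

    Verification is disabled on purpose: we want to see whatever the server
    sends, even a self-signed or expired certificate. Diagnostic use only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_deployment(host, local_cert_path=LOCAL_CERT, port=443):
    """Compare the deployed certificate file with what the server serves."""
    with open(local_cert_path) as fh:
        local_fp = pem_fingerprint(fh.read())
    served_fp = fingerprint_der(served_leaf_cert_der(host, port))
    return {"host": host, "local": local_fp, "served": served_fp,
            "match": local_fp == served_fp}


if __name__ == "__main__":
    # usage: python check_cert.py mail.example.com [/path/to/cert.pem]
    target = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else LOCAL_CERT
    for key, value in check_deployment(target, path).items():
        print(f"{key}: {value}")
```

A mismatch points at something between the client and Zimbra's mailboxd (a proxy or load balancer presenting its own certificate) or at a keystore that was not redeployed after the certificate changed; the keystore check further down the page is the next step in that case.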


SSL SMTP auth

Convert the username and password to base64 (AUTH LOGIN expects each value base64-encoded; echo -n keeps the trailing newline out of the encoded value):

echo -n 'testzimbra' | openssl base64

Use openssl s_client to connect:

openssl s_client -starttls smtp -connect webmail.example.com:25 -crlf -ign_eof
CONNECTED(00000003)
ehlo example.com
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
--output snipped. We'll see the SSL certificate and other details here--
250 DSN
250-webmail.example.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdHppbWJyYQ==  #This is the base-64 encoded username
334 UGFzc3dvcmQ6
VGVzdEBaaW00NTY=  #This is the base-64 encoded password
235 2.7.0 Authentication successful
mail from: user@example.com
250 2.1.0 Ok
rcpt to: shanx@example.com
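The AUTH LOGIN exchange from the transcript above, as an added example that is not part of the original cheat sheet: it produces the two base64 lines the client types, decodes the server's 334 challenges back to "Username:" and "Password:", builds the equivalent single-line AUTH PLAIN response (also advertised by the server above), and drives the dialogue either against a constructed fake server or, through smtplib, against a real host after STARTTLS. The credentials match the transcript; the fake server's reply strings and the function names are this example's own.

```python
import base64
import smtplib
import ssl

# Credentials from the transcript above (constructed test values).
USER = "testzimbra"
PASSWORD = "Test@Zim456"


def b64(text):
    """Base64-encode a string the way `echo -n ... | openssl base64` does."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_challenge(reply):
    """Decode a '334 <base64>' server challenge to its plain text."""
    code, _, payload = reply.partition(" ")
    if code != "334":
        raise ValueError(f"not an AUTH challenge: {reply!r}")
    return base64.b64decode(payload).decode("utf-8")


def auth_login_responses(user, password):
    """The two base64 lines the client sends after AUTH LOGIN."""
    return b64(user), b64(password)


def auth_plain_response(user, password, authzid=""):
    """One base64 line for AUTH PLAIN: authzid NUL authcid NUL password (RFC 4616)."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_login_exchange(send, user, password):
    """Drive AUTH LOGIN over send(line) -> reply. Returns (ok, final reply)."""
    reply = send("AUTH LOGIN")
    if not reply.startswith("334") or decode_challenge(reply) != "Username:":
        return False, reply
    reply = send(b64(user))
    if not reply.startswith("334") or decode_challenge(reply) != "Password:":
        return False, reply
    reply = send(b64(password))
    return reply.startswith("235"), reply


class FakeSmtpServer:
    """Constructed stand-in that answers the way the server in the transcript does."""

    def __init__(self, user, password):
        self.expected = auth_login_responses(user, password)
        self.step = 0
        self.user_ok = False

    def send(self, line):
        if self.step == 0 and line == "AUTH LOGIN":
            self.step = 1
            return "334 VXNlcm5hbWU6"          # "Username:"
        if self.step == 1:
            self.step = 2
            self.user_ok = (line == self.expected[0])
            return "334 UGFzc3dvcmQ6"          # "Password:"
        if self.step == 2:
            self.step = 0
            if self.user_ok and line == self.expected[1]:
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Error: authentication failed"
        return "503 5.5.1 Error: bad sequence of commands"


def smtp_auth_login(host, user, password, port=25):
    """Real connection: EHLO, STARTTLS, EHLO, then the same exchange via smtplib.docmd."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()

        def send(line):
            code, msg = smtp.docmd(line)
            return f"{code} {msg.decode('ascii', 'replace')}"

        return auth_login_exchange(send, user, password)
```

Base64 is an encoding, not encryption: anyone who can read the session recovers the password, which is why the transcript only sends AUTH after `-starttls smtp` has upgraded the connection and why `smtp_auth_login` calls `starttls()` before the exchange.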

Create the CA symlink

OpenSSL looks up CA certificates in a directory by the hash of their subject name, so the symlink must be named after that hash:

ln -s ca.crt `openssl x509 -hash -noout -in ca.crt`.0


Check cert in keystore

/opt/zimbra/java/bin/keytool -list -v -keystore /opt/zimbra/mailboxd/etc/keystore

The keystore password is the value of the mailboxd_keystore_password key in Zimbra's local config.


Generating keystore

Only use this if you know what you're doing. This is usually never required, and redeploying/recreating certs is enough.

openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
openssl pkcs12 -inkey server.key -in server.crt -name jetty -export -out /opt/zimbra/ssl/jetty.pkcs12  -passout pass:${mailboxd_keystore_password} > ${tmpfile} 2>&1
/opt/zimbra/java/bin/java ${java_options} -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl//jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore ${mailboxd_keystore_password} ${mailboxd_keystore_password}