Difference between revisions of "ShanxT-SSL-CheatSheet"
Revision as of 06:18, 23 September 2014


Check the CA PEM file (subject, issuer, validity, extensions)

openssl x509 -text -in /opt/zimbra/conf/ca/ca.pem -noout


Check a CSR (-verify also checks the request's own signature, so a corrupted or hand-edited CSR is caught before it goes to the CA)

openssl req -text -noout -verify -in commercial.csr


Check the certificate chain the server actually presents

openssl s_client -connect mail.example.com:443 -servername mail.example.com -showcerts

This is useful to check whether the certificate being served differs from the one deployed on Zimbra, for example when a proxy or load balancer in front of the mailbox server presents its own. -servername sends SNI, so a host with several virtual hosts returns the certificate for the name you are testing. Compare the fingerprint of the served certificate with the deployed file, and read the "Verify return code" line at the end of the output: s_client still prints the chain when it does not validate.


SSL SMTP auth

Convert the username and password to base64 (the -n matters: without it the trailing newline is encoded too and the login fails):

echo -n 'testzimbra' | openssl base64  

base64 is an encoding, not encryption. AUTH LOGIN and AUTH PLAIN are only safe inside the TLS session, which is why the 250-AUTH lines appear only after STARTTLS: Zimbra's MTA (Postfix) by default offers AUTH on TLS sessions only.

Use openssl s_client to connect. -starttls smtp makes s_client do the initial EHLO and STARTTLS itself and hands you the TLS session, -crlf sends the CRLF line endings SMTP expects, and -ign_eof keeps the session open after the handshake:

openssl s_client -starttls smtp -connect webmail.example.com:25 -crlf -ign_eof
CONNECTED(00000003)
ehlo example.com  #typed here; the reply appears after the certificate output
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
--output snipped. We'll see the SSL certificate and other details here--
250 DSN  #last line of the reply to the EHLO that s_client sent itself before STARTTLS
250-webmail.example.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdHppbWJyYQ==  #This is the base-64 encoded username
334 UGFzc3dvcmQ6
VGVzdEBaaW00NTY=  #This is the base-64 encoded password
235 2.7.0 Authentication successful
mail from: user@example.com
250 2.1.0 Ok
rcpt to: shanx@example.com
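The exchange above reduced to its encoding steps, as an added example (Python) that is not part of the original cheat sheet: it parses the EHLO capability reply, picks a mechanism, builds the two AUTH LOGIN answers and the single-line AUTH PLAIN token, and decodes the 334 prompts before answering them. The EHLO reply and the 334 lines are copied from the session above; the password "hunter2" is a placeholder.

```python
"""SMTP AUTH encoding helpers: what the base64 lines in an AUTH LOGIN / AUTH PLAIN
exchange contain. Added example, not part of the original cheat sheet."""
import base64
import re

# Constructed EHLO reply, copied from the session on the page (after STARTTLS).
EHLO_RESPONSE = """250-webmail.example.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 reply into {KEYWORD: [params]}.

    '250-' lines continue the reply, '250 ' ends it. The non-standard
    'AUTH=PLAIN LOGIN' line (Postfix broken_sasl_auth_clients, for
    pre-RFC 2554 clients) is folded into AUTH so there is one mechanism list.
    """
    caps = {}
    for line in reply.splitlines():
        m = re.match(r"250[ -](\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError(f"not part of a 250 reply: {line!r}")
        keyword, params = m.group(1).upper(), (m.group(2) or "").split()
        if keyword.startswith("AUTH="):
            params = [keyword[len("AUTH="):]] + params
            keyword = "AUTH"
        bucket = caps.setdefault(keyword, [])
        for p in params:
            if p not in bucket:
                bucket.append(p)
    return caps


def choose_mechanism(caps: dict) -> str:
    """Prefer PLAIN (one round trip) over LOGIN. Both send the password in
    the clear apart from TLS, so they must only be used after STARTTLS."""
    offered = caps.get("AUTH", [])
    for mech in ("PLAIN", "LOGIN"):
        if mech in offered:
            return mech
    raise RuntimeError("no PLAIN/LOGIN offered; was STARTTLS negotiated?")


def auth_login_tokens(username: str, password: str) -> tuple:
    """AUTH LOGIN: username and password as two separate base64 lines, each
    answering a 334 prompt. base64 is encoding, not protection."""
    enc = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return enc(username), enc(password)


def auth_plain_token(username: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL password), one line."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_challenge(line: str) -> str:
    """Decode a '334 <base64>' server prompt ('Username:' / 'Password:')."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError(f"expected a 334 challenge, got {line!r}")
    return base64.b64decode(payload).decode("utf-8")


def login_dialogue(username: str, password: str, prompts) -> list:
    """Client lines for AUTH LOGIN, answering each server prompt in turn.
    `prompts` are the server's 334 lines (here constructed from the page)."""
    answers = auth_login_tokens(username, password)
    expected = ("Username:", "Password:")
    client_lines = ["AUTH LOGIN"]
    for prompt, want, answer in zip(prompts, expected, answers):
        got = decode_challenge(prompt)
        if got != want:
            raise ValueError(f"unexpected prompt {got!r}, wanted {want!r}")
        client_lines.append(answer)
    return client_lines


if __name__ == "__main__":
    caps = parse_ehlo(EHLO_RESPONSE)
    print("AUTH mechanisms:", caps["AUTH"], "-> using", choose_mechanism(caps))
    # Username from the page, placeholder password.
    prompts = ["334 VXNlcm5hbWU6", "334 UGFzc3dvcmQ6"]
    print(login_dialogue("testzimbra", "hunter2", prompts))
    print("AUTH PLAIN", auth_plain_token("testzimbra", "hunter2"))
```

Feed the AUTH PLAIN token as a single line ("AUTH PLAIN <token>") in place of the three-line LOGIN exchange; the server's 235 reply is the same either way.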

Create the CA symlink

OpenSSL looks up CA certificates in a -CApath directory by the hash of their subject name, so the file (or a symlink to it) must be named <hash>.0:

ln -s ca.crt `openssl x509 -hash -noout -in ca.crt`.0

-hash is a synonym for -subject_hash on OpenSSL 1.0.0 and later. OpenSSL 0.9.8 used a different hash, so if an old client has to find the CA, add a second link named with -subject_hash_old (c_rehash creates both for a whole directory).


Check cert in keystore

/opt/zimbra/java/bin/keytool -list -v -keystore /opt/zimbra/mailboxd/etc/keystore

The password is the local-config value mailboxd_keystore_password (zmlocalconfig -s mailboxd_keystore_password prints it; run it as the zimbra user). Check that the jetty entry carries the certificate you expect and that its chain is complete.


Check cert in jetty.pkcs12

openssl pkcs12 -info -in /opt/zimbra/ssl/zimbra/jetty.pkcs12

Same password as the keystore (mailboxd_keystore_password). Add -nokeys to print only the certificate and bag attributes, so the private key does not end up in the terminal or its scrollback.


Generating keystore

Only use this if you know what you're doing. This is usually never required, and redeploying/recreating certs is enough. Run it as the zimbra user and back up /opt/zimbra/mailboxd/etc/keystore first.

# Minimal form: key + cert into a PKCS12 (prompts for the export password)
openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12

# What Zimbra's cert manager effectively runs: the alias must be "jetty" and the
# export password must be mailboxd_keystore_password; the PKCS12 is then imported
# into the Java keystore (PKCS12 password and keystore password, the same value here)
openssl pkcs12 -inkey server.key -in server.crt -name jetty -export -out /opt/zimbra/ssl/jetty.pkcs12 -passout pass:${mailboxd_keystore_password} > ${tmpfile} 2>&1
/opt/zimbra/java/bin/java ${java_options} -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore ${mailboxd_keystore_password} ${mailboxd_keystore_password}
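The CA symlink, the jetty.pkcs12 check and the keystore generation steps above, run end to end on throwaway material as an added example (shell with openssl) that is not part of the original cheat sheet or of Zimbra: it creates a test CA and a server certificate signed by it, installs the CA under the hash-named symlink, verifies the server certificate through that symlink, then packs key and certificate into a PKCS12 with the "jetty" alias and inspects it without dumping the private key. All names, the CN values, the export password "changeit" and the temp directory are assumptions; the real Zimbra files and the mailboxd_keystore_password are not touched.

```shell
#!/bin/sh
# Added example (not from the cheat sheet, not Zimbra's code): a throwaway CA,
# a server cert signed by it, the hash-named CA symlink, a verify run that
# depends on that symlink, and a PKCS12 with the "jetty" alias inspected the
# way the page does. Names, paths and the export password are assumptions;
# everything is created in a temp directory and removed on exit.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Self-signed CA, standing in for /opt/zimbra/conf/ca/ca.pem
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. Server key and CSR (the page's "commercial.csr"), then sign it with the CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out server.crt 2>/dev/null

# 3. The cheat sheet's symlink: -CApath lookups are by <subject hash>.<n>
ln -s ca.crt "$(openssl x509 -hash -noout -in ca.crt).0"

ca_symlink_ok() {
    # -hash and -subject_hash are the same value on OpenSSL >= 1.0.0
    [ -e "$(openssl x509 -subject_hash -noout -in ca.crt).0" ]
}

verify_against_capath() {
    # Prints "server.crt: OK" only if the chain builds through the symlinked CA
    openssl verify -CApath . server.crt 2>/dev/null | tail -n 1
}

# 4. PKCS12 with the alias Zimbra's keystore import expects
export_pkcs12() {
    openssl pkcs12 -export -inkey server.key -in server.crt -name jetty \
        -out jetty.pkcs12 -passout pass:changeit
}

pkcs12_alias() {
    # -nokeys: bag attributes and certificate only, no private key on the terminal
    openssl pkcs12 -info -in jetty.pkcs12 -nokeys -passin pass:changeit 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

export_pkcs12
echo "CA symlink -> $(readlink "$(openssl x509 -hash -noout -in ca.crt).0")"
verify_against_capath
echo "pkcs12 alias: $(pkcs12_alias)"
```

Remove the symlink and rerun the verify to see the failure mode the page's symlink step prevents: openssl verify reports "unable to get local issuer certificate" as soon as the hash-named file is missing, even though ca.crt is still in the directory.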