ShanxT-SSL-CheatSheet: Difference between revisions
Latest revision as of 06:20, 23 September 2014
Check the pem file
openssl x509 -text -in /opt/zimbra/conf/ca/ca.pem -noout
Check CSR
openssl req -text -in commercial.csr
Check certs being displayed by server
openssl s_client -connect mail.example.com:443 -showcerts
This is useful to check whether the certificate the server presents differs from the one installed on Zimbra.
SSL SMTP auth
Convert the username and password to base64:
echo -n 'testzimbra' | openssl base64
Use openssl s_client to connect:
openssl s_client -starttls smtp -connect webmail.example.com:25 -crlf -ign_eof
CONNECTED(00000003)
ehlo example.com
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
--output snipped. We'll see the SSL certificate and other details here--
250 DSN
250-webmail.example.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdHppbWJyYQ==  # This is the base-64 encoded username
334 UGFzc3dvcmQ6
VGVzdEBaaW00NTY=  # This is the base-64 encoded password
235 2.7.0 Authentication successful
mail from: user@example.com
250 2.1.0 Ok
rcpt to: shanx@example.com
Inspecting the certificate chain here is particularly useful to confirm that clients are actually receiving the certificates deployed on Zimbra. Some firewalls, such as Fortigate and Cyberoam, present their own certificates instead, and this has caused multiple problems.
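The same check as a script, added here as an example and not part of the original cheat sheet: it fetches the leaf certificate the MTA presents after STARTTLS and compares its SHA-256 fingerprint with the certificate deployed on disk, so a firewall substituting its own certificate shows up as a mismatch. The host name, the path to the deployed certificate and the stand-in PEM bytes are assumptions.

```python
"""Compare the certificate a server presents over STARTTLS with the one
deployed on disk (Python stdlib only; assumed host name and cert path)."""
import base64
import hashlib
import smtplib
import ssl

# Constructed stand-in for the deployed PEM certificate (NOT a real cert):
# the helpers below only hash the DER payload, so any bytes work for the demo.
CONSTRUCTED_DER = b"constructed-der-bytes-for-demo"
DEPLOYED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                + base64.encodebytes(CONSTRUCTED_DER)
                + b"-----END CERTIFICATE-----\n")

def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armour and base64-decode the first certificate block."""
    lines = pem.splitlines()
    start = lines.index(b"-----BEGIN CERTIFICATE-----") + 1
    end = lines.index(b"-----END CERTIFICATE-----", start)
    return base64.b64decode(b"".join(lines[start:end]))

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, same layout as openssl x509 -fingerprint -sha256."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def presented_matches_deployed(presented_der: bytes, deployed_pem: bytes) -> bool:
    """True only when the server hands out exactly the certificate deployed on disk."""
    return sha256_fingerprint(presented_der) == sha256_fingerprint(pem_to_der(deployed_pem))

def fetch_smtp_starttls_cert(host: str, port: int = 25) -> bytes:
    """Return the DER leaf certificate the MTA presents after STARTTLS.
    Verification is disabled on purpose: an interposed firewall certificate
    would otherwise abort the handshake before we get to look at it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Assumed host and certificate path; run on the Zimbra host as the zimbra user.
    with open("/opt/zimbra/ssl/zimbra/commercial/commercial.crt", "rb") as f:
        deployed = f.read()
    presented = fetch_smtp_starttls_cert("webmail.example.com")
    print("presented:", sha256_fingerprint(presented))
    print("deployed: ", sha256_fingerprint(pem_to_der(deployed)))
    print("match" if presented_matches_deployed(presented, deployed)
          else "MISMATCH: a device between client and Zimbra presents another certificate")
```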
Create the CA symlink
ln -s ca.crt `openssl x509 -hash -noout -in ca.crt`.0
Check cert in keystore
/opt/zimbra/java/bin/keytool -list -v -keystore /opt/zimbra/mailboxd/etc/keystore
The keystore password is the value of mailboxd_keystore_password from the Zimbra local config.
Check cert in jetty.pkcs12
openssl pkcs12 -info -in /opt/zimbra/ssl/zimbra/jetty.pkcs12
Generating keystore
Only use this if you know what you are doing. It is rarely required; redeploying or recreating the certificates is normally enough.
openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
openssl pkcs12 -inkey server.key -in server.crt -name jetty -export -out /opt/zimbra/ssl/jetty.pkcs12 -passout pass:${mailboxd_keystore_password} > ${tmpfile} 2>&1
/opt/zimbra/java/bin/java ${java_options} -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl//jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore ${mailboxd_keystore_password} ${mailboxd_keystore_password}