ShanxT-SSL-CheatSheet
Check the pem file
openssl x509 -text -in /opt/zimbra/conf/ca/ca.pem -noout
Check CSR
openssl req -text -in commercial.csr
Check certs being displayed by server
openssl s_client -connect mail.example.com:443 -showcerts
This is useful to check if the certificate being displayed is different from the one on Zimbra.
SSL SMTP auth
Convert the username and password to base64:
echo -n 'testzimbra' | openssl base64
Use openssl s_client to connect:
openssl s_client -starttls smtp -connect webmail.example.com:25 -crlf -ign_eof
CONNECTED(00000003)
ehlo example.com
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
--output snipped. We'll see the SSL certificate and other details here--
250 DSN
250-webmail.example.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdHppbWJyYQ==        #This is the base-64 encoded username
334 UGFzc3dvcmQ6
VGVzdEBaaW00NTY=        #This is the base-64 encoded password
235 2.7.0 Authentication successful
mail from: user@example.com
250 2.1.0 Ok
rcpt to: shanx@example.com
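The AUTH LOGIN exchange above, worked through offline as an added example (not part of the original cheat sheet): it encodes the client replies the way `echo -n | openssl base64` does, decodes the server's 334 challenges, and pulls the advertised mechanisms out of a constructed copy of the EHLO reply so you can check that PLAIN/LOGIN are only ever offered once STARTTLS is in place. Function names and the sample text are assumptions for illustration.

```python
import base64
import re

# Constructed sample: the post-STARTTLS EHLO reply shown in the cheat sheet.
SAMPLE_EHLO = """250-webmail.example.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Mechanisms that send the credential itself (only base64-wrapped) over the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def b64(text: str) -> str:
    """Same result as: echo -n 'text' | openssl base64 (no trailing newline)."""
    return base64.b64encode(text.encode()).decode()


def decode_challenge(line: str) -> str:
    """Turn a '334 <base64>' server challenge into its readable prompt."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError(f"not an AUTH challenge: {line!r}")
    return base64.b64decode(payload).decode()


def auth_login_responses(user: str, password: str) -> list[str]:
    """Client lines sent after 'AUTH LOGIN', answering Username: then Password:."""
    return [b64(user), b64(password)]


def auth_mechanisms(ehlo_reply: str) -> set[str]:
    """Collect mechanisms from both '250-AUTH ...' and '250-AUTH=...' lines."""
    mechs: set[str] = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)$", line.strip())
        if m:
            mechs.update(m.group(1).split())
    return mechs


def plaintext_auth_offered(ehlo_reply: str, tls_active: bool) -> set[str]:
    """Plaintext mechanisms the server would accept on an unencrypted session.
    Run this on the EHLO reply captured *before* STARTTLS; a non-empty result
    means credentials can be submitted in the clear."""
    return set() if tls_active else auth_mechanisms(ehlo_reply) & PLAINTEXT_MECHS
```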
Check cert in keystore
/opt/zimbra/java/bin/keytool -list -v -keystore /opt/zimbra/mailboxd/etc/keystore
The password is the value of mailboxd_keystore_password.
Generating keystore
Only use this if you know what you're doing. This is usually never required, and redeploying/recreating certs is enough.
openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
openssl pkcs12 -inkey server.key -in server.crt -name jetty -export -out /opt/zimbra/ssl/jetty.pkcs12 -passout pass:${mailboxd_keystore_password} > ${tmpfile} 2>&1
/opt/zimbra/java/bin/java ${java_options} -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl//jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore ${mailboxd_keystore_password} ${mailboxd_keystore_password}