https://wiki.zimbra.com/api.php?action=feedcontributions&user=Scott+Nelson+Windels&feedformat=atomZimbra :: Tech Center - User contributions [en]2024-03-28T19:22:35ZUser contributionsMediaWiki 1.39.0https://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS&diff=19519Postfix PCI Compliance in ZCS2010-04-19T22:10:33Z<p>Scott Nelson Windels: </p>
<hr />
<div>{{Article Infobox|{{admin}}||{{ZCS 5.0}}|}}===Reconfigure the Postfix SSL/TLS settings===<br />
<br />
1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to roll back or refer to it after an upgrade.<br />
<br />
2. Log in as root in the command line utility. Switch to the zimbra user account.<br />
<br />
su - zimbra<br />
<br />
3. Type the following commands:<br />
<br />
postconf -e smtpd_tls_ciphers=medium<br />
postconf -e smtpd_tls_protocols=\!SSLv2<br />
postconf -e smtpd_tls_mandatory_ciphers=high<br />
postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
The SSL/TLS settings are now reconfigured. The changes will take effect immediately.<br />
<br />
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.<br />
<br />
zmlocalconfig -e smtpd_tls_ciphers=medium<br />
zmlocalconfig -e smtpd_tls_protocols=\!SSLv2<br />
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high<br />
zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
Reference - http://www.postfix.org/TLS_README.html<br />
<br />
5. Use 'zmmtactl restart' to restart postfix.<br />
<br />
<br />
This was originally written for ZCS 5.0.19 and has since been updated and tested on ZCS 6.0.4, using the Qualys PCI scanning tool as the reference for passing the PCI network scan.<br />
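As an added check (example code, not from this wiki page and not a Zimbra tool): a small POSIX shell audit that reads the `key = value` text that `postconf -n` prints and flags any of the four settings above that is still at a weak value, so the result of step 3 (or a later upgrade that silently reverted it) can be verified rather than assumed. The two inputs embedded in the script are constructed samples, not captured from a real server; on a live MTA you would feed it the output of `postconf -n` run as the zimbra user.<br />

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: audit Postfix smtpd TLS
# settings against the values the procedure above sets. Input is the
# "key = value" text that `postconf -n` prints. Both samples below are
# constructed for the demo, not captured from a real server.

# Constructed: a server still on defaults, before the four postconf -e calls.
SAMPLE_BEFORE='smtpd_tls_ciphers = export
smtpd_tls_protocols =
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers ='

# Constructed: the same server after the four settings have been applied.
SAMPLE_AFTER='smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5'

# pf_get DUMP KEY -> prints the value of KEY in DUMP (empty if unset).
pf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *//p"
}

# audit_tls DUMP -> prints one FINDING line per weak setting; exit 0 if clean.
audit_tls() {
    dump=$1
    rc=0

    # Opportunistic TLS: medium or high grade, never the export/low grades.
    ciphers=$(pf_get "$dump" smtpd_tls_ciphers)
    case "$ciphers" in
        medium|high) ;;
        *) echo "FINDING smtpd_tls_ciphers=$ciphers (want medium or high)"; rc=1 ;;
    esac

    # SSLv2 must be excluded explicitly.
    protos=$(pf_get "$dump" smtpd_tls_protocols)
    case "$protos" in
        *'!SSLv2'*) ;;
        *) echo "FINDING smtpd_tls_protocols='$protos' does not exclude SSLv2"; rc=1 ;;
    esac

    # Mandatory TLS (where it is enforced) must use the high grade.
    mand=$(pf_get "$dump" smtpd_tls_mandatory_ciphers)
    [ "$mand" = high ] || { echo "FINDING smtpd_tls_mandatory_ciphers=$mand (want high)"; rc=1; }

    # Anonymous (aNULL) and MD5-based suites must be on the exclude list.
    excl=$(pf_get "$dump" smtpd_tls_exclude_ciphers)
    for weak in aNULL MD5; do
        case "$excl" in
            *"$weak"*) ;;
            *) echo "FINDING $weak missing from smtpd_tls_exclude_ciphers"; rc=1 ;;
        esac
    done
    return $rc
}

# count_findings DUMP -> number of FINDING lines (0 when the config is clean).
count_findings() {
    audit_tls "$1" | grep -c '^FINDING' || true
}

# Stand-alone run: audit both samples. On a real server replace the sample
# with "$(postconf -n)" executed as the zimbra user.
echo "before hardening: $(count_findings "$SAMPLE_BEFORE") finding(s)"
echo "after hardening:  $(count_findings "$SAMPLE_AFTER") finding(s)"
```

The audit is deliberately strict about `smtpd_tls_exclude_ciphers`: an empty value is a finding even though Postfix accepts it, because the whole point of step 3 is that aNULL and MD5 suites are named there explicitly.<br />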
<br />
{{Article Footer|unknown|11/30/2009}}<br />
<br />
[[Category: SSL/TLS]]<br />
[[Category: ZCS 5.0]]<br />
[[Category: ZCS 6.0]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS&diff=19518Postfix PCI Compliance in ZCS2010-04-19T22:08:11Z<p>Scott Nelson Windels: </p>
<hr />
<div>{{Article Infobox|{{admin}}||{{ZCS 5.0}}|}}===Reconfigure the Postfix SSL/TLS settings===<br />
<br />
1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to roll back or refer to it after an upgrade.<br />
<br />
2. Log in as root in the command line utility. Switch to the zimbra user account.<br />
<br />
su - zimbra<br />
<br />
3. Type the following commands:<br />
<br />
postconf -e smtpd_tls_ciphers=medium<br />
postconf -e smtpd_tls_protocols=\!SSLv2<br />
postconf -e smtpd_tls_mandatory_ciphers=high<br />
postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
The SSL/TLS settings are now reconfigured. The changes will take effect immediately.<br />
<br />
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.<br />
<br />
zmlocalconfig -e smtpd_tls_ciphers=medium<br />
zmlocalconfig -e smtpd_tls_protocols=\!SSLv2<br />
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high<br />
zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
Reference - http://www.postfix.org/TLS_README.html<br />
<br />
5. Use 'zmmtactl restart' to restart postfix.<br />
<br />
<br />
{{Article Footer|unknown|11/30/2009}}<br />
<br />
[[Category: SSL/TLS]]<br />
[[Category: ZCS 5.0]]<br />
[[Category: ZCS 6.0]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=PCI_Compliance_in_Zimbra_5.0.x&diff=19517PCI Compliance in Zimbra 5.0.x2010-04-19T22:04:18Z<p>Scott Nelson Windels: moved PCI Compliance in Zimbra 5.0.x to Postfix PCI Compliance in ZCS:&#32;This can apply to both ZCS 5.0.x and 6.0.x.</p>
<hr />
<div>#REDIRECT [[Postfix PCI Compliance in ZCS]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS&diff=19516Postfix PCI Compliance in ZCS2010-04-19T22:04:18Z<p>Scott Nelson Windels: moved PCI Compliance in Zimbra 5.0.x to Postfix PCI Compliance in ZCS:&#32;This can apply to both ZCS 5.0.x and 6.0.x.</p>
<hr />
<div>{{Article Infobox|{{admin}}||{{ZCS 5.0}}|}}===Reconfigure the Postfix SSL/TLS settings===<br />
<br />
1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to roll back or refer to it after an upgrade.<br />
<br />
2. Log in as root in the command line utility. Switch to the zimbra user account.<br />
<br />
su - zimbra<br />
<br />
3. Type the following commands:<br />
<br />
postconf -e smtpd_tls_ciphers=medium<br />
postconf -e smtpd_tls_protocols=\!SSLv2<br />
postconf -e smtpd_tls_mandatory_ciphers=high<br />
postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
The SSL/TLS settings are now reconfigured. The changes will take effect immediately.<br />
<br />
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.<br />
<br />
zmlocalconfig -e smtpd_tls_ciphers=medium<br />
zmlocalconfig -e smtpd_tls_protocols=\!SSLv2<br />
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high<br />
zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
Reference - http://www.postfix.org/TLS_README.html<br />
<br />
5. Use 'zmmtactl restart' to restart postfix.<br />
<br />
<br />
{{Article Footer|unknown|11/30/2009}}<br />
<br />
[[Category: SSL/TLS]]<br />
[[Category: ZCS 5.0]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS&diff=19414Postfix PCI Compliance in ZCS2010-04-16T00:07:27Z<p>Scott Nelson Windels: </p>
<hr />
<div>{{Article Infobox|{{admin}}||{{ZCS 5.0}}|}}===Reconfigure the Postfix SSL/TLS settings===<br />
<br />
1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to roll back or refer to it after an upgrade.<br />
<br />
2. Log in as root in the command line utility. Switch to the zimbra user account.<br />
<br />
su - zimbra<br />
<br />
3. Type the following commands:<br />
<br />
postconf -e smtpd_tls_ciphers=medium<br />
postconf -e smtpd_tls_protocols=\!SSLv2<br />
postconf -e smtpd_tls_mandatory_ciphers=high<br />
postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
The SSL/TLS settings are now reconfigured. The changes will take effect immediately.<br />
<br />
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.<br />
<br />
zmlocalconfig -e smtpd_tls_ciphers=medium<br />
zmlocalconfig -e smtpd_tls_protocols=\!SSLv2<br />
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high<br />
zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
Reference - http://www.postfix.org/TLS_README.html<br />
<br />
5. Use 'zmmtactl restart' to restart postfix.<br />
<br />
<br />
{{Article Footer|unknown|11/30/2009}}<br />
<br />
[[Category: SSL/TLS]]<br />
[[Category: ZCS 5.0]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS&diff=15621Postfix PCI Compliance in ZCS2009-12-01T19:43:01Z<p>Scott Nelson Windels: </p>
<hr />
<div>===Reconfigure the Postfix SSL/TLS settings===<br />
<br />
1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to roll back or refer to it after an upgrade.<br />
<br />
2. Log in as root in the command line utility. Switch to the zimbra user account.<br />
<br />
su - zimbra<br />
<br />
3. Type the following commands:<br />
<br />
postconf -e smtpd_tls_mandatory_protocols="SSLv3, TLSv1"<br />
postconf -e smtpd_tls_mandatory_ciphers="high"<br />
postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
The SSL/TLS settings are now reconfigured. The changes will take effect immediately.<br />
<br />
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.<br />
<br />
zmlocalconfig -e smtpd_tls_mandatory_protocols="SSLv3, TLSv1"<br />
zmlocalconfig -e smtpd_tls_mandatory_ciphers="high"<br />
zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5"<br />
<br />
Reference - http://www.postfix.org/TLS_README.html<br />
<br />
<br />
<br />
{{Article Footer|unknown|11/30/2009}}<br />
<br />
[[Category: SSL/TLS]]<br />
[[Category: ZCS 5.0]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS&diff=15610Postfix PCI Compliance in ZCS2009-12-01T00:01:40Z<p>Scott Nelson Windels: adding first entry for postfix</p>
<hr />
<div><br />
=Working towards PCI Compliance for Zimbra 5.0.x=<br />
<br />
===Reconfigure the Postfix SSL/TLS settings===<br />
<br />
1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to roll back or refer to it after an upgrade.<br />
<br />
2. Log in as root in the command line utility. Switch to the zimbra user account.<br />
<br />
su - zimbra<br />
<br />
3. Type the following commands:<br />
<br />
postconf -e smtpd_tls_mandatory_protocols="SSLv3, TLSv1"<br />
postconf -e smtpd_tls_mandatory_ciphers="medium, high"<br />
<br />
The SSL/TLS settings are now reconfigured. The changes will take effect immediately.<br />
<br />
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.<br />
<br />
zmlocalconfig -e smtpd_tls_mandatory_protocols="SSLv3, TLSv1"<br />
zmlocalconfig -e smtpd_tls_mandatory_ciphers="medium, high"</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=Technical_Help&diff=15609Technical Help2009-12-01T00:01:22Z<p>Scott Nelson Windels: </p>
<hr />
<div>Technical Help articles<br />
<br />
*[[Server Start|Servers not starting]]<br />
<br />
*[[Mail Routing Issues]]<br />
<br />
*[[Resetting LDAP & MySQL Passwords]]<br />
<br />
*[[Admin Password Reset]]<br />
<br />
*[[Moble Device Setup]]<br />
<br />
*[[Mail Queue Monitoring]]<br />
<br />
*[[Mail getting stuck in Queues]]<br />
<br />
*[[Tuning Postfix Queue Settings]]<br />
<br />
*[[Zimbra Web Client Keyboard Shortcuts]]<br />
<br />
*[[BlackBerry_Cradle_Sync_Instructions]]<br />
<br />
*[[Send_Receive_fax_ZCS_Hylafax]]<br />
<br />
*[[Identifying An Unresponsive Mail Delivery Service|Unresponsive Mail Delivery Service]]<br />
<br />
*[[User Migration Troubleshooting]]<br />
<br />
*[[Creating a Core Dump from a Running Process using WinDbg]]<br />
<br />
*[[Open Source Mobile Calendar and Contact Synchronization]]<br />
<br />
*[[Server Monitoring]]<br />
*[[Troubleshooting SalesForce Zimlet]]<br />
<br />
*[[How to move mail from one user's folder to another, or to send it for external delivery]]<br />
<br />
*[[Free Busy Interop for Exchange]]<br />
<br />
*[[Desktop Sync Failures caused by message size mismatch]]<br />
<br />
*[[PCI Compliance in Zimbra 5.0.x]]<br />
<br />
[[Category:Troubleshooting]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=Installing_a_GeoTrust_Commercial_Certificate&diff=15587Installing a GeoTrust Commercial Certificate2009-11-30T19:09:42Z<p>Scott Nelson Windels: Added brief howto for upgrading a geotrust cert</p>
<hr />
<div>__FORCETOC__<br />
<br />
=Installing a GeoTrust Commercial Certificate on ZCS 5.0.x=<br />
<br />
<br />
*As Root:<br />
<br />
'''1. move all the files in /opt/zimbra/ssl/zimbra/commercial'''<br />
<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
tar -czvf /tmp/ssl.commercial.tar.gz *<br />
rm -rf *<br />
<br />
'''2. generate a new csr , please edit this line for your company details'''<br />
<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"<br />
<br />
'''3. get it signed'''<br />
<br />
Place SSL order and paste in the contents of commercial.csr<br />
Put the certificate into commercial.crt using cat or vi<br />
<br />
'''4. put your CA in place ( For GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard http://www.geocerts.com/support/roots.php )'''<br />
<br />
wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer<br />
mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt<br />
<br />
<br />
'''5. verify that the cert and key match'''<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt<br />
<br />
should return<br />
<br />
** Verifying commercial.crt against commercial.key<br />
Certificate (commercial.crt) and private key (commercial.key) match.<br />
Valid Certificate: commercial.crt: OK<br />
<br />
'''6. deploy the cert'''<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt<br />
<br />
QUESTION: When performing this command it stops until the user presses CTRL-D, and then it finishes. It seems to be expecting one more parameter (ca_chain_file). I don't think all implementations would require this parameter (we don't) so not sure why the zmcertmgr is waiting for that final parameter or the CTRL-D. Put different instructions here?<br />
<br />
'''7. restart the webserver'''<br />
<br />
su - zimbra<br />
zmmailboxdctl restart<br />
<br />
'''8. restart the proxy (for IMAP/POP)'''<br />
<br />
su - zimbra<br />
zmproxyctl restart<br />
<br />
*It's also very handy to have a copy of the comments for zmcertmgr around in a side window.<br />
<br />
<br />
<br />
==Upgrading a GeoTrust Commercial Certificate on ZCS 5.0.x==<br />
<br />
*Commands are run as root or sudo user:<br />
<br />
'''1. Create a backup of files in /opt/zimbra/ssl/zimbra/commercial'''<br />
<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
tar -czvf /tmp/ssl.commercial.backup.tar.gz *<br />
<br />
'''2. Create your new set of files (to test if they are valid), note I had to download a new CA file as listed below'''<br />
<br />
mkdir /tmp/renewalcert<br />
cd /tmp/renewalcert<br />
cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/renewalcert<br />
wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer<br />
mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt<br />
vi /tmp/renewalcert/tmp.crt [paste your new cert here]<br />
openssl x509 -in tmp.crt -out new.crt -text<br />
cat new.crt commercial_ca.crt > commercial.crt<br />
<br />
'''3. Verify that cert, key and CA file match'''<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/renewalcert/commercial.key /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt<br />
<br />
should return<br />
<br />
** Verifying /tmp/renewalcert/commercial.crt against /tmp/renewalcert/commercial.key<br />
Certificate (/tmp/renewalcert/commercial.crt) and private key (/tmp/renewalcert/commercial.key) match.<br />
Valid Certificate: /tmp/renewalcert/commercial.crt: OK<br />
<br />
<br />
'''4. Deploy the renewal cert'''<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt<br />
<br />
should return<br />
<br />
** Verifying /tmp/renewalcert/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/renewalcert/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/renewalcert/commercial.crt: OK<br />
** Copying /tmp/renewalcert/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
** Appending ca chain /tmp/renewalcert/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
** Saving server config key zimbraSSLCertificate...done.<br />
** Saving server config key zimbraSSLPrivateKey...done.<br />
** Installing mta certificate and key...done.<br />
** Installing slapd certificate and key...done.<br />
** Installing proxy certificate and key...done.<br />
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.<br />
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.<br />
** Installing CA to /opt/zimbra/conf/ca...done.<br />
<br />
<br />
'''5. Restart zimbra'''<br />
<br />
su - zimbra<br />
zmcontrol stop; zmcontrol start;<br />
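The verify steps above (step 5 of the install section and step 3 of the upgrade section) rely on `zmcertmgr verifycrt`. The following is an added example, not from this wiki page and not Zimbra's own code, that performs the same two checks directly with openssl so a renewal bundle can be tested on any host before `deploycrt` touches /opt/zimbra: does the certificate's public key belong to the private key (RSA modulus comparison), and does the certificate validate against the CA file. `make_demo_pki` builds a throwaway CA, a leaf signed by it and an unrelated key in a temporary directory; all of that material, the `mail.example.test` name and the file names are constructed for the demo.<br />

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki page: the two checks behind
# "zmcertmgr verifycrt" done directly with openssl. make_demo_pki creates
# constructed test material in a temp directory; nothing touches /opt/zimbra.

# cert_key_match CRT KEY -> exit 0 when CRT's public key belongs to KEY.
# Compares the RSA modulus on both sides; exit 2 if either file is unreadable.
cert_key_match() {
    crt_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ "$crt_mod" = "$key_mod" ]
}

# chain_verifies CRT CAFILE -> exit 0 when CRT validates against CAFILE.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_pki DIR -> constructed CA (ca.crt/ca.key), a leaf signed by it
# (commercial.crt/commercial.key, named as in the procedure) and other.key,
# a key unrelated to the certificate. Carries its own minimal openssl config
# so it does not depend on the system openssl.cnf.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -config "$dir/demo.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/CN=Demo Root CA (constructed)" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 30 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/demo.cnf" -extensions ca_ext \
        -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -config "$dir/demo.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/commercial.key" -out "$dir/commercial.csr" \
        -subj "/CN=mail.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 30 -in "$dir/commercial.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/commercial.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
}

# check_bundle DIR -> runs both checks on DIR/commercial.{crt,key} and
# DIR/ca.crt, prints a verdict; exit 0 only when both pass.
check_bundle() {
    dir=$1
    if cert_key_match "$dir/commercial.crt" "$dir/commercial.key" &&
       chain_verifies "$dir/commercial.crt" "$dir/ca.crt"; then
        echo "OK: certificate, private key and CA chain agree"
        return 0
    fi
    echo "FAIL: certificate, key or CA chain do not agree; do not deploy"
    return 1
}

# Stand-alone run on the constructed material.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" && check_bundle "$demo_dir"
rm -rf "$demo_dir"
```

For a real renewal, point `cert_key_match` and `chain_verifies` at the files in /tmp/renewalcert instead of the demo directory; `chain_verifies` expects the bare leaf certificate, so run it on new.crt before the `cat new.crt commercial_ca.crt > commercial.crt` step, or against the first certificate of the concatenated file.<br />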
<br />
<br />
<br />
<br />
<br />
=Installing a GeoTrust Commercial Certificate on ZCS 4.5.x=<br />
<br />
These instructions were tested on Zimbra 4.5 using some of the included scripts for certificate handling.<br />
<br />
'''1. ***Backup Your Keystore***'''<br />
sudo -u zimbra cp /opt/zimbra/tomcat/conf/keystore /opt/zimbra/tomcat/conf/keystore.bak<br />
'''2. su zimbra'''<br />
<br />
'''3. Create a new file or a copy of bin/zmcreatecert to make this script''' (personalize the bits between *** to match your settings)<br />
<pre><nowiki><br />
#!/bin/bash<br />
source /opt/zimbra/bin/zmshutil || exit 1<br />
zmsetvars<br />
<br />
CONF=/opt/zimbra/conf<br />
TCONF=/opt/zimbra/tomcat/conf<br />
B=/opt/zimbra/ssl<br />
BASE=${B}/ssl<br />
<br />
JAVA_HOME=${zimbra_java_home}<br />
if [ -f "${JAVA_HOME}/lib/security/cacerts" ]; then<br />
CACERTS=${JAVA_HOME}/lib/security/cacerts<br />
else<br />
CACERTS=${JAVA_HOME}/jre/lib/security/cacerts<br />
fi<br />
<br />
<br />
TOMCAT=/opt/zimbra/tomcat/conf<br />
<br />
rm -rf ${BASE}/newCA<br />
mkdir -p ${BASE}/ca<br />
mkdir -p ${BASE}/newCA/newcerts<br />
touch ${BASE}/newCA/index.txt<br />
mkdir -p ${BASE}/cert<br />
mkdir -p ${BASE}/server<br />
<br />
mkdir -p ${TCONF}<br />
<br />
hostname=***Set this to your full domain name mail.domain.com***<br />
<br />
if [ "x$1" != "x" ]; then<br />
hostname=$1<br />
shift;<br />
fi<br />
<br />
createConf() {<br />
ALTNAMES=""<br />
for alt in $*; do<br />
if [ "x$ALTNAMES" = "x" ]; then<br />
ALTNAMES="subjectAltName = DNS:${hostname},DNS:${alt}"<br />
else<br />
ALTNAMES="${ALTNAMES},DNS:${alt}"<br />
fi<br />
done<br />
cat ${CONF}/zmssl.cnf.in | sed -e "s/@@HOSTNAME@@/$hostname/" \<br />
-e "s/@@ALTNAMES@@/$ALTNAMES/" > ${BASE}/zmssl.cnf<br />
}<br />
<br />
<br />
createKeyStore() {<br />
<br />
echo "** Creating keystore"<br />
echo<br />
<br />
rm -f ${TCONF}/keystore<br />
<br />
keytool -validity 730 -genkey -dname "CN=$hostname, OU=**Set to Your Org Unit***, O=***Set to Your Company***, L=**Set to Your City***, S=***Set to Your State***, C=US" \<br />
-alias tomcat -keyalg RSA -keysize 1024 -keystore ${TCONF}/keystore \<br />
-storetype JKS -storepass zimbra -keypass zimbra<br />
<br />
}<br />
<br />
createCertReq() {<br />
<br />
echo "** Creating server cert request"<br />
echo<br />
<br />
openssl req -new -nodes -out ${BASE}/server/server.csr \<br />
-keyout ${BASE}/server/server.key -newkey rsa:1024 \<br />
-config ${BASE}/zmssl.cnf -batch<br />
<br />
keytool -certreq -keyalg RSA -alias tomcat -file \<br />
${BASE}/server/tomcat.csr -keystore \<br />
${TCONF}/keystore -storepass zimbra<br />
<br />
cp ${BASE}/server/tomcat.csr /tmp/tomcat.csr.$$<br />
cat /tmp/tomcat.csr.$$ | sed -e \<br />
's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' \<br />
> ${BASE}/server/tomcat.csr<br />
<br />
}<br />
<br />
signCertReq() { <br />
echo "** Signing cert request"<br />
echo<br />
<br />
openssl ca -out ${BASE}/server/server.crt -notext \<br />
-config ${BASE}/zmssl.cnf -in ${BASE}/server/server.csr \<br />
-keyfile ${BASE}/ca/ca.key -cert ${BASE}/ca/ca.pem -batch<br />
<br />
cp ${BASE}/server/server.crt ${CONF}/slapd.crt<br />
cp ${BASE}/server/server.key ${CONF}/slapd.key<br />
cp ${BASE}/server/server.crt ${CONF}/perdition.pem<br />
cp ${BASE}/server/server.key ${CONF}/perdition.key<br />
mkdir -p ${CONF}/ca<br />
cp ${BASE}/ca/ca.key ${CONF}/ca/ca.key<br />
cp ${BASE}/ca/ca.pem ${CONF}/ca/ca.pem<br />
}<br />
<br />
createConf $@<br />
<br />
createKeyStore<br />
<br />
createCertReq<br />
<br />
signCertReq<br />
<br />
chmod -R 700 ${B}<br />
</nowiki></pre><br />
'''4. Run this newly created script'''<br />
<br />
Essentially this script will generate and sign a new certificate for slapd and perdition and also generate a signing request for tomcat. The signing request for tomcat will be in /opt/zimbra/ssl/ssl/server/tomcat.csr. Take the contents of the CSR and submit them to your certificate authority (GeoTrust in this case). You will then receive the certificate by email.<br />
<br />
'''5. Take the certificate from the authority and paste it into /opt/zimbra/ssl/ssl/server/tomcat.pem'''<br />
<br />
'''6. Run the command openssl x509 -in tomcat.pem -inform PEM -outform DER -out tomcat.crt'''<br />
<br />
This will convert the certificate into binary DER format which keytool likes.<br />
<br />
You will also need to download the root CA from GeoTrust; it can be found at<br />
www.geotrust.com/resources/root_certificates/index.asp<br />
- for a TrueBusinessID certificate, download the Equifax Secure Certificate Authority file that is in DER encoded X.509 format<br />
- for a QuickSSL certificate, download the Equifax Secure Global eBusiness CA-1 file that is in DER encoded X.509 format<br />
'''7. Put whichever file you needed in /opt/zimbra/ssl/ssl/geotrust.crt'''<br />
<br />
'''8. Run the command as root keytool -import -alias geotrustca -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/geotrust.crt -storepass changeit''' (If this says the chain already exists, don't overwrite the existing one, and skip to the next step)<br />
<br />
'''9. Run the command as root keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit'''<br />
<br />
'''10. Run the command as zimbra keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt -storepass zimbra'''<br />
<br />
'''11. Run the command as zimbra /opt/zimbra/bin/tomcat restart''' (or restart zimbra with zmcontrol stop && zmcontrol start)<br />
<br />
'''12. If all went as planned you should now be able to access https://your.mailsite.com'''<br />
<br />
'''13. If you receive "page cannot be displayed", copy /opt/zimbra/tomcat/conf/keystore.bak to /opt/zimbra/tomcat/conf/keystore and restart tomcat again.'''<br />
<br />
'''14. If you did break tomcat and did not back up the keystore in step 1, it is possible to get up and running again by doing the following.'''<br />
- su zimbra<br />
- /opt/zimbra/bin/zmcreateca<br />
- /opt/zimbra/bin/zmcreatecert<br />
- /opt/zimbra/bin/zmcertinstall<br />
'''15. Test bin/zmprov to make sure it works without giving an untrusted certificate error. If it doesn't, as root run the following''' (when prompted for a password use '''changeit''')<br />
/opt/zimbra/java/bin/keytool -import -alias tomcat -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt<br />
<br />
*Note: All the scripts above were taken directly from the bin/zmcreatecert and bin/zmcertinstall scripts with a little modification.<br />
<br />
<br />
{{Article Footer|ZCS 4.5.x & ZCS 5.0.x|9/19/2008}}<br />
<br />
[[Category:Certificates]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=Installing_a_GeoTrust_Commercial_Certificate&diff=15586Installing a GeoTrust Commercial Certificate2009-11-30T18:44:30Z<p>Scott Nelson Windels: Moved 5.0.x instructions to top of page.</p>
<hr />
<div>__FORCETOC__<br />
<br />
=Installing a GeoTrust Commercial Certificate on ZCS 5.0.x=<br />
<br />
<br />
*As Root:<br />
<br />
'''1. move all the files in /opt/zimbra/ssl/zimbra/commercial'''<br />
<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
tar -czvf /tmp/ssl.commercial.tar.gz *<br />
rm -rf *<br />
<br />
'''2. generate a new csr , please edit this line for your company details'''<br />
<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"<br />
<br />
'''3. get it signed'''<br />
<br />
Place SSL order and paste in the contents of commercial.csr<br />
Put the certificate into commercial.crt using cat or vi<br />
<br />
'''4. put your CA in place ( For GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard http://www.geocerts.com/support/roots.php )'''<br />
<br />
wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer<br />
mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt<br />
<br />
<br />
'''5. verify that the cert and key match'''<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt<br />
<br />
should return<br />
<br />
** Verifying commercial.crt against commercial.key<br />
Certificate (commercial.crt) and private key (commercial.key) match.<br />
Valid Certificate: commercial.crt: OK<br />
<br />
'''6. deploy the cert'''<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt<br />
<br />
QUESTION: When performing this command it stops until the user presses CTRL-D, and then it finishes. It seems to be expecting one more parameter (ca_chain_file). I don't think all implementations would require this parameter (we don't) so not sure why the zmcertmgr is waiting for that final parameter or the CTRL-D. Put different instructions here?<br />
<br />
'''7. restart the webserver'''<br />
<br />
su - zimbra<br />
zmmailboxdctl restart<br />
<br />
'''8. restart the proxy (for IMAP/POP)'''<br />
<br />
su - zimbra<br />
zmproxyctl restart<br />
<br />
*It's also very handy to have a copy of the comments for zmcertmgr around in a side window.<br />
<br />
<br />
=Installing a GeoTrust Commercial Certificate on ZCS 4.5.x=<br />
<br />
These instructions were tested on Zimbra 4.5 using some of the included scripts for certificate handling.<br />
<br />
'''1. ***Backup Your Keystore***'''<br />
sudo -u zimbra cp /opt/zimbra/tomcat/conf/keystore /opt/zimbra/tomcat/conf/keystore.bak<br />
'''2. su zimbra'''<br />
<br />
'''3. Create a new file or a copy of bin/zmcreatecert to make this script''' (personalize the bits between *** to match your settings)<br />
<pre><nowiki><br />
#!/bin/bash<br />
source /opt/zimbra/bin/zmshutil || exit 1<br />
zmsetvars<br />
<br />
CONF=/opt/zimbra/conf<br />
TCONF=/opt/zimbra/tomcat/conf<br />
B=/opt/zimbra/ssl<br />
BASE=${B}/ssl<br />
<br />
JAVA_HOME=${zimbra_java_home}<br />
if [ -f "${JAVA_HOME}/lib/security/cacerts" ]; then<br />
CACERTS=${JAVA_HOME}/lib/security/cacerts<br />
else<br />
CACERTS=${JAVA_HOME}/jre/lib/security/cacerts<br />
fi<br />
<br />
<br />
TOMCAT=/opt/zimbra/tomcat/conf<br />
<br />
rm -rf ${BASE}/newCA<br />
mkdir -p ${BASE}/ca<br />
mkdir -p ${BASE}/newCA/newcerts<br />
touch ${BASE}/newCA/index.txt<br />
mkdir -p ${BASE}/cert<br />
mkdir -p ${BASE}/server<br />
<br />
mkdir -p ${TCONF}<br />
<br />
hostname=***Set this to your full domain name mail.domain.com***<br />
<br />
if [ "x$1" != "x" ]; then<br />
hostname=$1<br />
shift;<br />
fi<br />
<br />
createConf() {<br />
ALTNAMES=""<br />
for alt in $*; do<br />
if [ "x$ALTNAMES" = "x" ]; then<br />
ALTNAMES="subjectAltName = DNS:${hostname},DNS:${alt}"<br />
else<br />
ALTNAMES="${ALTNAMES},DNS:${alt}"<br />
fi<br />
done<br />
cat ${CONF}/zmssl.cnf.in | sed -e "s/@@HOSTNAME@@/$hostname/" \<br />
-e "s/@@ALTNAMES@@/$ALTNAMES/" > ${BASE}/zmssl.cnf<br />
}<br />
<br />
<br />
createKeyStore() {<br />
<br />
echo "** Creating keystore"<br />
echo<br />
<br />
rm -f ${TCONF}/keystore<br />
<br />
keytool -validity 730 -genkey -dname "CN=$hostname, OU=**Set to Your Org Unit***, O=***Set to Your Company***, L=**Set to Your City***, S=***Set to Your State***, C=US" \<br />
-alias tomcat -keyalg RSA -keysize 1024 -keystore ${TCONF}/keystore \<br />
-storetype JKS -storepass zimbra -keypass zimbra<br />
<br />
}<br />
<br />
createCertReq() {<br />
<br />
echo "** Creating server cert request"<br />
echo<br />
<br />
openssl req -new -nodes -out ${BASE}/server/server.csr \<br />
-keyout ${BASE}/server/server.key -newkey rsa:1024 \<br />
-config ${BASE}/zmssl.cnf -batch<br />
<br />
keytool -certreq -keyalg RSA -alias tomcat -file \<br />
${BASE}/server/tomcat.csr -keystore \<br />
${TCONF}/keystore -storepass zimbra<br />
<br />
cp ${BASE}/server/tomcat.csr /tmp/tomcat.csr.$$<br />
cat /tmp/tomcat.csr.$$ | sed -e \<br />
's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' \<br />
> ${BASE}/server/tomcat.csr<br />
<br />
}<br />
<br />
signCertReq() { <br />
echo "** Signing cert request"<br />
echo<br />
<br />
openssl ca -out ${BASE}/server/server.crt -notext \<br />
-config ${BASE}/zmssl.cnf -in ${BASE}/server/server.csr \<br />
-keyfile ${BASE}/ca/ca.key -cert ${BASE}/ca/ca.pem -batch<br />
<br />
cp ${BASE}/server/server.crt ${CONF}/slapd.crt<br />
cp ${BASE}/server/server.key ${CONF}/slapd.key<br />
cp ${BASE}/server/server.crt ${CONF}/perdition.pem<br />
cp ${BASE}/server/server.key ${CONF}/perdition.key<br />
mkdir -p ${CONF}/ca<br />
cp ${BASE}/ca/ca.key ${CONF}/ca/ca.key<br />
cp ${BASE}/ca/ca.pem ${CONF}/ca/ca.pem<br />
}<br />
<br />
createConf $@<br />
<br />
createKeyStore<br />
<br />
createCertReq<br />
<br />
signCertReq<br />
<br />
chmod -R 700 ${B}<br />
</nowiki></pre><br />
'''4. Run this newly created script'''<br />
<br />
Essentially this script will generate and sign a new certificate for slapd and perdition and also generate a signing request for tomcat. The signing request for tomcat will be in /opt/zimbra/ssl/ssl/server/tomcat.csr. Take the contents of the CSR and submit them to your certificate authority (GeoTrust in this case). You will then receive the certificate by email.<br />
<br />
'''5. Take the certificate from the authority and paste it into /opt/zimbra/ssl/ssl/server/tomcat.pem'''<br />
<br />
'''6. Run the command openssl x509 -in tomcat.pem -inform PEM -outform DER -out tomcat.crt'''<br />
<br />
This will convert the certificate into binary DER format which keytool likes.<br />
<br />
You will also need to download the root CA from GeoTrust; it can be found at<br />
www.geotrust.com/resources/root_certificates/index.asp<br />
- for a TrueBusinessID certificate, download the Equifax Secure Certificate Authority file that is in DER encoded X.509 format<br />
- for a QuickSSL certificate, download the Equifax Secure Global eBusiness CA-1 file that is in DER encoded X.509 format<br />
'''7. Put whichever file you needed in /opt/zimbra/ssl/ssl/geotrust.crt'''<br />
<br />
'''8. Run the command as root keytool -import -alias geotrustca -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/geotrust.crt -storepass changeit''' (If this says the chain already exists, don't overwrite the existing one, and skip to the next step)<br />
<br />
'''9. Run the command as root keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit'''<br />
<br />
'''10. Run the command as zimbra keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt -storepass zimbra'''<br />
<br />
'''11. Run the command as zimbra /opt/zimbra/bin/tomcat restart''' (or restart zimbra with zmcontrol stop && zmcontrol start)<br />
<br />
'''12. If all went as planned you should now be able to access https://your.mailsite.com'''<br />
<br />
'''13. If you receive "page cannot be displayed", copy /opt/zimbra/tomcat/conf/keystore.bak to /opt/zimbra/tomcat/conf/keystore and restart tomcat again.'''<br />
<br />
'''14. If you did break tomcat and did not back up the keystore in step 1, it is possible to get up and running again by doing the following.'''<br />
- su zimbra<br />
- /opt/zimbra/bin/zmcreateca<br />
- /opt/zimbra/bin/zmcreatecert<br />
- /opt/zimbra/bin/zmcertinstall<br />
'''15. Test bin/zmprov to make sure it works without giving an untrusted certificate error. If it doesn't, as root run the following''' (when prompted for a password use '''changeit''')<br />
/opt/zimbra/java/bin/keytool -import -alias tomcat -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt<br />
<br />
*Note: All the scripts above were taken directly from the bin/zmcreatecert and bin/zmcertinstall scripts with a little modification.<br />
<br />
<br />
{{Article Footer|ZCS 4.5.x & ZCS 5.0.x|9/19/2008}}<br />
<br />
[[Category:Certificates]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide&diff=155855.x Commercial Certificates Guide2009-11-30T18:42:58Z<p>Scott Nelson Windels: </p>
<hr />
<div>==Administration and CLI Tools==<br />
Zimbra offers both Administration Console and Command Line Interface (CLI) tools for installing, viewing, and managing certificates. For more information about these tools, see [[Administration Console and CLI Certificate Tools]].<br />
<br />
==Third Party Certificate Articles==<br />
The following third party certificates have their own Wiki articles with installation instructions.<br />
<br />
===Comodo SSL===<br />
See [[Installing a Comodo SSL Certificate with zmcertmgr]].<br />
<br />
===GeoTrust Certificate===<br />
See [[Installing_a_GeoTrust_Commercial_Certificate]]<br />
<br />
===GlobalSign Certificate===<br />
See [[Installing a GlobalSign Commercial Certificate]]<br />
<br />
===GoDaddy Certificate===<br />
See [[Installing a GoDaddy Commercial Certificate on ZCS 5.0.x]].<br />
<br />
===IPSCA Certificate===<br />
See [[Installing_a_IPSCA_Commercial_Certificate]]<br />
<br />
===Network Solutions Certificate===<br />
See [[Installing a Network Solutions Certificate on ZCS 5.0.x]].<br />
<br />
===RapidSSL Certificate===<br />
See [[Installing_a_RapidSSL_Commercial_Certificate]]<br />
<br />
===Thawte SSL Certificate (SSL123 format)===<br />
See [[Installing a Thawte SSL Certificate on ZCS 5.0.x]].<br />
<br />
===Verisign===<br />
See [[Installing a Verisign Test Certificate on Zimbra Server]].<br />
<br />
See [[Installing a Verisign Secure Site Certificate]].<br />
<br />
<br />
<br />
==Troubleshooting==<br />
If you are experiencing issues installing, viewing, or managing your certificates, see the [[:Category:Troubleshooting Certificates]] category.<br />
<br />
=Misc=<br />
*Inspect your CSR<br />
openssl req -in <server.csr> -noout -text<br />
<br />
*Inspect your certificate<br />
openssl x509 -in <server.crt> -noout -text<br />
<br />
*Remove the passphrase from the private key (the decrypted key is the secret behind the server's TLS identity: keep it readable only by the zimbra user, e.g. chmod 600, and delete the copy once it is installed)<br />
openssl rsa -in <server.key> -out <server.key.decr><br />
<br />
*Get Jetty keystore password<br />
zmlocalconfig -s -m nokey mailboxd_keystore_password<br />
<br />
*Create a CSR via the CLI<br />
sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]<br />
<br />
*View deployed certificate via the command line<br />
sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
* Convert the cert format from DER to PEM<br />
openssl x509 -in input.cer -inform DER -out output.cer -outform PEM<br />
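<br />
The openssl one-liners above each assume you already know what kind of file you are holding, and commercial CAs hand out .cer and .crt files in either encoding, so "unable to load certificate" from openssl x509 usually means the -inform guess was wrong rather than that the file is bad. The following Python script is an added example, not part of this wiki page or of ZCS, that tells PEM from DER, checks that a DER blob (or the payload of each PEM block) is one complete ASN.1 SEQUENCE, flags private keys that still carry a passphrase, and does the DER-to-PEM wrap without openssl. The DER object and PEM blocks embedded in it are constructed placeholders, not real certificates or keys.<br />

```python
"""Identify what a CA-supplied certificate/key file actually contains.
Added example using only the Python standard library; sample data is constructed."""
import base64
import re
import sys

# One PEM block: label, optional RFC 1421 headers, base64 body.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_outer_length(blob: bytes) -> int:
    """Length in bytes of the outermost DER SEQUENCE, or -1 if the blob does
    not start with a well-formed SEQUENCE header (tag 0x30, definite length)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return -1
    first = blob[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return -1                          # indefinite or absurd length
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def is_der(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE (a cert, CSR or PKCS#8 key);
    a truncated or padded file fails this check."""
    return der_outer_length(blob) == len(blob)


def pem_blocks(data: bytes):
    """Yield (label, decoded_payload, headers) for every PEM block in data."""
    for m in PEM_RE.finditer(data):
        label = m.group(1).decode()
        body = m.group(2)
        headers = {}
        # Legacy encrypted keys put "Proc-Type:" / "DEK-Info:" lines before the base64.
        while b":" in body.split(b"\n", 1)[0]:
            line, _, body = body.partition(b"\n")
            key, _, value = line.decode().partition(":")
            headers[key.strip()] = value.strip()
            body = body.lstrip()
        yield label, base64.b64decode(body, validate=False), headers


def identify(data: bytes) -> list:
    """Classify file contents; one record per object found."""
    if data[:1] == b"\x30":                # looks like a bare DER SEQUENCE
        return [{"encoding": "DER", "label": None, "encrypted": False,
                 "der_ok": is_der(data), "der": data}]
    found = []
    for label, der, headers in pem_blocks(data):
        legacy_enc = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        found.append({
            "encoding": "PEM", "label": label,
            "encrypted": legacy_enc or label == "ENCRYPTED PRIVATE KEY",
            # A legacy encrypted key's payload is raw ciphertext, so no DER check there.
            "der_ok": None if legacy_enc else is_der(der),
            "der": der})
    return found


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Same result as: openssl x509 -in input.cer -inform DER -outform PEM"""
    if not is_der(der):
        raise ValueError("input is not a single DER SEQUENCE; is it already PEM?")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines) + b"\n-----END " + tag + b"-----\n"


# Constructed samples (placeholders, not real certificates or keys):
SAMPLE_DER = bytes.fromhex("3003020105")           # SEQUENCE { INTEGER 5 }
SAMPLE_ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\r\n"
                        b"Proc-Type: 4,ENCRYPTED\r\n"
                        b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\r\n\r\n"
                        b"MAMCAQU=\r\n-----END RSA PRIVATE KEY-----\r\n")

if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            for rec in identify(fh.read()) or [{"encoding": "unknown", "label": None,
                                                "encrypted": False, "der_ok": False}]:
                print(path, rec["encoding"], rec["label"], "encrypted" if rec["encrypted"]
                      else "", "" if rec["der_ok"] is not False else "DER length mismatch")
```

Point it at the files the CA sent (python3 identify.py server.cer chain.crt server.key): a record with encoding DER and der_ok False means a truncated download or a file with trailing bytes, encoding PEM with encrypted True means the "clear the passphrase" step above is still needed, and a DER record is what you pass to the DER-to-PEM conversion.<br />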
<br />
{{Article Footer|Zimbra Collaboration Suite 5.x|1/16/2008}}<br />
<br />
[[Category: Certificates]]<br />
[[Category: ZCS 5.0]]</div>Scott Nelson Windelshttps://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide&diff=155845.x Commercial Certificates Guide2009-11-30T18:42:06Z<p>Scott Nelson Windels: </p>
<hr />
<div>==Administration and CLI Tools==<br />
Zimbra offers both Administration Console and Command Line Interface (CLI) tools for installing, viewing, and managing certificates. For more information about these tools, see [[Administration Console and CLI Certificate Tools]].<br />
<br />
==Third Party Certificate Articles==<br />
The following third party certificates have their own Wiki articles with installation instructions.<br />
<br />
===Comodo SSL===<br />
See [[Installing a Comodo SSL Certificate with zmcertmgr]].<br />
<br />
===GeoTrust Certificate===<br />
See [[Installing_a_GeoTrust_Commercial_Certificate]]<br />
<br />
===GlobalSign Certificate===<br />
See [[Installing a GlobalSign Commercial Certificate]]<br />
<br />
===GoDaddy Certificate===<br />
See [[Installing a GoDaddy Commercial Certificate on ZCS 5.0.x]].<br />
<br />
===Network Solutions Certificate===<br />
See [[Installing a Network Solutions Certificate on ZCS 5.0.x]].<br />
<br />
===Thawte SSL Certificate (SSL123 format)===<br />
See [[Installing a Thawte SSL Certificate on ZCS 5.0.x]].<br />
<br />
===Verisign===<br />
See [[Installing a Verisign Test Certificate on Zimbra Server]].<br />
<br />
See [[Installing a Verisign Secure Site Certificate]].<br />
<br />
===IPSCA Certificate===<br />
See [[Installing_a_IPSCA_Commercial_Certificate]]<br />
<br />
===RapidSSL Certificate===<br />
See [[Installing_a_RapidSSL_Commercial_Certificate]]<br />
<br />
==Troubleshooting==<br />
If you are experiencing issues installing, viewing, or managing your certificates, see the [[:Category:Troubleshooting Certificates]] category.<br />
<br />
=Misc=<br />
*Inspect your CSR<br />
openssl req -in <server.csr> -noout -text<br />
<br />
*Inspect your certificate<br />
openssl x509 -in <server.crt> -noout -text<br />
<br />
*Remove the passphrase from the private key (the decrypted key is the secret behind the server's TLS identity: keep it readable only by the zimbra user, e.g. chmod 600, and delete the copy once it is installed)<br />
openssl rsa -in <server.key> -out <server.key.decr><br />
<br />
*Get Jetty keystore password<br />
zmlocalconfig -s -m nokey mailboxd_keystore_password<br />
<br />
*Create a CSR via the CLI<br />
sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]<br />
<br />
*View deployed certificate via the command line<br />
sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
* Convert the cert format from DER to PEM<br />
openssl x509 -in input.cer -inform DER -out output.cer -outform PEM<br />
<br />
{{Article Footer|Zimbra Collaboration Suite 5.x|1/16/2008}}<br />
<br />
[[Category: Certificates]]<br />
[[Category: ZCS 5.0]]</div>Scott Nelson Windels