ShanxT-SSL-CheatSheet


Check the pem file

openssl x509 -text -in /opt/zimbra/conf/ca/ca.pem -noout


Check CSR

openssl req -text -in commercial.csr


Check certs being displayed by server

openssl s_client -connect mail.example.com:443 -showcerts

This is useful to check if the certificate being displayed is different from the one on Zimbra.


SSL SMTP auth

Convert the username and the password to base64 (AUTH LOGIN sends each one base64-encoded):

echo -n 'testzimbra' | openssl base64  

Use openssl s_client to connect:

openssl s_client -starttls smtp -connect webmail.example.com:25 -crlf -ign_eof
CONNECTED(00000003)
ehlo example.com
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
--output snipped. We'll see the SSL certificate and other details here--
250 DSN
250-webmail.example.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdHppbWJyYQ==  #This is the base-64 encoded username
334 UGFzc3dvcmQ6
VGVzdEBaaW00NTY=  #This is the base-64 encoded password
235 2.7.0 Authentication successful
mail from: user@example.com
250 2.1.0 Ok
rcpt to: shanx@example.com

Checking the certificates here is particularly useful for confirming that we are indeed getting the certificates deployed by Zimbra. Some firewalls, such as Fortigate and Cyberoam, present their own certificates instead, and this has caused multiple problems.
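The same check, scripted: the snippet below is an added example (not part of the original cheat sheet and not Zimbra's own tooling). It base64-encodes a credential the way the AUTH LOGIN exchange above expects, opens an SMTP session with STARTTLS, takes the certificate the server actually presents, and compares its SHA-256 fingerprint with the fingerprint of the local PEM. Certificate verification is deliberately switched off for the fetch so that a substituted firewall certificate is still returned and reported rather than hidden behind a handshake error. The host name, port and the PEM text are assumptions; substitute the real server and the PEM deployed on Zimbra.

```python
import base64
import hashlib
import smtplib
import ssl

# Assumed values; replace with the real host and the PEM deployed on Zimbra.
SMTP_HOST = "webmail.example.com"
SMTP_PORT = 25


def auth_login_token(value: str) -> str:
    """Base64 a username or password the way the AUTH LOGIN dialogue expects.

    Equivalent to: echo -n 'value' | openssl base64
    """
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block found in PEM text.

    Lines outside the BEGIN/END markers (subject= lines, comments) are ignored.
    """
    body = []
    inside = False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
            continue
        if line == "-----END CERTIFICATE-----":
            break
        if inside and line:
            body.append(line)
    if not body:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return base64.b64decode("".join(body))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, the layout
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_starttls_cert(host: str, port: int = 25, timeout: float = 10.0) -> bytes:
    """EHLO, STARTTLS, and return the DER certificate the peer presented.

    Verification is disabled on purpose: the point is to see what the path
    to the server hands us, even if a middlebox swapped the certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()
        return smtp.sock.getpeercert(binary_form=True)


def server_matches_local(host: str, local_pem: str, port: int = 25) -> bool:
    """True when the certificate presented on the wire is byte-for-byte the
    certificate in local_pem; False means something else is answering TLS
    (a firewall doing interception, a stale deployment, the wrong host)."""
    expected = sha256_fingerprint(pem_to_der(local_pem))
    presented = sha256_fingerprint(fetch_starttls_cert(host, port))
    print(f"expected  {expected}")
    print(f"presented {presented}")
    return expected == presented


if __name__ == "__main__":
    # Usage: read the PEM Zimbra serves (e.g. /opt/zimbra/ssl/zimbra/server/server.crt)
    # and compare it with what SMTP on the chosen host presents after STARTTLS.
    with open("server.crt") as fh:  # assumed path, replace as needed
        ok = server_matches_local(SMTP_HOST, open("server.crt").read(), SMTP_PORT) if fh else False
    print("certificate on the wire matches local PEM" if ok else "MISMATCH: inspect the path to the server")
```

A mismatch printed by this script is the scripted equivalent of seeing an unexpected issuer in the `openssl s_client -showcerts` output: it tells you the TLS endpoint you reached is not serving the certificate you deployed, which is exactly the firewall-substitution case described above.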

Create the CA symlink

OpenSSL looks CA certificates up in a directory by the hash of their subject name, so the symlink must be named hash.0:

ln -s ca.crt `openssl x509 -hash -noout -in ca.crt`.0

Note that the hash algorithm changed in OpenSSL 1.0.0; a link created with an old openssl binary will not be found by a newer one (and vice versa), so create the link with the same openssl that will read it.


Check cert in keystore

/opt/zimbra/java/bin/keytool -list -v -keystore /opt/zimbra/mailboxd/etc/keystore

The password to enter is the value of the local config key mailboxd_keystore_password.


Check cert in jetty.pkcs12

openssl pkcs12 -info -in /opt/zimbra/ssl/zimbra/jetty.pkcs12


Generating keystore

Only use this if you know what you're doing. It is rarely required; redeploying or recreating the certificates is usually enough.

openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
openssl pkcs12 -inkey server.key -in server.crt -name jetty -export -out /opt/zimbra/ssl/jetty.pkcs12  -passout pass:${mailboxd_keystore_password} > ${tmpfile} 2>&1
/opt/zimbra/java/bin/java ${java_options} -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl//jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore ${mailboxd_keystore_password} ${mailboxd_keystore_password}

${mailboxd_keystore_password}, ${tmpfile} and ${java_options} are shell variables that must be set before running these lines; the last two commands are taken from Zimbra's own certificate-deployment script, where they are already set. The key and certificate must belong to each other, otherwise the PKCS12 export fails.