CaCert wildcard certificate setup in your Zimbra mail server
create an CaCert account and domain in https://www.cacert.org
create a server certificate for a wild-card domain in Zimbra (as root) :
mkdir -p /data/Cerificaten/CaCert cd /data/Cerificaten/CaCert /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 "/CN=*.breedveld.net/C=NL/O=Breedveld/OU=Breedveld" -subjectAltNames mail.breedveld.net cat /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.csr
(change the domain in your domain)
On the CaCert site, if you didn't do that already, register yourself and your domain.
For renew certificates, from here
create or renew on the CaCert site a new server certificate, with the above generated cert.
cut-and-paste the received certificate from the CaCert site in commercial.crt and place it in the right zimbra dir:
cp commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
retreive the CaCert root certs:
wget https://www.cacert.org/certs/root.crt --no-check-certificate wget https://www.cacert.org/certs/class3.crt --no-check-certificate
Activating the certificates in Zimbra:
cat root.crt class3.crt > ca_chain.crt /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ca_chain.crt
Check the certificates:
Configure apache as ssl-proxy for Zimbra with the same certificate
place the commercial.crt (see above) in:
change your virtual-host settings in apache:
<VirtualHost *:443> DocumentRoot "/var/www/html/breedveld.net" ServerName mailserver.breedveld.net ProxyRequests Off <Proxy *> Order allow,deny Allow from all </Proxy> SSLProxyEngine On SSLProxyCACertificateFile /etc/pki/tls/certs/commercial.crt ProxyPass / https://mailserver.breedveld.net:443/ ProxyPassReverse / https://mailserver.breedveld.net:443/ </VirtualHost>
Using the same Zimbra wild-card certificate on your apache server
Copy the Zimbra certificate files commercial.crt commercial.key and class3.crt
from your zimbra server: /opt/zimbra/ssl/zimbra/commercial
to your apache server: /etc/pki/tls/certs/
Copy the above created concatenated chainfile ca_chain.crt also there
Your Apache ssl.conf (or httpd.conf) should contain the following rows:
SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/pki/tls/certs/commercial.crt SSLCertificateKeyFile /etc/pki/tls/certs/commercial.key SSLCertificateChainFile /etc/pki/tls/certs/ca_chain.crt SSLCACertificateFile /etc/pki/tls/certs/class3.crt
Don't forget to restart or reload Apache
Installing CaCert certificates in Ubuntu and Firefox
While Ubuntu and Mozilla don't deliver their product out of the box with the CaCert root certificate (shame them), you need to install them yourself:
sudo apt-get install ca-certificates
After this activate it in firefox:
Installing CaCert certificates in Google Chromium browser
Google Chrome uses Mozilla's NSS for the certificates, you need the certutil tool to manage it:
sudo apt-get install libnss3-tools sudo apt-get install curl
import the root certs for Chrome:
curl -k -o "cacert-root.crt" "http://www.cacert.org/certs/root.crt" curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt" certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
Import CaCert root CA in single user Internet Explorer
Open this link in your browser http://www.cacert.org/index.php?id=17 click yes (3 screens) to add this certificate. during this action, check the bar above in your browser, it is possible that you should allow active-x access for this site once.
Import into Microsoft Windows for multiple users
If you have more than one account on your computer you don't want to install the CAcert Root Certificate for every single user. Therefore you can manually import the CAcert Root Certificates into the Local Machine Store. This procedure works only for Microsoft programs (e.g. Internet Explorer and Outlook), so you will also need to import the certificate into non-Microsoft browsers and e-mail programs.
Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3 Download the 'Root Certificate' and the 'Intermediate Certificate' (choose either DER or PEM Format - it doesn't matter) Log in as an Administrator Click the windows Start button and choose Run Type MMC, then hit Enter From the new window open the File menu and choose Add/Remove Snap-in... Click the Add Button choose the certificates item from the listbox and click the Add Button choose the Computer Account radio button and click the Next Button choose the Local Computer radio button and click the Finish Button click the Close Button click the Ok Button expand the tree to view Trusted Root Certification Authorities node right click on the Trusted Root Certification Authorities find the All Tasks menu item then choose Import off that menu and click Next type in, or browse to the class 1 Root certificate you previously downloaded and click Next verify that the radio box labeled Place all certificates in the following store is checked and that text box says Trusted Root Certification Authorities click Next and then Finish. You should get a message saying the import was successful. right click on the Intermediate Certification Authorities find the All Tasks menu item then choose Import off that menu and click Next type in, or browse to the class 3 Intermediate certificate you previously downloaded and click Next verify that the radio box labeled Place all certificates in the following store is checked and that text box says Intermediate Certification Authorities click Next and then Finish. You should get a message saying the import was successful.