CaCert Certificate
Revision as of 12:38, 5 February 2010
CaCert wildcard certificate setup in Zimbra
Create a CaCert account and register your domain at https://www.cacert.org
Create a wildcard server certificate request (CSR) in Zimbra (as root):
 mkdir -p /data/Cerificaten/CaCert
 cd /data/Cerificaten/CaCert
 /opt/zimbra/bin/zmcertmgr createcsr comm -new "/CN=*.breedveld.net/C=NL/O=Breedveld/OU=Breedveld" -subjectAltNames mailserver.breedveld.net
 cat /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.csr
(replace the domain with your own)
On the CaCert site, create a server certificate from the CSR generated above.
Save the received certificate as commercial.crt and copy it to the right Zimbra directory:
 cp commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
Retrieve the CaCert root certificates:
 wget https://www.cacert.org/certs/root.crt --no-check-certificate
 wget https://www.cacert.org/certs/class3.crt --no-check-certificate
Activate the certificates in Zimbra:
 cat root.crt class3.crt > ca_chain.crt
 /opt/zimbra/bin/zmcertmgr verifycrt comm
 /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ca_chain.crt
Check the deployed certificates:
 /opt/zimbra/bin/zmcertmgr viewdeployedcrt
Restart Zimbra:
 /etc/init.d/zimbra restart
Configure apache as ssl-proxy for Zimbra
Place the commercial.crt (see above) in:
 /etc/pki/tls/certs/commercial.crt
Change your virtual-host settings in Apache:
 <VirtualHost *:443>
     DocumentRoot "/var/www/html/breedveld.net"
     ServerName mailserver.breedveld.net
     ProxyRequests Off
     <Proxy *>
         Order allow,deny
         Allow from all
     </Proxy>
     SSLProxyEngine On
     SSLProxyCACertificateFile /etc/pki/tls/certs/commercial.crt
     ProxyPass / https://mailserver.breedveld.net:443/
     ProxyPassReverse / https://mailserver.breedveld.net:443/
 </VirtualHost>
Using the Zimbra wild-card certificate on your apache server
Copy the Zimbra certificate files commercial.crt, commercial.key and class3.crt
from your Zimbra server: /opt/zimbra/ssl/zimbra/commercial
to your Apache server: /etc/pki/tls/certs/
Also copy the concatenated chain file ca_chain.crt created above to the same directory.
Your Apache ssl.conf (or httpd.conf) should contain the following lines:
 SSLEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 SSLCertificateFile /etc/pki/tls/certs/commercial.crt
 SSLCertificateKeyFile /etc/pki/tls/certs/commercial.key
 SSLCertificateChainFile /etc/pki/tls/certs/ca_chain.crt
 SSLCACertificateFile /etc/pki/tls/certs/class3.crt
Don't forget to restart or reload Apache
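As an added example (not part of this wiki page or of Zimbra), the following Python script evaluates the SSLProtocol and SSLCipherSuite strings from the ssl.conf fragment above and reports the settings a current deployment would change; it models mod_ssl's token syntax in a simplified way (assumption: "all" stands for every SSL/TLS version, so the protocol list is approximate for old Apache builds) and the sample fragment is constructed from the lines on this page.

```python
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-string components that select weak, export-grade or anonymous cipher classes.
WEAK_CIPHER_CLASSES = {"LOW", "MEDIUM", "RC4", "EXPORT", "ADH", "aNULL", "eNULL", "DES", "3DES", "MD5"}

# Constructed sample: the mod_ssl directives this page recommends for the Apache server.
PAGE_SSL_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/commercial.crt
SSLCertificateKeyFile /etc/pki/tls/certs/commercial.key
SSLCertificateChainFile /etc/pki/tls/certs/ca_chain.crt
"""

def parse_directives(text):
    """Map directive name -> argument string; a later occurrence overrides an earlier one."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    return directives

def enabled_protocols(spec):
    """Evaluate SSLProtocol tokens ('all', 'X', '+X', '-X') left to right into the enabled set."""
    enabled = set()
    for tok in spec.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled

def weak_cipher_selectors(spec):
    """Return SSLCipherSuite tokens that add a weak class; '!'-tokens only remove ciphers."""
    return [tok for tok in spec.split(":")
            if not tok.startswith("!") and set(tok.lstrip("+-").split("+")) & WEAK_CIPHER_CLASSES]

def audit_ssl_conf(text):
    """Return human-readable findings for the fragment; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []
    legacy = enabled_protocols(d.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    findings += ["weak cipher selector: " + tok for tok in weak_cipher_selectors(d.get("SSLCipherSuite", "ALL"))]
    if "SSLCertificateChainFile" not in d:
        findings.append("no SSLCertificateChainFile: clients must already trust the issuing CA directly")
    return findings
```

Run `audit_ssl_conf(PAGE_SSL_CONF)` to see the page's fragment flagged for SSLv3/TLSv1 and for the RC4, MEDIUM and LOW selectors; a fragment such as `SSLProtocol -all +TLSv1.2 +TLSv1.3` with `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES` returns no findings.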