Difference between revisions of "CaCert Certificate"

From wiki.breedveld.net
Revision as of 11:05, 1 April 2010

CaCert wildcard certificate setup in your Zimbra mail server

create a CaCert account and domain at https://www.cacert.org

create a wildcard server cert in Zimbra (as root):

mkdir -p /data/Cerificaten/CaCert
cd /data/Cerificaten/CaCert
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/CN=*.breedveld.net/C=NL/O=Breedveld/OU=Breedveld" -subjectAltNames mailserver.breedveld.net
cat /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.csr

(replace the domain with your own domain)

create a server certificate on the CaCert site from the CSR generated above.
put the received certificate in commercial.crt and place it in the right Zimbra dir:

cp commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt

retrieve the CaCert root certs:

wget https://www.cacert.org/certs/root.crt  --no-check-certificate
wget https://www.cacert.org/certs/class3.crt  --no-check-certificate

Activating the certificates in Zimbra:

cat root.crt class3.crt > ca_chain.crt
/opt/zimbra/bin/zmcertmgr verifycrt comm
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ca_chain.crt

Check the certificates:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Restart Zimbra

/etc/init.d/zimbra restart

Configure Apache as an SSL proxy for Zimbra with the same certificate
place the commercial.crt (see above) in:
/etc/pki/tls/certs/commercial.crt
change your virtual-host settings in Apache:

<VirtualHost *:443>
   DocumentRoot "/var/www/html/breedveld.net"
   ServerName mailserver.breedveld.net
   ProxyRequests Off
   <Proxy *>
     Order allow,deny
     Allow from all
   </Proxy>
   SSLProxyEngine On
   SSLProxyCACertificateFile /etc/pki/tls/certs/commercial.crt
   ProxyPass / https://mailserver.breedveld.net:443/
   ProxyPassReverse / https://mailserver.breedveld.net:443/
</VirtualHost>

Using the same Zimbra wildcard certificate on your Apache server
Copy the Zimbra certificate files commercial.crt, commercial.key and class3.crt
from your Zimbra server: /opt/zimbra/ssl/zimbra/commercial
to your Apache server: /etc/pki/tls/certs/
Also copy the concatenated chain file ca_chain.crt created above to the same directory.

Your Apache ssl.conf (or httpd.conf) should contain the following lines:

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/commercial.crt
SSLCertificateKeyFile /etc/pki/tls/certs/commercial.key
SSLCertificateChainFile /etc/pki/tls/certs/ca_chain.crt
SSLCACertificateFile /etc/pki/tls/certs/class3.crt


Don't forget to restart or reload Apache
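The zmcertmgr verifycrt step in the Zimbra section and the mod_ssl directives above both depend on the same three files agreeing with each other: the server certificate, its private key and the concatenated chain file. The script below is an added example, not part of this wiki page and not code from Zimbra or Apache; the script name and the function names (check_cert_chain, chain_fingerprints, make_test_pki) are my own, and it assumes only the openssl command-line tool is installed. It checks that the chain file verifies the server certificate for the mail server's hostname (wildcard names included), that the key file belongs to the certificate, and that the first certificate in the chain file is the issuer of the server certificate, which is the order mod_ssl expects for SSLCertificateChainFile. With no arguments it builds a small constructed test PKI (not real CAcert material) and runs the checks against it.

```shell
#!/bin/sh
# check_deployed_cert.sh (added example, not from the wiki page or from
# Zimbra/Apache): check that a server certificate, its private key and the
# concatenated CA chain file agree, as zmcertmgr and mod_ssl will use them.
# Needs only the openssl command-line tool.

# check_cert_chain CERT KEY CHAIN HOSTNAME
# Prints one line per check; returns 0 only if every check passes.
check_cert_chain() {
    cert=$1; key=$2; chain=$3; host=$4
    status=0

    # 1. The chain must verify the leaf, and the leaf must be valid for the
    #    name clients use (a wildcard *.example covers mail.example).
    if openssl verify -CAfile "$chain" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo "ok   $chain verifies $cert for $host"
    else
        echo "FAIL $chain does not verify $cert for $host"; status=1
    fi

    # 2. The key must belong to the certificate: compare the two public keys.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   $key matches $cert"
    else
        echo "FAIL $key does not match $cert"; status=1
    fi

    # 3. mod_ssl sends SSLCertificateChainFile in file order and expects the
    #    leaf's issuer first, so the first certificate's subject must equal
    #    the leaf's issuer.
    first=$(awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$chain")
    first_subject=$(printf '%s\n' "$first" | openssl x509 -noout -subject 2>/dev/null | sed 's/^subject=//')
    leaf_issuer=$(openssl x509 -noout -issuer -in "$cert" 2>/dev/null | sed 's/^issuer=//')
    if [ -n "$leaf_issuer" ] && [ "$first_subject" = "$leaf_issuer" ]; then
        echo "ok   first certificate in $chain is the issuer of $cert"
    else
        echo "FAIL first certificate in $chain is not the issuer of $cert ($leaf_issuer)"; status=1
    fi
    return $status
}

# chain_fingerprints CHAIN
# SHA-256 fingerprint of each certificate in CHAIN, for comparison with the
# values the CA publishes through an independent channel.
chain_fingerprints() {
    chain=$1
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain")
    i=1
    while [ "$i" -le "$count" ]; do
        awk -v want="$i" '/-----BEGIN CERTIFICATE-----/ { n++ } n == want' "$chain" \
            | openssl x509 -noout -fingerprint -sha256
        i=$((i + 1))
    done
}

# make_test_pki DIR
# Constructed test data (not real CAcert material): two self-signed test CAs
# and a wildcard server certificate issued by the first of them.
make_test_pki() {
    dir=$1
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > "$dir/ca.cnf"
    for ca in a b; do
        openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Test CA $ca" -keyout "$dir/ca_$ca.key" -out "$dir/ca_$ca.crt" >/dev/null 2>&1
    done
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=*.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'subjectAltName = DNS:*.example.test,DNS:mail.example.test\n' > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca_a.crt" -CAkey "$dir/ca_a.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/server.crt" >/dev/null 2>&1
    cp "$dir/ca_a.crt" "$dir/chain_ok.crt"                       # issuer first: correct order
    cat "$dir/ca_b.crt" "$dir/ca_a.crt" > "$dir/chain_wrong.crt"  # verifies, but wrong order
}

# Usage: sh check_deployed_cert.sh CERT KEY CHAIN HOSTNAME
# With no arguments, build the constructed test PKI and check it.
if [ "$#" -eq 4 ]; then
    check_cert_chain "$1" "$2" "$3" "$4"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    make_test_pki "$demo"
    check_cert_chain "$demo/server.crt" "$demo/server.key" "$demo/chain_ok.crt" mail.example.test
    check_cert_chain "$demo/server.crt" "$demo/server.key" "$demo/chain_wrong.crt" mail.example.test
    rm -rf "$demo"
fi
```

On the Apache host run it as sh check_deployed_cert.sh /etc/pki/tls/certs/commercial.crt /etc/pki/tls/certs/commercial.key /etc/pki/tls/certs/ca_chain.crt mailserver.breedveld.net (on the Zimbra host use the /opt/zimbra/ssl/zimbra/commercial paths). If the third check fails on ca_chain.crt, rebuild the file with the certificate it names as issuer first: mod_ssl sends SSLCertificateChainFile in file order and expects the server certificate's issuer first and the root last. None of this ties the chain to the real CAcert, since the root certificates were downloaded with --no-check-certificate; compare the output of chain_fingerprints with fingerprints obtained through an independent channel before deploying.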

Installing CaCert certificates in Ubuntu and Firefox
Since Ubuntu and Mozilla don't ship their products with the CaCert root certificate out of the box (shame on them), you need to install it yourself:

sudo apt-get install ca-certificates

After this, activate it in Firefox:

firefox /usr/share/ca-certificates/cacert.org/*.crt