Difference between revisions of "CaCert Certificate"
Revision as of 07:59, 19 April 2010
CaCert wildcard certificate setup in your Zimbra mail server
create a CaCert account and register your domain at https://www.cacert.org
create a wildcard server cert in Zimbra (as root):
mkdir -p /data/Cerificaten/CaCert
cd /data/Cerificaten/CaCert
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/CN=*.breedveld.net/C=NL/O=Breedveld/OU=Breedveld" -subjectAltNames mailserver.breedveld.net
cat /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.csr
(replace the domain with your own)
create a server certificate on the CaCert site using the CSR generated above.
put the certificate you receive in commercial.crt and copy it to the right Zimbra dir:
cp commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
retrieve the CaCert root certs:
wget https://www.cacert.org/certs/root.crt --no-check-certificate
wget https://www.cacert.org/certs/class3.crt --no-check-certificate
Activating the certificates in Zimbra:
cat root.crt class3.crt > ca_chain.crt
/opt/zimbra/bin/zmcertmgr verifycrt comm
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ca_chain.crt
Check the certificates:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
Restart Zimbra
/etc/init.d/zimbra restart
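The chain file built above matters because the CAcert root alone does not let a client (or zmcertmgr verifycrt) reach the Class 3 intermediate that actually signed commercial.crt. The script below is an added example, not part of the original wiki page or of Zimbra: it builds a throw-away root, Class 3-style intermediate and wildcard leaf offline with the openssl command line tool (assumed installed), using the constructed domain example.test instead of breedveld.net, and then verifies the leaf the way a TLS client would, against the concatenated ca_chain.crt and for the hostname the mail server answers to.

```shell
#!/bin/sh
# Added example (not from the original page): verify a deployed wildcard
# certificate against the root+intermediate chain file and for a hostname.
set -eu

# make_test_pki DIR: create a constructed three-tier PKI under DIR, mirroring
# the page's file names: root.crt (stands in for CAcert root.crt), class3.crt
# (the intermediate), commercial.crt (wildcard leaf for *.example.test) and
# ca_chain.crt (root + class3 concatenated, as in the Zimbra steps).
make_test_pki() {
    d=$1
    # Self-signed root; openssl req -x509 marks it CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null

    # Intermediate signed by the root, explicitly marked as a CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Class 3" \
        -keyout "$d/class3.key" -out "$d/class3.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/class3.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/class3.crt" 2>/dev/null

    # Wildcard leaf signed by the intermediate, with the SAN the page also sets
    # (wildcard plus the concrete mail server name).
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test,DNS:mailserver.example.test\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/commercial.csr" -CA "$d/class3.crt" -CAkey "$d/class3.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/commercial.crt" 2>/dev/null

    # Same concatenation the Zimbra section uses before deploycrt.
    cat "$d/root.crt" "$d/class3.crt" > "$d/ca_chain.crt"
}

# verify_deployed CHAIN HOST LEAF: exit 0 only if LEAF chains to a self-signed
# root found in CHAIN and is valid for HOST (wildcard and SAN rules included).
verify_deployed() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# Stand-alone demonstration on the constructed PKI.
WORK=$(mktemp -d)
make_test_pki "$WORK"
if verify_deployed "$WORK/ca_chain.crt" mailserver.example.test "$WORK/commercial.crt"; then
    echo "commercial.crt verifies against ca_chain.crt for mailserver.example.test"
fi
if ! verify_deployed "$WORK/root.crt" mailserver.example.test "$WORK/commercial.crt"; then
    echo "root.crt alone is not enough: class3.crt must be in the chain file"
fi
if ! verify_deployed "$WORK/ca_chain.crt" example.test "$WORK/commercial.crt"; then
    echo "*.example.test does not cover the bare domain example.test"
fi
```

On the real server the same check is `openssl verify -CAfile ca_chain.crt -verify_hostname mailserver.breedveld.net commercial.crt`; a failure with only root.crt as -CAfile is the symptom you see when the intermediate was left out of the chain file.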
Configure apache as ssl-proxy for Zimbra with the same certificate
place the commercial.crt (see above) in:
/etc/pki/tls/certs/commercial.crt
change your virtual-host settings in apache:
<VirtualHost *:443>
    DocumentRoot "/var/www/html/breedveld.net"
    ServerName mailserver.breedveld.net
    ProxyRequests Off
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    SSLProxyEngine On
    SSLProxyCACertificateFile /etc/pki/tls/certs/commercial.crt
    ProxyPass / https://mailserver.breedveld.net:443/
    ProxyPassReverse / https://mailserver.breedveld.net:443/
</VirtualHost>
Using the same Zimbra wild-card certificate on your apache server
Copy the Zimbra certificate files commercial.crt, commercial.key and class3.crt
from your Zimbra server: /opt/zimbra/ssl/zimbra/commercial
to your Apache server: /etc/pki/tls/certs/
Copy the concatenated chain file ca_chain.crt created above to the same directory.
Your Apache ssl.conf (or httpd.conf) should contain the following lines:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/commercial.crt
SSLCertificateKeyFile /etc/pki/tls/certs/commercial.key
SSLCertificateChainFile /etc/pki/tls/certs/ca_chain.crt
SSLCACertificateFile /etc/pki/tls/certs/class3.crt
Don't forget to restart or reload Apache.
Installing CaCert certificates in Ubuntu and Firefox
Since Ubuntu and Mozilla don't ship their products with the CaCert root certificate out of the box (shame on them), you need to install it yourself:
sudo apt-get install ca-certificates
After this, activate it in Firefox:
firefox /usr/share/ca-certificates/cacert.org/*.crt
Installing CaCert certificates in Google Chromium browser
sudo apt-get install libnss3-tools
sudo apt-get install curl
curl -k -o "cacert-root.crt" "http://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt
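Both the wget --no-check-certificate and curl -k downloads above have the same trust-bootstrapping problem: the file that is about to become a trust anchor is fetched without any verification, so whatever arrived is what gets imported. The usual defence is to compare the downloaded certificate's fingerprint with the value CAcert publishes through a channel you already trust before running certutil. The script below is an added example, not part of the original page or of NSS: it assumes the openssl command line tool, mirrors the page's certutil invocation (same -t TC trust flags and sql:$HOME/.pki/nssdb store), and exercises the check on a constructed self-signed certificate generated offline, so no fingerprint of the real CAcert root is hard-coded here.

```shell
#!/bin/sh
# Added example (not from the original page): pin a downloaded root
# certificate's SHA-256 fingerprint before importing it into the Chromium
# NSS store, so an unverified fetch cannot silently hand you a substituted root.
set -eu

# cert_sha256_fingerprint CERT: print the SHA-256 fingerprint of a PEM
# certificate as 64 upper-case hex digits without colons.
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed -e 's/^.*=//' -e 's/://g'
}

# cert_fingerprint_matches CERT EXPECTED: exit 0 when the certificate's
# fingerprint equals EXPECTED. EXPECTED may be given with or without colons
# and in either case, as it is usually copied from a web page or a printout.
cert_fingerprint_matches() {
    actual=$(cert_sha256_fingerprint "$1")
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}

# import_pinned_ca CERT EXPECTED NICKNAME [DB]: run the page's certutil import
# only after the pin check passes. DB defaults to Chromium's per-user store.
import_pinned_ca() {
    cert=$1; expected=$2; nick=$3; db=${4:-sql:$HOME/.pki/nssdb}
    if ! cert_fingerprint_matches "$cert" "$expected"; then
        echo "fingerprint mismatch for $cert, refusing to import" >&2
        return 1
    fi
    certutil -d "$db" -A -t TC -n "$nick" -i "$cert"
}

# Stand-alone demonstration on a constructed certificate (no download, no
# import): a throw-away self-signed root stands in for cacert-root.crt.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# In real use PIN is the value published out of band, not computed from the download.
PIN=$(cert_sha256_fingerprint "$WORK/root.crt")
if cert_fingerprint_matches "$WORK/root.crt" "$PIN"; then
    echo "pin matches: $PIN"
fi
if ! cert_fingerprint_matches "$WORK/root.crt" "$(printf '%064d' 0)"; then
    echo "certificate with a different fingerprint is rejected"
fi
```

For the real import you would call `import_pinned_ca cacert-root.crt "<fingerprint published by CAcert>" "CAcert.org"`; the fingerprint itself is deliberately not included here, because a value copied into the same page you downloaded the certificate from proves nothing.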