CaCert Certificate

From wiki.breedveld.net
Revision as of 12:38, 5 February 2010 by Roland (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

CaCert wildcard certificate setup in Zimbra

create an CaCert account and domain in https://www.cacert.org

create an wildcard server cert in Zimbra (as root) : 

mkdir -p /data/Cerificaten/CaCert
cd /data/Cerificaten/CaCert
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/CN=*.breedveld.net/C=NL/O=Breedveld/OU=Breedveld" -subjectAltNames mailserver.breedveld.net
cat /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.csr

(change the domain in your domain)

create on the CaCert site a server sertificate, with the above generated cert.
put the received key in commercial.crt and place it in the right zimbra dir: 

cp commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt

retreive the CaCert root certs: 

wget https://www.cacert.org/certs/root.crt  --no-check-certificate
wget https://www.cacert.org/certs/class3.crt  --no-check-certificate

Activating the certificates in Zimbra: 

cat root.crt class3.crt > ca_chain.crt
/opt/zimbra/bin/zmcertmgr verifycrt comm
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ca_chain.crt

Check the certificates: 

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Restart Zimbra 

/etc/init.d/zimbra restart

Configure apache as ssl-proxy for Zimbra
place the commercial.crt (see above) in:
/etc/pki/tls/certs/commercial.crt
change your virtual-host settings in apache: 

<VirtualHost *:443>
   DocumentRoot "/var/www/html/breedveld.net"
   ServerName mailserver.breedveld.net
   ProxyRequests Off
   <Proxy *>
     Order allow,deny
     Allow from all
   </Proxy>
   SSLProxyEngine On
   SSLProxyCACertificateFile /etc/pki/tls/certs/commercial.crt
   ProxyPass / https://mailserver.breedveld.net:443/
   ProxyPassReverse / https://mailserver.breedveld.net:443/
</VirtualHost>

Using the Zimbra wild-card certificate on your apache server
Copy the Zimbra certificate files commercial.crt commercial.key and class3.crt
from your zimbra server: /opt/zimbra/ssl/zimbra/commercial
to your apache server: /etc/pki/tls/certs/
Copy the above created concatenated chainfile ca_chain.crt also there

Your Apache ssl.conf (or httpd.conf) should contain the following rows: 

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/commercial.crt
SSLCertificateKeyFile /etc/pki/tls/certs/commercial.key
SSLCertificateChainFile /etc/pki/tls/certs/ca_chain.crt
SSLCACertificateFile /etc/pki/tls/certs/class3.crt


Don't forget to restart or reload Apache

Retrieved from "https://wiki.breedveld.net/index.php?title=CaCert_Certificate&oldid=6699"