CaCert Certificate

From wiki.breedveld.net
Revision as of 10:10, 9 December 2013 by Roland (Talk | contribs)

Jump to: navigation, search

CaCert wildcard certificate setup in your Zimbra mail server

create an CaCert account and domain in https://www.cacert.org

create a server certificate for a wild-card domain in Zimbra (as root) :

mkdir -p /data/Cerificaten/CaCert
cd /data/Cerificaten/CaCert
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/CN=*.breedveld.net/C=NL/O=Breedveld/OU=Breedveld" -subjectAltNames mail.breedveld.net
cat /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.csr

(change the domain in your domain)

On the CaCert site, if you didn't do that already, register yourself and your domain.

For renew certificates, from here
create or renew on the CaCert site a new server certificate, with the above generated cert.

cut-and-paste the received certificate from the CaCert site in commercial.crt and place it in the right zimbra dir:

cp commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt

retreive the CaCert root certs:

wget https://www.cacert.org/certs/root.crt  --no-check-certificate
wget https://www.cacert.org/certs/class3.crt  --no-check-certificate

Activating the certificates in Zimbra:

cat root.crt class3.crt > ca_chain.crt
/opt/zimbra/bin/zmcertmgr verifycrt comm
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ca_chain.crt

Check the certificates:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Restart Zimbra

/etc/init.d/zimbra restart

Configure apache as ssl-proxy for Zimbra with the same certificate
place the commercial.crt (see above) in:
/etc/pki/tls/certs/commercial.crt
change your virtual-host settings in apache:

<VirtualHost *:443>
   DocumentRoot "/var/www/html/breedveld.net"
   ServerName mailserver.breedveld.net
   ProxyRequests Off
   <Proxy *>
     Order allow,deny
     Allow from all
   </Proxy>
   SSLProxyEngine On
   SSLProxyCACertificateFile /etc/pki/tls/certs/commercial.crt
   ProxyPass / https://mailserver.breedveld.net:443/
   ProxyPassReverse / https://mailserver.breedveld.net:443/
</VirtualHost>

Using the same Zimbra wild-card certificate on your apache server
Copy the Zimbra certificate files commercial.crt commercial.key and class3.crt
from your zimbra server: /opt/zimbra/ssl/zimbra/commercial
to your apache server: /etc/pki/tls/certs/
Copy the above created concatenated chainfile ca_chain.crt also there

Your Apache ssl.conf (or httpd.conf) should contain the following rows:

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/commercial.crt
SSLCertificateKeyFile /etc/pki/tls/certs/commercial.key
SSLCertificateChainFile /etc/pki/tls/certs/ca_chain.crt
SSLCACertificateFile /etc/pki/tls/certs/class3.crt

Don't forget to restart or reload Apache

Installing CaCert certificates in Ubuntu and Firefox
While Ubuntu and Mozilla don't deliver their product out of the box with the CaCert root certificate (shame them), you need to install them yourself:

sudo apt-get install ca-certificates

After this activate it in firefox:

firefox /usr/share/ca-certificates/cacert.org/*.crt

Installing CaCert certificates in Google Chromium browser
Google Chrome uses Mozilla's NSS for the certificates, you need the certutil tool to manage it:

sudo apt-get install libnss3-tools
sudo apt-get install curl

import the root certs for Chrome:

curl -k -o "cacert-root.crt"   "http://www.cacert.org/certs/root.crt"
curl -k -o "cacert-class3.crt" "http://www.cacert.org/certs/class3.crt"
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i cacert-root.crt 
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org Class 3" -i cacert-class3.crt

Import CaCert root CA in single user Internet Explorer

Open this link in your browser
http://www.cacert.org/index.php?id=17
click yes (3 screens) to add this certificate.
during this action, check the bar above in your browser, it is possible that you should allow active-x access for this site once.

Import into Microsoft Windows for multiple users
If you have more than one account on your computer you don't want to install the CAcert Root Certificate for every single user. Therefore you can manually import the CAcert Root Certificates into the Local Machine Store. This procedure works only for Microsoft programs (e.g. Internet Explorer and Outlook), so you will also need to import the certificate into non-Microsoft browsers and e-mail programs.

Go to the CAcert Root Certificate website: http://www.cacert.org/index.php?id=3 
Download the 'Root Certificate' and the 'Intermediate Certificate' (choose either DER or PEM Format - it doesn't matter) 
Log in as an Administrator 
Click the windows Start button and choose Run 
Type MMC, then hit Enter 
From the new window open the File menu and choose Add/Remove Snap-in... 
Click the Add Button 
choose the certificates item from the listbox and click the Add Button 
choose the Computer Account radio button and click the Next Button 
choose the Local Computer radio button and click the Finish Button 
click the Close Button 
click the Ok Button 
expand the tree to view Trusted Root Certification Authorities node 
right click on the Trusted Root Certification Authorities 
find the All Tasks menu item then choose Import off that menu and click Next 
type in, or browse to the class 1 Root certificate you previously downloaded and click Next 
verify that the radio box labeled Place all certificates in the following store is checked and that  text box says Trusted Root Certification Authorities 
click Next and then Finish. You should get a message saying the import was successful. 
right click on the Intermediate Certification Authorities 
find the All Tasks menu item then choose Import off that menu and click Next 
type in, or browse to the class 3 Intermediate certificate you previously downloaded and click Next 
verify that the radio box labeled Place all certificates in the following store is checked and that  text box says Intermediate Certification Authorities 
click Next and then Finish. You should get a message saying the import was successful.