[Users] New 8.7.5 Securemail Zimlet

Stefan Sänger stefan.saenger at gr13.net
Thu May 17 10:09:04 CEST 2018


Hi Frederic,

Are you importing only the root certificate or the complete chain 
(without your personal certificate)?


best regards,

Stefan

On 17.05.2018 at 10:06, Frédéric Nass wrote:
> 
> Thanks for all this information Barry. I have root access and I could 
> add certs to the keystore but verification still fails when uploading my 
> personal cert in Zimbra preferences (because the verification against 
> all Comodo certs that I add to the keystore still fails).
> 
> I used "zmcertmgr addcacert /tmp/comodo.crt" that uses keytool to import 
> certificate to the keystore. It must be equivalent to "keytool -import 
> -alias xxxxxxx -keystore 
> /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass 
> changeit -file /tmp/comodo.crt"
> 
> Frédéric.
> 
> 
> ----- On 17 May 18, at 9:33, Barry de Graaff <info at barrydegraaff.tk> wrote:
> 
>     Ahh, AFAIK you do not have to concatenate them.
> 
>     Instead you can add all required intermediates to the store,
>     you need to restart zimbra for the changes to be loaded.
> 
>     I do not use S/MIME so I cannot give the exact example, but
>     for trusting a CA using intermediates I do:
> 
>     wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -O lets.pem
>     /opt/zimbra/common/bin/keytool -import -alias letsenc-ca -keystore /opt/zimbra/common/etc/java/cacerts -storepass changeit -file /root/lets.pem
> 
>     So the trick there is to get the proper .pem from your CA and import
>     that into the keystore.
> 
>     You can also create a new keystore and put that in
>     smime_truststore variable.
> 
>     You write you cannot add a cert to the store, do you not have root
>     access?
> 
> 
>     Kind regards,
> 
>     Barry de Graaff
>     Zeta Alliance
>     Co-founder & Developer
>     zetalliance.org | github.com/Zimbra-Community
> 
>     +31 617 220 227 | skype: barrydegraaff.tk
>     Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
> 
>     ----- Original Message -----
>     From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
>     To: "Barry de Graaff" <info at barrydegraaff.tk>
>     Cc: "users" <users at lists.zetalliance.org>
>     Sent: Thursday, May 17, 2018 9:26:18 AM
>     Subject: Re: [Users] New 8.7.5 Securemail Zimlet
> 
>     Hi Barry,
> 
>     I have no idea.
> 
>     Actually, Zimbra provides a keystore for smime certs validation. But
>     it's empty from any trusty external CA.
> 
>     [zimbra at test-zimbra ~]$ zmlocalconfig | grep -E 'keystore|smime'
>     imapd_keystore = /opt/zimbra/conf/imapd.keystore
>     imapd_keystore_password = *
>     mailboxd_keystore = /opt/zimbra/mailboxd/etc/keystore
>     mailboxd_keystore_base = ${zimbra_home}/conf/keystore.base
>     mailboxd_keystore_base_password = *
>     mailboxd_keystore_password = *
>     smime_truststore = ${mailboxd_truststore}
>     smime_truststore_password = *
> 
>     [zimbra at test-zimbra ~]$ keytool -list -keystore /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit
> 
>     Keystore type: JKS
>     Keystore provider: SUN
> 
>     Your keystore contains 183 entries
> 
>     tmp/rhel7_64/rdjz3bwn1d/eq0xx_t6fv.der, Feb 12, 2016, trustedCertEntry,
>     Certificate fingerprint (SHA1):
>     85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
>     tmp/rhel7_64/rdjz3bwn1d/gpzzm9h5_7.der, Feb 12, 2016, trustedCertEntry,
>     Certificate fingerprint (SHA1):
>     8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
>     tmp/rhel7_64/rdjz3bwn1d/csuq6zjk4u.der, Feb 12, 2016, trustedCertEntry,
>     ...
>     Certificate fingerprint (SHA1):
>     AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
>     my_ca, Mar 21, 2018, trustedCertEntry,
>     ...
>     Certificate fingerprint (SHA1):
>     D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
>     tmp/rhel7_64/rdjz3bwn1d/ja63m4kjkn.der, Feb 12, 2016, trustedCertEntry,
>     Certificate fingerprint (SHA1):
>     48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D
>     tmp/rhel7_64/rdjz3bwn1d/0wpwao5qj3.der, Feb 12, 2016, trustedCertEntry,
>     Certificate fingerprint (SHA1):
>     28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
>     tmp/rhel7_64/rdjz3bwn1d/8afyoy3e6h.der, Feb 12, 2016, trustedCertEntry,
>     etc.
> 
>     But no Comodo, Verisign, etc...
> 
>     I added all the certs from
>     https://support.comodo.com/index.php?/Knowledgebase/List/Index/71 to
>     the keystore. But verification still fails when uploading personal certs.
> 
>     Prabhat Kumar on comment 3 of bugzilla report says "Need to add
>     intermediate as well of the s/mime certificate."
>     Which I did, but still no success.
> 
>     It seems to me that I should first build a cert by concatenating some
>     root and intermediate certs. But which certs in what order I have no
>     idea :-/
> 
>     Regards,
>     Frédéric.
> 
> 
>     On 17/05/2018 at 09:04, Barry de Graaff wrote:
>      > Is this an open-source component, especially the server side part?
>      >
>      > If so you can look in there and see if you can use a different
>      > keystore.
>      >
>      > Kind regards,
>      >
>      > Barry de Graaff
>      > Zeta Alliance
>      > Co-founder & Developer
>      > zetalliance.org | github.com/Zimbra-Community
>      >
>      > +31 617 220 227 | skype: barrydegraaff.tk
>      > Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>      >
>      > ----- Original Message -----
>      > From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
>      > To: "users" <users at lists.zetalliance.org>
>      > Sent: Thursday, May 17, 2018 8:32:16 AM
>      > Subject: [Users] New 8.7.5 Securemail Zimlet
>      >
>      > Hi,
>      >
>      > Has anyone succeeded in using the new 8.7.5 securemail Zimlet
>      > (com_zimbra_securemail)?
>      >
>      > Personal certificate uploads fail unless you disable the certificate
>      > verification check or add the root CA to Zimbra keystore which I can't
>      > do. This has been explained here:
>      > https://bugzilla.zimbra.com/show_bug.cgi?id=107887
>      > Problem is that Zimbra does not provide any external CA keystore to
>      > validate personal certificates.
>      >
>      > There is no documentation and Zimbra support is as usual of no help.
>      >
>      > Regards,
>      >
> 
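
Added example, not part of the thread: the question above (root only, or the complete chain?) matters because no path from a personal certificate to a trusted root can be built when the issuing intermediate is missing. The script builds a throwaway three-level PKI with constructed names and uses openssl verify as a stand-in for the server-side check (an assumption; Zimbra's own validation code is not shown on this page).

```bash
#!/usr/bin/env bash
# Added example: every subject name and file here is constructed for the demo.
set -eu

make_demo_pki() (            # $1 = working directory; body runs in a subshell
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = emailProtection
EOF
  new_csr() { openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
                -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null; }
  sign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
             -days 2 -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null; }
  # Self-signed root, then an intermediate CA, then the user's S/MIME certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config pki.cnf -extensions ca_ext \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null
  new_csr "Demo Email Intermediate CA" int;  sign int root ca_ext
  new_csr "Demo User" leaf;                  sign leaf int leaf_ext
  cat root.crt int.crt > chain.pem           # root + intermediate, no personal cert
)

# Prints "ok" if $2 chains to a trusted root using only the certificates in $1.
chain_status() {
  if openssl verify -purpose smimesign -CAfile "$1" "$2" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Issuer of a certificate: the subject that must be present in the trust store.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

dir=$(mktemp -d)
make_demo_pki "$dir"
echo "leaf $(issuer_of "$dir/leaf.crt")"
echo "root only:           $(chain_status "$dir/root.crt"  "$dir/leaf.crt")"
echo "root + intermediate: $(chain_status "$dir/chain.pem" "$dir/leaf.crt")"
```

Run against a real personal certificate, issuer_of names the intermediate whose CA certificate has to be in the store alongside the root.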




