[Users] New 8.7.5 Securemail Zimlet

Barry de Graaff info at barrydegraaff.tk
Thu May 17 10:12:43 CEST 2018

I always use this command from the CLI to check if my cert works, 
you should try and fix your issue from the CLI first, then after that 
says `Valid Certificate...OK` you can try the web interface. 

/opt/zimbra/bin/zmcertmgr verifycrt comm private.key your.crt intermediate.crt 
This way you know for sure you have the correct intermediate. 

Kind regards, 

Barry de Graaff 
Zeta Alliance 
Co-founder & Developer 
zetalliance.org | github.com/Zimbra-Community 

+31 617 220 227 | skype: barrydegraaff.tk 
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0 

From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr> 
To: "Barry de Graaff" <info at barrydegraaff.tk> 
Cc: "users" <users at lists.zetalliance.org> 
Sent: Thursday, May 17, 2018 10:06:40 AM 
Subject: Re: [Users] New 8.7.5 Securemail Zimlet 

Thanks for all this information, Barry. I have root access and I could add certs to the keystore, but verification still fails when uploading my personal cert in Zimbra preferences (because the verification against all the Comodo certs that I added to the keystore still fails). 

I used "zmcertmgr addcacert /tmp/comodo.crt", which uses keytool to import the certificate into the keystore. It must be equivalent to "keytool -import -alias xxxxxxx -keystore /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit -file /tmp/comodo.crt" 


----- On 17 May 18, at 9:33, Barry de Graaff <info at barrydegraaff.tk> wrote: 

Ahh, AFAIK you do not have to concatenate them. 

Instead you can add all required intermediates to the store, 
you need to restart zimbra for the changes to be loaded. 

I do not use S/MIME so I cannot give the exact example, but 
for trusting a CA using intermediates I do: 

wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -O lets.pem 
/opt/zimbra/common/bin/keytool -import -alias letsenc-ca -keystore /opt/zimbra/common/etc/java/cacerts -storepass changeit -file /root/lets.pem 

So the trick there is to get the proper .pem from your CA and import that into 
the keystore. 

You can also create a new keystore and put that in 
smime_truststore variable. 

You write you cannot add a cert to the store, do you not have root access? 

Kind regards, 

Barry de Graaff 
Zeta Alliance 
Co-founder & Developer 
zetalliance.org | github.com/Zimbra-Community 

+31 617 220 227 | skype: barrydegraaff.tk 
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0 

----- Original Message ----- 
From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr> 
To: "Barry de Graaff" <info at barrydegraaff.tk> 
Cc: "users" <users at lists.zetalliance.org> 
Sent: Thursday, May 17, 2018 9:26:18 AM 
Subject: Re: [Users] New 8.7.5 Securemail Zimlet 

Hi Barry, 

I have no idea. 

Actually, Zimbra provides a keystore for S/MIME cert validation. But 
it's empty of any trusted external CA. 

[zimbra at test-zimbra ~]$ zmlocalconfig | grep -E 'keystore|smime' 
imapd_keystore = /opt/zimbra/conf/imapd.keystore 
imapd_keystore_password = * 
mailboxd_keystore = /opt/zimbra/mailboxd/etc/keystore 
mailboxd_keystore_base = ${zimbra_home}/conf/keystore.base 
mailboxd_keystore_base_password = * 
mailboxd_keystore_password = * 
smime_truststore = ${mailboxd_truststore} 
smime_truststore_password = * 

[zimbra at test-zimbra ~]$ keytool -list -keystore /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit 

Keystore type: JKS 
Keystore provider: SUN 

Your keystore contains 183 entries 

tmp/rhel7_64/rdjz3bwn1d/eq0xx_t6fv.der, Feb 12, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 
tmp/rhel7_64/rdjz3bwn1d/gpzzm9h5_7.der, Feb 12, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 
tmp/rhel7_64/rdjz3bwn1d/csuq6zjk4u.der, Feb 12, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 
my_ca, Mar 21, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 
tmp/rhel7_64/rdjz3bwn1d/ja63m4kjkn.der, Feb 12, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 
tmp/rhel7_64/rdjz3bwn1d/0wpwao5qj3.der, Feb 12, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 
tmp/rhel7_64/rdjz3bwn1d/8afyoy3e6h.der, Feb 12, 2016, trustedCertEntry, 

But no Comodo, Verisign, etc... 

I added all the certs from 
https://support.comodo.com/index.php?/Knowledgebase/List/Index/71 to the 
keystore. But verification still fails when uploading personal certs. 

Prabhat Kumar on comment 3 of bugzilla report says "Need to add 
intermediate as well of the s/mime certificate." 
Which I did, but still no success. 

It seems to me that I should first build a cert by concatenating some 
root and intermediate certs. But which certs in what order I have no 
idea :-/ 


On 17/05/2018 at 09:04, Barry de Graaff wrote: 
> Is this an open-source component, especially the server side part? 
> If so you can look in there and see if you can use a different keystore. 
> Kind regards, 
> Barry de Graaff 
> Zeta Alliance 
> Co-founder & Developer 
> zetalliance.org | github.com/Zimbra-Community 
> +31 617 220 227 | skype: barrydegraaff.tk 
> Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0 
> ----- Original Message ----- 
> From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr> 
> To: "users" <users at lists.zetalliance.org> 
> Sent: Thursday, May 17, 2018 8:32:16 AM 
> Subject: [Users] New 8.7.5 Securemail Zimlet 
> Hi, 
> Has anyone succeeded in using the new 8.7.5 securemail Zimlet 
> (com_zimbra_securemail)? 
> Personal certificate uploads fail unless you disable the certificate 
> verification check or add the root CA to the Zimbra keystore, which I can't 
> do. This has been explained here: 
> https://bugzilla.zimbra.com/show_bug.cgi?id=107887 
> Problem is that Zimbra does not provide any external CA keystore to 
> validate personal certificates. 
> There is no documentation and Zimbra support is as usual of no help. 
> Regards, 
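The thread turns on two things: proving the chain (user cert, intermediate, root) actually links up before blaming the Zimlet, and getting the intermediate(s) into a truststore that smime_truststore points at. The script below is an added example, not code from the thread or from Zimbra; it assumes openssl and the Zimbra-bundled keytool path from the thread (/opt/zimbra/common/bin/keytool) exist on the host, and the bundle contents, alias names and /opt/zimbra/conf/smime.truststore path are constructed placeholders. It splits a vendor CA bundle into single certs, prints each subject/issuer so the chain order is visible, verifies the user cert with the openssl equivalent of zmcertmgr verifycrt, and imports each CA cert idempotently.

```bash
#!/bin/bash
# Added example (not from the thread): S/MIME chain check + truststore import.
# Assumes openssl and /opt/zimbra/common/bin/keytool are present on the host.
set -u

KEYTOOL=${KEYTOOL:-/opt/zimbra/common/bin/keytool}

# Write a constructed two-certificate PEM bundle (dummy base64, not real
# certificates) so the splitter can be exercised offline.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
EOF
}

# Split a concatenated PEM bundle (the form CA vendors ship) into
# OUTDIR/cert-1.pem, cert-2.pem, ...  Prints the number of certs written.
# Only lines between BEGIN and END markers are copied, so blank lines or
# vendor commentary between blocks never leak into a cert file.
split_pem_bundle() {
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# Print subject and issuer of every split cert: a valid chain has each
# cert's issuer equal to the subject of the next cert up, ending at the root.
show_chain_order() {
    local f
    for f in "$1"/cert-*.pem; do
        printf '%s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# openssl equivalent of "zmcertmgr verifycrt": the intermediate(s) are
# untrusted helpers, only the root is trusted; exit 0 means a full chain built.
verify_smime_chain() {
    local user_crt="$1" intermediate="$2" root="$3"
    openssl verify -CAfile "$root" -untrusted "$intermediate" \
        -purpose smimesign "$user_crt"
}

# Import one CA cert into a JKS truststore; skips aliases already present so
# re-running after a failed attempt does not error out.
import_ca() {
    local alias="$1" pem="$2" store="$3" pass="${4:-changeit}"
    if "$KEYTOOL" -list -keystore "$store" -storepass "$pass" \
            -alias "$alias" >/dev/null 2>&1; then
        echo "alias $alias already present in $store"
        return 0
    fi
    "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$alias" \
        -keystore "$store" -storepass "$pass" -file "$pem"
}

# Full workflow: ./smime-trust.sh user.crt intermediate.crt root.crt ca-bundle.pem
# Afterwards point Zimbra at the new store and reload mailboxd, as the thread says:
#   zmlocalconfig -e smime_truststore=/opt/zimbra/conf/smime.truststore
#   zmmailboxdctl restart
main() {
    local user_crt="$1" intermediate="$2" root="$3" bundle="$4"
    local store=/opt/zimbra/conf/smime.truststore   # constructed path
    local dir n i
    dir=$(mktemp -d)
    n=$(split_pem_bundle "$bundle" "$dir")
    echo "bundle contains $n certificate(s)"
    show_chain_order "$dir"
    verify_smime_chain "$user_crt" "$intermediate" "$root" || return 1
    for i in $(seq 1 "$n"); do
        import_ca "bundle-ca-$i" "$dir/cert-$i.pem" "$store"
    done
}

# Run the workflow only when invoked with the four arguments.
if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

Running the verify step first is the point: if openssl cannot build the chain from the files you have, no amount of importing into the keystore will make the Zimlet accept the upload, and the subject/issuer listing shows exactly which link is missing.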
