[Users] New 8.7.5 Securemail Zimlet

Frédéric Nass frederic.nass at univ-lorraine.fr
Thu May 17 17:27:49 CEST 2018


Hi folks,

I finally found the right certificate to add to the Zimbra keystore:
http://crt.comodoca.com/COMODORSAClientAuthenticationandSecureEmailCA.crt

Thanks to Stefan and his advice on using cert-chain-resolver.sh from 
https://github.com/zakjan/cert-chain-resolver, I could get the right 
root and intermediate CA certs that Zimbra needed (out of my personal 
cert file):

What you need to do is:

- export your personal certificate from Firefox to create a .p12 file
- convert the certificate to PEM with:
   openssl pkcs12 -in myPersonalCert.p12 -out myPersonalCert.pem -nodes
- use cert-chain-resolver.sh to create the chain:
   cert-chain-resolver.sh -o comodo-root-and-intermediate.pem myPersonalCert.pem
- comodo-root-and-intermediate.pem should contain the root and intermediate 
CA certificates. Keep the root cert only and add it to Zimbra:
   zmcertmgr addcacert /tmp/comodo-root.crt

No need to restart mailboxd and you can keep zimbraSmimeOCSPEnabled to TRUE.

Regards,
Frédéric.

On 17/05/2018 at 10:21, Frédéric Nass wrote:
> Hi Stefan,
>
> Here is what I did :
>
> - Enable securemail zimlet in Zimbra preferences
> - Generate a comodo personal cert from here: 
> https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate
> - Download / Install my personal cert in Firefox. Export my personal 
> cert from Firefox keystore to file.
> - Upload my personal cert in Zimbra Preferences / Secure Email. 
> *Verification fail*
> - Search Google for Comodo root and intermediate certs which led me 
> here: 
> https://support.comodo.com/index.php?/Knowledgebase/Article/View/320/17/can-i-download-your-intermediate-and-root-certificates
> and here : 
> https://support.comodo.com/index.php?/comodo/Knowledgebase/List/Index/75/instantsslenterprisesslintranetssl
> and there : 
> https://support.comodo.com/index.php?/Knowledgebase/List/Index/71
> - I downloaded and added all root and intermediate #1 and #2 certs
> - I added those certs to the keystore and check with keytool that they 
> were correctly imported in the keystore
> - I restarted mailboxd
> - Upload my personal cert again in Zimbra Preferences / Secure Email. 
> *Still fails*
>
> I have also tried to cat comodorsaaddtrustca.crt 
> comodosha256clientauthenticationandsecureemailca.crt > 
> ca_cert_and_chain.crt then /opt/zimbra/bin/zmcertmgr addcacert 
> /tmp/COMODO/ca_cert_and_chain.crt
> *Still fails*.
>
> Regards,
>
> Frédéric.
>
> ----- On 17 May 18, at 10:09, Stefan Sänger <stefan.saenger at gr13.net> 
> wrote:
>
>     Hi Frederic,
>
>     are you importing only the root certificate or the complete chain
>     (without your personal certificate) ?
>
>
>     best regards,
>
>     Stefan
>
>     On 17.05.2018 at 10:06, Frédéric Nass wrote:
>     >
>     > Thanks for all this information Barry. I have root access and
>     > I could add certs to the keystore but verification still fails when
>     > uploading my personal cert in Zimbra preferences (because the
>     > verification against all Comodo certs that I add to the keystore
>     > still fails).
>     >
>     > I used "zmcertmgr addcacert /tmp/comodo.crt" that uses keytool
>     > to import the certificate to the keystore. It must be equivalent to
>     > "keytool -import -alias xxxxxxx -keystore
>     > /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass
>     > changeit -file /tmp/comodo.crt"
>     >
>     > Frédéric.
>     >
>     >
>     > ----- On 17 May 18, at 9:33, Barry de Graaff
>     > <info at barrydegraaff.tk> wrote:
>     >
>     >     Ahh, AFAIK you do not have to concatenate them.
>     >
>     >     Instead you can add all required intermediates to the store,
>     >     you need to restart zimbra for the changes to be loaded.
>     >
>     >     I do not use S/MIME so I cannot give the exact example, but
>     >     for trusting a CA using intermediates I do:
>     >
>     >     wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -O lets.pem
>     >     /opt/zimbra/common/bin/keytool -import -alias letsenc-ca -keystore /opt/zimbra/common/etc/java/cacerts -storepass changeit -file /root/lets.pem
>     >
>     >     So the trick there is to get the proper .pem from your CA and
>     >     import that into the keystore.
>     >
>     >     You can also create a new keystore and put that in the
>     >     smime_truststore variable.
>     >
>     >     You write you cannot add a cert to the store, do you not have
>     >     root access?
>     >
>     >
>     >     Kind regards,
>     >
>     >     Barry de Graaff
>     >     Zeta Alliance
>     >     Co-founder & Developer
>     >     zetalliance.org | github.com/Zimbra-Community
>     >
>     >     +31 617 220 227 | skype: barrydegraaff.tk
>     >     Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>     >
>     >     ----- Original Message -----
>     >     From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
>     >     To: "Barry de Graaff" <info at barrydegraaff.tk>
>     >     Cc: "users" <users at lists.zetalliance.org>
>     >     Sent: Thursday, May 17, 2018 9:26:18 AM
>     >     Subject: Re: [Users] New 8.7.5 Securemail Zimlet
>     >
>     >     Hi Barry,
>     >
>     >     I have no idea.
>     >
>     >     Actually, Zimbra provides a keystore for smime certs validation.
>     >     But it's empty of any trusted external CA.
>     >
>     >     [zimbra at test-zimbra ~]$ zmlocalconfig | grep -E 'keystore|smime'
>     >     imapd_keystore = /opt/zimbra/conf/imapd.keystore
>     >     imapd_keystore_password = *
>     >     mailboxd_keystore = /opt/zimbra/mailboxd/etc/keystore
>     >     mailboxd_keystore_base = ${zimbra_home}/conf/keystore.base
>     >     mailboxd_keystore_base_password = *
>     >     mailboxd_keystore_password = *
>     >     smime_truststore = ${mailboxd_truststore}
>     >     smime_truststore_password = *
>     >
>     >     [zimbra at test-zimbra ~]$ keytool -list -keystore /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit
>     >
>     >     Keystore type: JKS
>     >     Keystore provider: SUN
>     >
>     >     Your keystore contains 183 entries
>     >
>     >     tmp/rhel7_64/rdjz3bwn1d/eq0xx_t6fv.der, Feb 12, 2016, trustedCertEntry,
>     >     Certificate fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
>     >     tmp/rhel7_64/rdjz3bwn1d/gpzzm9h5_7.der, Feb 12, 2016, trustedCertEntry,
>     >     Certificate fingerprint (SHA1): 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
>     >     tmp/rhel7_64/rdjz3bwn1d/csuq6zjk4u.der, Feb 12, 2016, trustedCertEntry,
>     >     ...
>     >     Certificate fingerprint (SHA1): AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
>     >     my_ca, Mar 21, 2018, trustedCertEntry,
>     >     ...
>     >     Certificate fingerprint (SHA1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
>     >     tmp/rhel7_64/rdjz3bwn1d/ja63m4kjkn.der, Feb 12, 2016, trustedCertEntry,
>     >     Certificate fingerprint (SHA1): 48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D
>     >     tmp/rhel7_64/rdjz3bwn1d/0wpwao5qj3.der, Feb 12, 2016, trustedCertEntry,
>     >     Certificate fingerprint (SHA1): 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
>     >     tmp/rhel7_64/rdjz3bwn1d/8afyoy3e6h.der, Feb 12, 2016, trustedCertEntry,
>     >     etc.
>     >
>     >     But no Comodo, Verisign, etc...
>     >
>     >     I added all the certs from
>     >     https://support.comodo.com/index.php?/Knowledgebase/List/Index/71 to
>     >     the keystore. But verification still fails when uploading personal certs.
>     >
>     >     Prabhat Kumar on comment 3 of bugzilla report says "Need to add
>     >     intermediate as well of the s/mime certificate."
>     >     Which I did, but still no success.
>     >
>     >     It seems to me that I should first build a cert by concatenating some
>     >     root and intermediate certs. But which certs in what order I have no
>     >     idea :-/
>     >
>     >     Regards,
>     >     Frédéric.
>     >
>     >
>     >     On 17/05/2018 at 09:04, Barry de Graaff wrote:
>     >      > Is this an open-source component, especially the server side part?
>     >      >
>     >      > If so you can look in there and see if you can use a different
>     >      > keystore.
>     >      >
>     >      > Kind regards,
>     >      >
>     >      > Barry de Graaff
>     >      > Zeta Alliance
>     >      > Co-founder & Developer
>     >      > zetalliance.org | github.com/Zimbra-Community
>     >      >
>     >      > +31 617 220 227 | skype: barrydegraaff.tk
>     >      > Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>     >      >
>     >      > ----- Original Message -----
>     >      > From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
>     >      > To: "users" <users at lists.zetalliance.org>
>     >      > Sent: Thursday, May 17, 2018 8:32:16 AM
>     >      > Subject: [Users] New 8.7.5 Securemail Zimlet
>     >      >
>     >      > Hi,
>     >      >
>     >      > Has anyone succeeded in using the new 8.7.5 securemail Zimlet
>     >      > (com_zimbra_securemail)?
>     >      >
>     >      > Personal certificate uploads fail unless you disable the
>     >      > certificate verification check or add the root CA to the Zimbra
>     >      > keystore, which I can't do. This has been explained here:
>     >      > https://bugzilla.zimbra.com/show_bug.cgi?id=107887
>     >      > Problem is that Zimbra does not provide any external CA keystore
>     >      > to validate personal certificates.
>     >      >
>     >      > There is no documentation and Zimbra support is as usual of no help.
>     >      >
>     >      > Regards,
>     >      >
>     >
>
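The last two steps of the recipe at the top of this thread (split the bundle that cert-chain-resolver.sh writes, keep only the self-signed root, and check that the personal certificate chains to it through the intermediate), as an added example that is not from the thread or from the Zimbra project. It generates a throwaway root/intermediate/user chain with openssl so it runs offline; cert-chain-resolver.sh and zmcertmgr are not invoked, and every file name is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Splits a PEM bundle like the one
# cert-chain-resolver.sh writes, keeps only the self-signed root (the cert
# that zmcertmgr addcacert gets), and checks that the personal certificate
# chains to that root through the intermediate.
set -eu
WORK=$(mktemp -d)

# Constructed throwaway PKI standing in for the Comodo root, the Comodo
# intermediate and the user's own S/MIME certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user@example.invalid" \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 2 -out "$WORK/user.pem" 2>/dev/null
# The bundle the resolver would have produced: intermediate first, root last.
cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/comodo-root-and-intermediate.pem"

# keep_root_only BUNDLE OUT: write to OUT only those certificates in BUNDLE
# whose issuer equals their subject, i.e. the self-signed root(s).
keep_root_only() {
  awk -v d="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/part" n ".pem")}' "$1"
  : > "$2"
  for part in "$WORK"/part*.pem; do
    subj=$(openssl x509 -in "$part" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$part" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then cat "$part" >> "$2"; fi
  done
  rm -f "$WORK"/part*.pem
}

# Number of PEM certificates in a file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# chain_ok ROOT INTERMEDIATE LEAF: succeeds iff LEAF chains to ROOT via INTERMEDIATE.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

keep_root_only "$WORK/comodo-root-and-intermediate.pem" "$WORK/comodo-root.crt"
echo "root certs kept: $(count_certs "$WORK/comodo-root.crt")"
chain_ok "$WORK/comodo-root.crt" "$WORK/inter.pem" "$WORK/user.pem" && echo "user cert chains to the kept root"
```

On a real Zimbra host the file written to comodo-root.crt is what you would hand to zmcertmgr addcacert; the check with the root alone (no -untrusted intermediate) fails, which is the "need the intermediate as well" situation described earlier in the thread.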
