<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi folks,<br>
</p>
<p>I finally found the right certificate to add to the Zimbra keystore:
<a class="moz-txt-link-freetext" href="http://crt.comodoca.com/COMODORSAClientAuthenticationandSecureEmailCA.crt">http://crt.comodoca.com/COMODORSAClientAuthenticationandSecureEmailCA.crt</a></p>
<p>Thanks to Stefan and his advice on using cert-chain-resolver.sh
from <a class="moz-txt-link-freetext" href="https://github.com/zakjan/cert-chain-resolver">https://github.com/zakjan/cert-chain-resolver</a>, I could get
the right root and intermediate CA certs that Zimbra needed (out
of my personal cert file):<br>
</p>
<p>What you need to do is:<br>
</p>
<p>- export the personal certificate from Firefox to create a .p12 file<br>
- convert the certificate to PEM with:<br>
openssl pkcs12 -in myPersonalCert.p12 -out myPersonalCert.pem -nodes<br>
- use cert-chain-resolver.sh to create the chain:<br>
cert-chain-resolver.sh -o comodo-root-and-intermediate.pem myPersonalCert.pem<br>
- comodo-root-and-intermediate.pem should contain the root and
intermediate CA certificates. Keep the root cert only and add it to
Zimbra:<br>
zmcertmgr addcacert /tmp/comodo-root.crt</p>
<p>No need to restart mailboxd, and you can keep
zimbraSmimeOCSPEnabled set to TRUE.<br>
</p>
Regards,<br>
Frédéric.<br>
<br>
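<p>As an added illustration (not part of Frédéric's message, nor code from cert-chain-resolver or Zimbra): a small POSIX shell script that takes a PEM bundle like comodo-root-and-intermediate.pem, picks out the self-signed root that goes to <code>zmcertmgr addcacert</code>, and checks with <code>openssl verify</code> that the personal certificate really chains up to it. It assumes <code>openssl</code> is in PATH; the test PKI it builds (Test root / Test int / Test user) and the function and file names are the example's own.</p>

```shell
#!/bin/sh
# Added example, not code from the thread. Splits a PEM bundle such as
# comodo-root-and-intermediate.pem into the self-signed root (what goes to
# "zmcertmgr addcacert") and the intermediates, then checks that the personal
# certificate really chains to that root. Requires openssl in PATH.
set -eu

# split_chain BUNDLE OUTDIR: writes OUTDIR/root.pem (subject == issuer) and
# OUTDIR/intermediates.pem (all other certificates in the bundle)
split_chain() {
  bundle=$1; out=$2
  mkdir -p "$out"; : > "$out/root.pem"; : > "$out/intermediates.pem"
  # one file per BEGIN..END block; "Bag Attributes" lines from pkcs12 are dropped
  awk -v d="$out" '/-----BEGIN CERTIFICATE-----/{n++; f=1}
    f{print > (d "/part." n ".pem")}
    /-----END CERTIFICATE-----/{f=0}' "$bundle"
  for c in "$out"/part.*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$c" -noout -issuer);   iss=${iss#issuer=}
    if [ "$subj" = "$iss" ]; then cat "$c" >> "$out/root.pem"
    else cat "$c" >> "$out/intermediates.pem"; fi
    rm -f "$c"
  done
}

# verify_leaf ROOT INTERMEDIATES LEAF: exit 0 only if LEAF chains up to ROOT
verify_leaf() {
  if [ -s "$2" ]; then openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else openssl verify -CAfile "$1" "$3" >/dev/null 2>&1; fi
}

# make_test_pki DIR: constructed root -> issuing CA -> user chain for a dry run
make_test_pki() {
  d=$1; mkdir -p "$d"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  for n in root int user; do   # one key and CSR per tier
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Test $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/user.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"  # what cert-chain-resolver emits
}
```

<p>If <code>root.pem</code> comes out empty, the bundle holds no self-signed certificate, i.e. the chain was not resolved all the way up and there is nothing yet worth importing as a trust anchor.</p>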
<div class="moz-cite-prefix">On 17/05/2018 at 10:21, Frédéric Nass
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1810623954.131197.1526545272208.JavaMail.zimbra@univ-lorraine.fr">
<div style="font-family: arial, helvetica, sans-serif; font-size:
12pt; color: #000000">
<div>Hi Stefan,<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>Here is what I did:<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>- Enable securemail zimlet in Zimbra preferences<br
data-mce-bogus="1">
</div>
<div>- Generate a Comodo personal cert from here:
<a class="moz-txt-link-freetext" href="https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate">https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate</a><br
data-mce-bogus="1">
</div>
<div>- Download / Install my personal cert in Firefox. Export my
personal cert from Firefox keystore to file.<br
data-mce-bogus="1">
</div>
<div>- Upload my personal cert in Zimbra Preferences / Secure
Email. <strong>Verification fails</strong><br>
</div>
<div>- Search Google for Comodo root and intermediate certs
which led me here:
<a class="moz-txt-link-freetext" href="https://support.comodo.com/index.php?/Knowledgebase/Article/View/320/17/can-i-download-your-intermediate-and-root-certificates">https://support.comodo.com/index.php?/Knowledgebase/Article/View/320/17/can-i-download-your-intermediate-and-root-certificates</a><br>
</div>
<div>and here :
<a class="moz-txt-link-freetext" href="https://support.comodo.com/index.php?/comodo/Knowledgebase/List/Index/75/instantsslenterprisesslintranetssl">https://support.comodo.com/index.php?/comodo/Knowledgebase/List/Index/75/instantsslenterprisesslintranetssl</a><br
data-mce-bogus="1">
</div>
<div>and there :
<a class="moz-txt-link-freetext" href="https://support.comodo.com/index.php?/Knowledgebase/List/Index/71">https://support.comodo.com/index.php?/Knowledgebase/List/Index/71</a><br
data-mce-bogus="1">
</div>
<div>- I downloaded and added all root and intermediate #1 and
#2 certs<br data-mce-bogus="1">
</div>
<div>- I added those certs to the keystore and checked with
keytool that they were correctly imported in the keystore<br>
- I restarted mailboxd<br data-mce-bogus="1">
</div>
<div>- Upload my personal cert again in Zimbra Preferences /
Secure Email. <strong>Still fails</strong></div>
<div data-marker="__SIG_PRE__"><br data-mce-bogus="1">
</div>
<div data-marker="__SIG_PRE__">I have also tried to cat
comodorsaaddtrustca.crt
comodosha256clientauthenticationandsecureemailca.crt >
ca_cert_and_chain.crt then /opt/zimbra/bin/zmcertmgr addcacert
/tmp/COMODO/ca_cert_and_chain.crt<br>
</div>
<div data-marker="__SIG_PRE__"><strong>Still fails</strong>.<br
data-mce-bogus="1">
</div>
<div data-marker="__SIG_PRE__"><br data-mce-bogus="1">
</div>
<div data-marker="__SIG_PRE__">Regards,<br data-mce-bogus="1">
</div>
<div data-marker="__SIG_PRE__"><br>
Frédéric.<br>
</div>
<br>
<span id="zwchr" data-marker="__DIVIDER__">----- On 17 May 18, at
10:09, Stefan Sänger <a class="moz-txt-link-rfc2396E" href="mailto:stefan.saenger@gr13.net"><stefan.saenger@gr13.net></a> wrote:<br>
</span>
<div data-marker="__QUOTED_TEXT__">
<blockquote style="border-left:2px solid
#1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;">Hi
Frederic,<br>
<br>
are you importing only the root certificate or the complete
chain <br>
(without your personal certificate)?<br>
<br>
<br>
best regards,<br>
<br>
Stefan<br>
<br>
On 17.05.2018 at 10:06, Frédéric Nass wrote:<br>
> <br>
> Thanks for all this information, Barry. I have root
access and I could <br>
> add certs to the keystore but verification still fails
when uploading my <br>
> personal cert in Zimbra preferences (because the
verification against <br>
> all Comodo certs that I add to the keystore still
fails).<br>
> <br>
> I used "zmcertmgr addcacert /tmp/comodo.crt" that uses
keytool to import <br>
> certificate to the keystore. It must be equivalent to
"keytool -import <br>
> -alias xxxxxxx -keystore <br>
>
/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts
-storepass <br>
> changeit -file /tmp/comodo.crt"<br>
> <br>
> Frédéric.<br>
> <br>
> <br>
> ----- On 17 May 18, at 9:33, Barry de Graaff
<a class="moz-txt-link-rfc2396E" href="mailto:info@barrydegraaff.tk"><info@barrydegraaff.tk></a> <br>
> wrote:<br>
> <br>
> Ahh, AFAIK you do not have to concatenate them.<br>
> <br>
> Instead you can add all required intermediates to
the store,<br>
> you need to restart zimbra for the changes to be
loaded.<br>
> <br>
> I do not use S/MIME so I cannot give the exact
example, but<br>
> for trusting a CA using intermediates I do:<br>
> <br>
> wget<br>
>
<a class="moz-txt-link-freetext" href="https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt">https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt</a><br>
> -O lets.pem<br>
> /opt/zimbra/common/bin/keytool -import -alias
letsenc-ca -keystore<br>
> /opt/zimbra/common/etc/java/cacerts -storepass
changeit -file<br>
> /root/lets.pem<br>
> <br>
> So the trick there is to get the proper .pem from
your CA and import<br>
> that into<br>
> the keystore.<br>
> <br>
> You can also create a new keystore and put that in<br>
> smime_truststore variable.<br>
> <br>
> You write you cannot add a cert to the store, do
you not have root<br>
> access?<br>
> <br>
> <br>
> Kind regards,<br>
> <br>
> Barry de Graaff<br>
> Zeta Alliance<br>
> Co-founder & Developer<br>
> zetalliance.org | github.com/Zimbra-Community<br>
> <br>
> +31 617 220 227 | skype: barrydegraaff.tk<br>
> Fingerprint:
97f4694a1d9aedad012533db725ddd156d36a2d0<br>
> <br>
> ----- Original Message -----<br>
> From: "Frédéric Nass"
<a class="moz-txt-link-rfc2396E" href="mailto:frederic.nass@univ-lorraine.fr"><frederic.nass@univ-lorraine.fr></a><br>
> To: "Barry de Graaff" <a class="moz-txt-link-rfc2396E" href="mailto:info@barrydegraaff.tk"><info@barrydegraaff.tk></a><br>
> Cc: "users" <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.zetalliance.org"><users@lists.zetalliance.org></a><br>
> Sent: Thursday, May 17, 2018 9:26:18 AM<br>
> Subject: Re: [Users] New 8.7.5 Securemail Zimlet<br>
> <br>
> Hi Barry,<br>
> <br>
> I have no idea.<br>
> <br>
> Actually, Zimbra provides a keystore for smime
certs validation. But<br>
> it's empty of any trusted external CA.<br>
> <br>
> [zimbra@test-zimbra ~]$ zmlocalconfig | grep -E
'keystore|smime'<br>
> imapd_keystore = /opt/zimbra/conf/imapd.keystore<br>
> imapd_keystore_password = *<br>
> mailboxd_keystore =
/opt/zimbra/mailboxd/etc/keystore<br>
> mailboxd_keystore_base =
${zimbra_home}/conf/keystore.base<br>
> mailboxd_keystore_base_password = *<br>
> mailboxd_keystore_password = *<br>
> smime_truststore = ${mailboxd_truststore}<br>
> smime_truststore_password = *<br>
> <br>
> [zimbra@test-zimbra ~]$ keytool -list -keystore<br>
>
/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts
-storepass<br>
> changeit<br>
> <br>
> Keystore type: JKS<br>
> Keystore provider: SUN<br>
> <br>
> Your keystore contains 183 entries<br>
> <br>
> tmp/rhel7_64/rdjz3bwn1d/eq0xx_t6fv.der, Feb 12,
2016, trustedCertEntry,<br>
> Certificate fingerprint (SHA1):<br>
>
85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F<br>
> tmp/rhel7_64/rdjz3bwn1d/gpzzm9h5_7.der, Feb 12,
2016, trustedCertEntry,<br>
> Certificate fingerprint (SHA1):<br>
>
8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58<br>
> tmp/rhel7_64/rdjz3bwn1d/csuq6zjk4u.der, Feb 12,
2016, trustedCertEntry,<br>
> ...<br>
> Certificate fingerprint (SHA1):<br>
>
AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA<br>
> my_ca, Mar 21, 2018, trustedCertEntry,<br>
> ...<br>
> Certificate fingerprint (SHA1):<br>
>
D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49<br>
> tmp/rhel7_64/rdjz3bwn1d/ja63m4kjkn.der, Feb 12,
2016, trustedCertEntry,<br>
> Certificate fingerprint (SHA1):<br>
>
48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D<br>
> tmp/rhel7_64/rdjz3bwn1d/0wpwao5qj3.der, Feb 12,
2016, trustedCertEntry,<br>
> Certificate fingerprint (SHA1):<br>
>
28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8<br>
> tmp/rhel7_64/rdjz3bwn1d/8afyoy3e6h.der, Feb 12,
2016, trustedCertEntry,<br>
> etc.<br>
> <br>
> But no Comodo, Verisign, etc...<br>
> <br>
> I added all the certs from<br>
>
<a class="moz-txt-link-freetext" href="https://support.comodo.com/index.php?/Knowledgebase/List/Index/71">https://support.comodo.com/index.php?/Knowledgebase/List/Index/71</a>
to<br>
> the<br>
> keystore. But verification still fails when
uploading personal certs.<br>
> <br>
> Prabhat Kumar in comment 3 of the bugzilla report says
"Need to add<br>
> intermediate as well of the s/mime certificate."<br>
> Which I did, but still no success.<br>
> <br>
> It seems to me that I should first build a cert by
concatenating some<br>
> root and intermediate certs. But which certs in
what order I have no<br>
> idea :-/<br>
> <br>
> Regards,<br>
> Frédéric.<br>
> <br>
> <br>
> On 17/05/2018 at 09:04, Barry de Graaff wrote:<br>
> > Is this an open-source component, especially
the server side part?<br>
> ><br>
> > If so you can look in there and see if you can
use a different<br>
> keystore.<br>
> ><br>
> > Kind regards,<br>
> ><br>
> > Barry de Graaff<br>
> > Zeta Alliance<br>
> > Co-founder & Developer<br>
> > zetalliance.org | github.com/Zimbra-Community<br>
> ><br>
> > +31 617 220 227 | skype: barrydegraaff.tk<br>
> > Fingerprint:
97f4694a1d9aedad012533db725ddd156d36a2d0<br>
> ><br>
> > ----- Original Message -----<br>
> > From: "Frédéric Nass"
<a class="moz-txt-link-rfc2396E" href="mailto:frederic.nass@univ-lorraine.fr"><frederic.nass@univ-lorraine.fr></a><br>
> > To: "users"
<a class="moz-txt-link-rfc2396E" href="mailto:users@lists.zetalliance.org"><users@lists.zetalliance.org></a><br>
> > Sent: Thursday, May 17, 2018 8:32:16 AM<br>
> > Subject: [Users] New 8.7.5 Securemail Zimlet<br>
> ><br>
> > Hi,<br>
> ><br>
> > Has anyone succeeded in using the new 8.7.5
securemail Zimlet<br>
> > (com_zimbra_securemail)?<br>
> ><br>
> > Personal certificate uploads fail unless
you disable the<br>
> certificate<br>
> > verification check or add the root CA to
Zimbra keystore which I<br>
> can't<br>
> > do. This has been explained here:<br>
> >
<a class="moz-txt-link-freetext" href="https://bugzilla.zimbra.com/show_bug.cgi?id=107887">https://bugzilla.zimbra.com/show_bug.cgi?id=107887</a><br>
> > Problem is that Zimbra does not provide any
external CA keystore to<br>
> > validate personal certificates.<br>
> ><br>
> > There is no documentation and Zimbra support
is as usual of no help.<br>
> ><br>
> > Regards,<br>
> ><br>
><br>
</blockquote>
</div>
</div>
</blockquote>
<br>
</body>
</html>