Infrastructure SSL certificate

This section contains guidelines to enforce security on a typical Carbonio CE installation.

Deploy an SSL Certificate

In this section we explain how to add an SSL/TLS certificate to a Carbonio CE installation, covering both a single-server certificate and a wildcard certificate. Carbonio CE supports the installation and management of Let’s Encrypt certificates: you can find directions for that in a dedicated article on the Zextras Community portal.

This setup is mandatory if Carbonio CE is used in conjunction with mobile apps; it is also suggested for any installation in order to avoid the client browser’s warning about an invalid certificate upon connection.

See also

You can manage SSL domain certificates from the Carbonio Admin Panel: check out Virtual Hosts & Certificate.

Commercial Certificate Installation

We will describe the procedure by taking into account the following scenario:

  • The server FQDN is mail.example.com

  • No SSL certificate is available for the domain.

In the remainder, replace mail.example.com with your actual server FQDN.

The procedure consists of a few steps and requires console access to the Carbonio CE server.

Step 1. Certificate Signing Request generation

We start by generating a CSR:

# /opt/zextras/bin/zmcertmgr createcsr comm -new -subject \
"/C=IT/ST=VR/L=Yourtown/O=YourCompany/OU=SampleDepartment/CN=mail.example.com" \
-subjectAltNames mail.example.com

Where the various elements in the subject are the standard fields of an SSL certificate:

  • C: the 2-digit country code

  • ST: State or Province

  • L: City

  • O: Organization Name

  • OU: Organization Unit (Department)

  • CN: Common Name

Note

You can optionally include more than one (alternative) name by adding one or more -subjectAltNames options to the end of the command, each followed by the name to add.

Once the command is executed, these files will be generated:

/opt/zextras/ssl/carbonio/commercial/commercial.key
/opt/zextras/ssl/carbonio/commercial/commercial.csr

Step 2. Get the certificates from your SSL provider

To complete this step, submit the CSR to the SSL provider, obtain the commercial certificate in PEM format, and save it as /opt/zextras/ssl/carbonio/commercial/commercial.crt.

SSL providers also supply the intermediate certificate and the so-called Root CA in a bundled certificate file (“Full Chain CA”), which must be saved as /opt/zextras/ssl/carbonio/commercial/commercial_ca.crt.

Step 3. Verification and deploy

Issue the following commands to verify that the certificate and your private key match:

  • become the zextras user

    # su - zextras
    
  • go to the directory where the certificates are stored:

    zextras$ cd /opt/zextras/ssl/carbonio/commercial
    
  • verify the certificates

    zextras$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
    

If the verification is successful, you can deploy the SSL certificate.

# zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Finally, restart Carbonio CE.

# zmcontrol restart

Your certificate should now be installed: verify the certificate details by running this command:

# zmcertmgr viewdeployedcrt
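
An independent cross-check of the key/certificate match from Step 3, extended with chain, host name and expiry checks using plain openssl. This is an added example, not part of the Carbonio documentation or tooling; the function names, the 30-day expiry threshold and the make_demo_set helper (which builds a constructed test CA) are assumptions of this example.

```bash
#!/bin/sh
# Added example (not part of the Carbonio documentation): pre-deployment checks
# with plain openssl. File names follow the page; the 30-day expiry threshold
# and the demo CA are assumptions made for this example.

# check_cert_set KEY CRT CA_BUNDLE FQDN: returns 0 only if every check passes
check_cert_set() {
  key=$1; crt=$2; ca=$3; fqdn=$4; rc=0
  report() { if [ "$1" -eq 0 ]; then echo "OK   $2"; else echo "FAIL $2"; rc=1; fi; }

  # 1. The private key and the certificate must carry the same public key.
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
  report $? "private key matches certificate"

  # 2. The certificate must chain to the CA bundle (intermediate + root).
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1
  report $? "certificate chains to $ca"

  # 3. The certificate must cover the server FQDN (SAN, wildcard included).
  openssl x509 -in "$crt" -noout -checkhost "$fqdn" 2>/dev/null | grep -q "does match"
  report $? "certificate is valid for $fqdn"

  # 4. The certificate must not expire within 30 days (2592000 seconds).
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1
  report $? "certificate valid for 30+ days"
  return $rc
}

# make_demo_set DIR: constructed CA and leaf for mail.example.com (test data only)
make_demo_set() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Demo CA" \
    -keyout "$d/ca.key" -out "$d/commercial_ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
    -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null
  printf 'subjectAltName=DNS:mail.example.com\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/commercial.csr" -CA "$d/commercial_ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -extfile "$d/ext.cnf" -out "$d/commercial.crt" 2>/dev/null
}

# Usage: sh check_cert.sh commercial.key commercial.crt commercial_ca.crt mail.example.com
if [ "$#" -eq 4 ]; then check_cert_set "$@"; fi
```

A non-zero exit status means at least one check failed, so the script can gate the deploycrt step in an automated renewal job.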

Wildcard Certificate Installation

To describe this procedure, we use the same server with FQDN mail.example.com, but in this case there is already a wildcard SSL certificate for the domain *.example.com, which was generated on a server other than the Carbonio CE one.

Therefore, you have all the necessary certificates and the procedure in this case is simpler.

Step 1. Set up the certificates

The existing PEM certificate and its private key must be saved as /opt/zextras/ssl/carbonio/commercial/commercial.crt and /opt/zextras/ssl/carbonio/commercial/commercial.key respectively.

Now, go to /opt/zextras/ssl/carbonio/commercial/ and merge the two files into a single one:

# cat commercial.crt commercial.key > commercial_ca.crt

Step 2. Verification and deploy

Issue the following commands to verify that the certificate and your private key match:

  • become the zextras user

    # su - zextras
    
  • go to the directory where the certificates are stored:

    zextras$ cd /opt/zextras/ssl/carbonio/commercial
    
  • verify the certificates

    zextras$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
    

If the verification is successful, you can deploy the SSL certificate.

# zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Finally, restart Carbonio CE.

# zmcontrol restart

Your certificate should now be installed: verify the certificate details by running this command:

# zmcertmgr viewdeployedcrt