Infrastructure Domain SSL certificate
This section contains guidelines to enforce security on a typical Carbonio installation.
Deploy a Commercial SSL Certificate
This section explains how to add an SSL/TLS certificate to a Carbonio installation. Carbonio supports the installation and management of Let’s Encrypt certificates: directions for that are in Carbonio Admin Panel; please refer to the dedicated article.
This setup is mandatory if Carbonio is used in conjunction with mobile apps; it is also suggested for any installation in order to avoid the client browser’s warning about an invalid certificate upon connection.
To learn more about infrastructure, wildcard, and domain certificates and understand which one you need, please refer to Section Virtual Hosts & Domain Certificates.
See also
You can manage SSL domain certificates from the Carbonio Admin Panel: check out Section Virtual Hosts & Domain Certificates.
Commercial Certificate Installation
We will describe the procedure by taking into account the following scenario:
The server FQDN is mail.example.com
No SSL certificate is available for the domain (no existing and usable wildcard-type certificate)
In the remainder, replace mail.example.com with your actual server FQDN.
The procedure consists of a few steps and requires console access to the Carbonio server.
Note
If you already have the certificate, you can skip Steps 1 and 2 and go straight to Step 3 below.
Step 1. Certificate Signing Request generation
If you do not yet have a certificate and need to request a new one, you must generate a CSR. First decide whether you need a normal or a wildcard certificate, then use the corresponding command below (the first is for a normal certificate, the second for a wildcard one), providing suitable values for your organisation.
$ /opt/zextras/bin/zmcertmgr createcsr comm -new -subject \
"/C=IT/ST=VR/L=Yourtown/O=YourCompany/OU=SampleDepartment/CN=mail.example.com" \
-subjectAltNames mail.example.com
Note
You can optionally include more than one (alternative) name by adding one or more -subjectAltNames options, each followed by the name to add, to the end of the command.
$ /opt/zextras/bin/zmcertmgr createcsr comm -new -subject \
"/C=IT/ST=VR/L=Yourtown/O=YourCompany/OU=SampleDepartment/CN=*.example.com"
In the above commands, the elements of the -subject option are the standard fields of an SSL certificate:
C: the two-letter country code
ST: State or Province
L: City
O: Organization Name
OU: Organization Unit (Department)
CN: Common Name
Once the command is executed these files will be generated:
# /opt/zextras/ssl/carbonio/commercial/commercial.key
# /opt/zextras/ssl/carbonio/commercial/commercial.csr
Step 2. Get the certificates from your SSL provider
To complete this step successfully, you need to submit the CSR to the SSL provider, get a commercial certificate in PEM format, and save it as commercial.crt.
Moreover, SSL providers also supply the intermediate certificate and the so-called Root CA in a bundled certificate file (“Full Chain CA”), which must be saved as commercial_ca.crt.
Step 3. Verification and deploy
Issue the following commands to verify that the certificate and your private key match:
- become the zextras user
# su - zextras
- upload the certificates received from the Authority to the /tmp directory
- verify the certificates
zextras$ cd /tmp
zextras$ zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key commercial.crt commercial_ca.crt
If the verification is successful, you can deploy the SSL certificate.
$ zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Finally, restart Carbonio.
$ zmcontrol restart
Your certificate should now be installed: verify the certificate details by running this command:
$ zmcertmgr viewdeployedcrt
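An independent cross-check that can be run before the deploycrt command in Step 3, as an added example that is not part of the Carbonio tooling or documentation: it uses the openssl CLI (assumed to be installed) to confirm that key, CSR and certificate carry the same public key, that the certificate covers the server FQDN, and that it verifies against the CA bundle. The function names and the script name precheck.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Carbonio: pre-deployment cross-checks using the
# openssl CLI (assumed to be installed). File names follow the steps above.

# Print the SHA-256 of the public key inside a PEM file.
# $1 = key|csr|crt, $2 = file. Fails on unreadable or malformed input.
pubkey_fp() {
    case "$1" in
        key) fp_pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) fp_pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) fp_pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$fp_pem" ] || return 1
    printf '%s\n' "$fp_pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if KEY ($1), CRT ($2) and the optional CSR ($3) share one key.
same_keypair() {
    kp_key=$(pubkey_fp key "$1") || return 1
    kp_crt=$(pubkey_fp crt "$2") || return 1
    [ "$kp_key" = "$kp_crt" ] || return 1
    [ -z "${3:-}" ] && return 0
    kp_csr=$(pubkey_fp csr "$3") || return 1
    [ "$kp_key" = "$kp_csr" ]
}

# Succeed only if certificate $1 is valid for host name $2.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Succeed only if openssl verify accepts certificate $1 given CA bundle $2.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Direct use: sh precheck.sh KEY CRT CA_BUNDLE FQDN [CSR]
if [ "$#" -ge 4 ]; then
    same_keypair "$1" "$2" "${5:-}" || { echo "FAIL: key mismatch" >&2; exit 1; }
    covers_host "$2" "$4" || { echo "FAIL: $4 not in certificate" >&2; exit 1; }
    chain_ok "$2" "$3" || { echo "FAIL: chain does not verify" >&2; exit 1; }
    echo "OK: key, host name and chain checks passed"
fi
```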