Scribd
Upload
46 views4 pages

Infrastructure Domain SSL Certificate - Carbonio CE Admin Documentation

Uploaded by

Dario Sanchez
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
46 views4 pages

Infrastructure Domain SSL Certificate - Carbonio CE Admin Documentation

Uploaded by

Dario Sanchez
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

11/11/24, 12:46 p.m.

Infrastructure Domain SSL certificate — Carbonio CE Admin Documentation

Infrastructure Domain SSL


certificate
Contents
Deploy a Commercial SSL Certificate
This section contains guidelines to enforce security on a typical Carbonio CE installation.
Deploy a Commercial SSL Certificate
In this section we explain how to add an SSL/TLS certificate to a Carbonio CE installation.
Carbonio CE supports the installation and management of Let’s Encrypt certificates: you
can find directions for that in Carbonio Admin Panel, please refer to the dedicated article.
This setup is mandatory if Carbonio CE is used in conjunction with mobile apps; it is also
suggested for any installation in order to avoid the client browser’s warning about an
invalid certificate upon connection.
To learn more about infrastructure, wildcard, and domain certificates and understand
which one you need, please refer to Section Virtual Hosts & Domain Certificates.
 See also
You can manage SSL domain certificates from the Carbonio Admin Panel: check
out Section Virtual Hosts & Domain Certificates.

Commercial Certificate Installation


We will describe the procedure by taking into account the following scenario:
The server FQDN is mail.example.com
No SSL certificate is available for the domain (no existing and usable wildcard-type
certificate)
In the remainder, replace mail.example.com with your actual server FQDN.

https://docs.zextras.com/carbonio-ce/html/postinstall/sslcert.html 1/4
11/11/24, 12:46 p.m. Infrastructure Domain SSL certificate — Carbonio CE Admin Documentation

The procedure consists of a few steps and requires console access to the Carbonio CE
server.
 Note
If you already have the certificate, you can skip Steps 1. and 2. and go
immediately to Step 3 below.

Step 1. Certificate Signing Request generation


If you do not have a certificate yet, and you have to request a new one, you need to
generate a CSR. You need first to decide whether you need a normal or wildcard
certificate, then use either of these commands, providing suitable values according to
your organisation.
Normal certificate Wildcard certificate
$ /opt/zextras/bin/zmcertmgr cr $ /opt/zextras/bin/zmcertmgr cr
"/C=IT/ST=VR/L=Yourtown/O=YourC "/C=IT/ST=VR/L=Yourtown/O=YourC
-subjectAltNames mail.example.c

 Note
You can optionally include
more than one (alternative)
name by simply adding to
the end of the command one
ore more
-subjectAltNames options,
followed by the name to add.

In the above commands, the various elements in the -subject are the standard
fields of an SSL certificate:
C: the 2-digit country code
ST: State or Province
L: City
O: Organization Name
https://docs.zextras.com/carbonio-ce/html/postinstall/sslcert.html 2/4
11/11/24, 12:46 p.m. Infrastructure Domain SSL certificate — Carbonio CE Admin Documentation

OU: Organization Unit (Department)


CN: Common Name

Once the command is executed these files will be generated:


# /opt/zextras/ssl/carbonio/commercial/commercial.key
# /opt/zextras/ssl/carbonio/commercial/commercial.csr

Step 2. Get the certificates from your SSL provider


To complete this step successfully, you need to submit the CSR to the SSL provider, get a
commercial certificate in PEM format, and save it as commercial.crt .
Moreover, SSL providers supply also the intermediate certificate and the so-called Root
CA in a bundled certificate file (“Full Chain CA”), that must be saved as
commercial_ca.crt .

How to create a Full Chain CA


However, in some cases, the SSL provider may only provide
the intermediate certificate, in which case you need to
create the Full CA Chain in order to install the certificate (for
further information:

https://knowledge.digicert.com/solution/SO16297.html)
If you don’t have a full CA chain bundle, download and save
the root and the intermediate CA from your provider to
temporary files, for example /tmp/ca_root.crt and
/tmp/ca_intermediary.crt, then merge the two previously
created temporary files into a single one:

# cat /tmp/ca_intermediary.crt /tmp/ca_root.crt > \


/tmp/commercial_ca.crt

Step 3. Verification and deploy


Issue the following commands to verify that the certificate and your private key match:
https://docs.zextras.com/carbonio-ce/html/postinstall/sslcert.html 3/4
11/11/24, 12:46 p.m. Infrastructure Domain SSL certificate — Carbonio CE Admin Documentation

become the zextras user


# su - zextras

upload the certificates received from the Authority to the /tmp directory
verify the certificates
zextras$ cd /tmp
zextras$ zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/c

If the verification is successful, you can deploy the SSL certificate.


$ zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Finally, restart Carbonio CE.


$ zmcontrol restart

Your certificate should now be installed: verify the certificate details by running this
command:
$ zmcertmgr viewdeployedcrt

https://docs.zextras.com/carbonio-ce/html/postinstall/sslcert.html 4/4

You might also like