Deploy an SSL Certificate

Security

This section describes how to implement security on a typical Carbonio CE installation.

Place an SSL Certificate in Use

This section describes adding an SSL/TLS certificate to a Carbonio CE installation, including how to add a wildcard certificate as well as a certificate for a single server. Let’s Encrypt certificate installation and maintenance are supported by Carbonio CE; instructions for doing so may be found in a specific post on the Zextras Community portal.

This configuration is required if Carbonio CE is used with mobile apps; it is also advised for any installation to prevent the client browser’s connection-related warning about an invalid certificate.

See also

You can manage SSL domain certificates from the Carbonio Admin Panel: check out Virtual Hosts & Certificate.

Installation of Commercial Certificates

We describe the process assuming the following scenario:

  • The FQDN of the server is mail.example.com.
  • There isn’t a valid SSL certificate for the domain.

Replace mail.example.com with your actual server’s FQDN in the remaining text.

The process consists of a few steps and requires console access to the Carbonio CE server.

Step 1: Creation of a Certificate Signing Request

We begin by producing a CSR:

# /opt/zextras/bin/zmcertmgr createcsr comm -new -subject \
"/C=IT/ST=VR/L=Yourtown/O=YourCompany/OU=SampleDepartment/CN=mail.example.com" \
-subjectAltNames mail.example.com

where the elements of the subject correspond to the required fields of an SSL certificate:

  • C: The country’s two-letter code
  • ST: Province or State
  • L: City
  • O: Name of the Organisation
  • OU: Organisation Unit (Department)
  • CN: Common Name


Note

You can optionally include more than one (alternative) name by adding one or more -subjectAltNames options to the end of the command, each followed by the name to add.

These files will be created after the command has been run:

/opt/zextras/ssl/carbonio/commercial/commercial.key
/opt/zextras/ssl/carbonio/commercial/commercial.csr

Step 2: Get the certificates from your SSL supplier

You must submit the CSR to the SSL provider, obtain a commercial certificate in PEM format, and store it as /opt/zextras/ssl/carbonio/commercial/commercial.crt in order to properly finish this step.

Additionally, SSL providers give a packaged certificate file (referred to as a “Full Chain CA”) that must be stored as /opt/zextras/ssl/carbonio/commercial/commercial_ca.crt. This file contains the intermediate certificate and the so-called Root CA.

How to create a Full Chain CA

In some cases, however, the SSL provider may only provide the intermediate certificate, in which case you need to create the Full CA Chain yourself in order to install the certificate (for further information: https://knowledge.digicert.com/solution/SO16297.html).

If you don’t have a full CA chain bundle, download and save the root and the intermediate CA from your provider to temporary files, for example /tmp/ca_root.crt and /tmp/ca_intermediary.crt, then merge the two previously created temporary files into a single one:

# cat /tmp/ca_intermediary.crt /tmp/ca_root.crt > \
/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt

Step 3: Verify and implement

To ensure that the certificate and your private key are compatible, use the instructions below:

  • Enter the directory containing the certificates as the zextras user:

# su - zextras
zextras$ cd /opt/zextras/ssl/carbonio/commercial

  • Check the certificates:

zextras$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt

You can use the SSL certificate after a successful verification.

# zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Restart Carbonio CE to finish.

# zmcontrol restart

Your certificate should now be deployed. Run the following command to view the details of the deployed certificate:

# zmcertmgr viewdeployedcrt

Installing Wildcard Certificates

We employ the same server with the FQDN mail.example.com to illustrate this process, but in this instance a wildcard SSL certificate for the domain *.example.com already exists and was created on a server different than Carbonio CE’s.

As a result, you possess all the required documents, making the process easier in this instance.

Step 1: Certificate setup

The current PEM certificate must be saved as /opt/zextras/ssl/carbonio/commercial/commercial.crt and its private key must be saved as /opt/zextras/ssl/carbonio/commercial/commercial.key.

To combine the two certificates into one, navigate to /opt/zextras/ssl/carbonio/commercial/ and do as follows:

# cat commercial.crt commercial.key > commercial_ca.crt

Step 2: Verification and deployment

To ensure that the certificate and your private key are compatible, use the instructions below:

  • Enter the directory containing the certificates as the zextras user:

# su - zextras
zextras$ cd /opt/zextras/ssl/carbonio/commercial

  • Check the certificates:

zextras$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt

You can use the SSL certificate after a successful verification.

# zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Restart Carbonio CE to finish.

# zmcontrol restart

Your certificate should now be deployed. Run the following command to view the details of the deployed certificate:
 
# zmcertmgr viewdeployedcrt
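
The verification step of both procedures above can be cross-checked independently with openssl before running deploycrt. The script below is an added example, not part of Carbonio CE or zmcertmgr, and its function names are illustrative. It confirms that the key and certificate hold the same public key, that the certificate chains to the CA bundle, and that neither certificate file carries private key material, since commercial_ca.crt is described above as holding the intermediate and Root CA certificates.

```shell
#!/bin/sh
# Added example, not part of Carbonio or zmcertmgr; function names are illustrative.
# Pre-deployment checks for commercial.key, commercial.crt and commercial_ca.crt.

# Exit 0 if the file holds any PEM private-key block (RSA, EC, PKCS#8, encrypted).
has_private_key() {
    grep -Eq -- '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1"
}

# Print the number of PEM certificates in the file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Print the public key (PEM) of a certificate (x509) or a private key (pkey).
pubkey_pem() {  # $1 = x509|pkey  $2 = file
    case "$1" in
        x509) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        pkey) openssl pkey -in "$2" -pubout 2>/dev/null ;;
    esac
}

# Return 0 only if every check passes; print one line per failed check.
check_cert_set() {  # $1 = key  $2 = certificate  $3 = CA bundle
    rc=0
    key_pub=$(pubkey_pem pkey "$1") || key_pub=
    crt_pub=$(pubkey_pem x509 "$2") || crt_pub=
    # An unreadable key yields an empty string, which must never count as a match.
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: $1 and $2 do not hold the same public key"; rc=1
    fi
    if has_private_key "$2" || has_private_key "$3"; then
        echo "FAIL: private key material found in a certificate file"; rc=1
    fi
    n=$(count_certs "$3")
    if [ "${n:-0}" -lt 1 ]; then
        echo "FAIL: $3 contains no CA certificate"; rc=1
    elif ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "FAIL: $2 does not chain to the CAs in $3"; rc=1
    fi
    return "$rc"
}

# Run as: sh check_certs.sh commercial.key commercial.crt commercial_ca.crt
if [ "$#" -eq 3 ]; then
    check_cert_set "$1" "$2" "$3" && echo "OK: all checks passed"
fi
```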