Infrastructure SSL certificates

This section provides suggestions for enforcing security on a typical Carbonio CE installation.

Deploy an SSL Certificate

This section describes how to add an SSL/TLS certificate to a Carbonio CE installation, covering both a single-server certificate and a wildcard certificate. Carbonio CE also allows you to install and maintain Let’s Encrypt certificates; instructions can be found in a dedicated post on the Zextras Community portal.

This configuration is required if Carbonio CE is used with mobile apps; it is also recommended for any installation to avoid the client browser warning about an invalid certificate during connection.

Commercial Certificate Installation

We will discuss the process by considering the following scenario:

The server’s FQDN is mail.example.com.

There is no SSL certificate available for the domain.

In the remainder, replace mail.example.com with your actual server’s FQDN.

The procedure consists of a few steps and requires console access to the Carbonio CE server.

Where the different parts of the subject are the usual fields of an SSL certificate:

  • C: a two-digit country code
  • ST: State or province
  • L: City
  • O: Organization’s name
  • OU: Organizational Unit (department)
  • CN: Common Name

Once the command is performed, the following files will be generated:

Step 2: Get certificates from your SSL provider.

To properly finish this step, you must submit the CSR to the SSL provider, obtain a commercial certificate in PEM format, and store it at /opt/zextras/ssl/carbonio/commercial/commercial.crt.

Furthermore, SSL providers include both the intermediate certificate and the so-called Root CA in a packaged certificate file (“Full Chain CA”) that must be stored as /opt/zextras/ssl/carbonio/commercial/commercial_ca.crt.

Step 3: Verify and deploy.

To check that the certificate and your private key match, use the following commands:

Become the zextras user.

Navigate to the directory where the certificates are stored:

Verify the certificates.

If the verification is successful, you can install the SSL certificate.

Finally, start Carbonio CE.

Your certificate should now be installed. Run the following command to validate the certificate details:

Wildcard Certificate Installation

To demonstrate this procedure, we use the same server, with FQDN mail.example.com, but this time a wildcard SSL certificate for the domain *.example.com already exists, produced on a server other than the Carbonio CE one.

As a result, you already have everything required, and the procedure in this case is simpler.

Step 1: Set up certificates

The existing PEM certificate and its private key should be saved as /opt/zextras/ssl/carbonio/commercial/commercial.crt and /opt/zextras/ssl/carbonio/commercial/commercial.key, respectively.

Now, navigate to /opt/zextras/ssl/carbonio/commercial/ and combine the two certificates into one:

Step 2: Verify and deploy.

To check that the certificate and your private key match, use the following commands:

Log in as the zextras user and navigate to the directory where the certificates are stored.

Verify the certificates.

If the verification is successful, you can install the SSL certificate.

Finally, start Carbonio CE.

Your certificate should now be installed. Run the following command to validate the certificate details:
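An added example, not part of the Carbonio documentation and not the Carbonio command the steps above refer to: an independent openssl pre-check, usable in either scenario, that confirms the private key matches the certificate, the certificate chains to commercial_ca.crt, it covers the server's FQDN (directly or through a wildcard), and it has not expired. The function names and the DIR override are assumptions of this example; the file paths are the ones given above.

```bash
#!/usr/bin/env bash
# Added example: openssl pre-checks for the certificate files named on this page.
# Function names and the DIR override are this example's own, not Carbonio's.
DIR="${DIR:-/opt/zextras/ssl/carbonio/commercial}"

# 0 if the certificate carries the public key derived from the private key.
cert_matches_key() {    # cert_matches_key <crt> <key>
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 if the certificate chains to the bundle (intermediate + root in one file).
chain_verifies() {      # chain_verifies <crt> <ca_bundle>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is valid for the host name; a wildcard name counts.
cert_covers_host() {    # cert_covers_host <crt> <fqdn>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if the notAfter date has not passed yet.
cert_not_expired() {    # cert_not_expired <crt>
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

run_check() {           # run_check <label> <command...>
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# Runs every check against the files in $DIR; returns the number of failures.
precheck() {            # precheck <fqdn>
    fails=0
    run_check "private key matches certificate" \
        cert_matches_key "$DIR/commercial.crt" "$DIR/commercial.key"
    run_check "certificate chains to commercial_ca.crt" \
        chain_verifies "$DIR/commercial.crt" "$DIR/commercial_ca.crt"
    run_check "certificate covers $1" cert_covers_host "$DIR/commercial.crt" "$1"
    run_check "certificate has not expired" cert_not_expired "$DIR/commercial.crt"
    return "$fails"
}

# Usage: ./precheck.sh mail.example.com   (does nothing without an argument)
[ "$#" -eq 0 ] || precheck "$1"
```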