SSL certificate for infrastructure

This section covers security considerations for a typical Carbonio installation.

Install an SSL Certificate

This section describes how to add an SSL/TLS certificate to a Carbonio installation, including both a single server certificate and a wildcard certificate. Carbonio supports the installation and maintenance of Let’s Encrypt certificates; detailed instructions are available on the Zextras Community page.

This configuration is required if Carbonio is used in combination with mobile applications; it is also recommended for any installation to prevent the client browser’s warning about an invalid certificate upon connecting.

Installation of Commercial Certificates

We will describe the technique by using the following scenario:

  • The FQDN of the server is mail.example.com.
  • The domain does not have an SSL certificate.

Replace mail.example.com with your actual server FQDN in the remainder.

The technique is simple and requires console access to the Carbonio server.

Step 1: Create a Certificate Signing Request.

We begin by generating a CSR, where the items in the subject are the standard SSL certificate fields:

  • C: the two-letter country code
  • ST: State or Province
  • L: City
  • O: Name of Organisation
  • OU: Organisation Unit (Department)
  • CN: Common Name

Following the execution of the command, the following files will be generated:

Step 2: Obtain your SSL certificates from your SSL supplier.

To successfully finish this step, send the CSR to the SSL provider and obtain a commercial certificate in PEM format, which you should store as /opt/zextras/ssl/carbonio/commercial/commercial.crt.

Furthermore, SSL providers include the intermediate certificate as well as the so-called Root CA in a packaged certificate file (“Full Chain CA”), which must be stored as /opt/zextras/ssl/carbonio/commercial/commercial_ca.crt.

Step 3: Validation and deployment

To ensure that the certificate and your private key match, run the following commands:

As the zextras user, go to the directory where the certificates are kept:

  • Check the certificates.
  • If the verification is successful, the SSL certificate can be deployed.
  • Finally, restart Carbonio.
  • Your certificate should now be ready to use. Run the following command to validate the certificate details:

Installation of a Wildcard Certificate

To demonstrate this technique, we use the same server with the FQDN mail.example.com, but there is already a wildcard SSL certificate for the domain *.example.com that was produced on a server other than the Carbonio server.

As a result, you have all of the required credentials, and the method is simpler in this situation.

Step 1: Create certificates

Save the current PEM certificate and private key as /opt/zextras/ssl/carbonio/commercial/commercial.crt and /opt/zextras/ssl/carbonio/commercial/commercial.key, respectively.

Now, navigate to /opt/zextras/ssl/carbonio/commercial/ and combine the two certificates into one:

Step 2: Validation and deployment

To ensure that the certificate and your private key match, run the following commands:

As the zextras user, go to the directory where the certificates are kept:

  • Check the certificates.
  • If the verification is successful, the SSL certificate can be deployed.
  • Finally, restart Carbonio.
  • Your certificate should now be ready to use. Run the following command to validate the certificate details:
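
The key-match and chain checks from the two "Validation and deployment" steps, shown as an added example with plain openssl; it is not taken from the Carbonio documentation and does not use Carbonio's own tooling. It builds a throwaway CA, certificate and key in a temporary directory, reusing the file names commercial.crt, commercial.key and commercial_ca.crt from above; the function names and other.key are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: pre-deployment checks on constructed demo material.

# Succeeds only if the certificate's public key equals the one derived
# from the private key. Arguments: certificate file, private key file.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate chains to the given CA bundle.
# Arguments: CA bundle file, certificate file.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample input: a demo CA, a certificate for mail.example.com
# signed by it, and an unrelated key, all written to directory $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca.key" -out "$1/commercial_ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
        -keyout "$1/commercial.key" -out "$1/commercial.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/commercial.csr" -days 1 \
        -CA "$1/commercial_ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/commercial.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 1
    cert_matches_key "$d/commercial.crt" "$d/commercial.key" &&
        echo "commercial.key matches commercial.crt"
    cert_matches_key "$d/commercial.crt" "$d/other.key" ||
        echo "other.key does not match commercial.crt"
    chain_verifies "$d/commercial_ca.crt" "$d/commercial.crt" &&
        echo "commercial.crt chains to commercial_ca.crt"
    rm -rf "$d"
}

demo
```

On a real server, point the two check functions at the files under /opt/zextras/ssl/carbonio/commercial/ before deploying; a key mismatch or a chain failure at this stage means the wrong file was saved or the CA bundle is incomplete.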