Zextras Carbonio Community Edition (CE): How to Install a Commercial SSL Certificate


To ensure trusted access to the Zextras Carbonio Community Edition server from various applications such as browsers, mobile apps, and more, we must install an SSL certificate.

The process consists of the following steps:

– Generate a CSR according to the certificate type (single, multi or wildcard)
– Give the CSR to the SSL provider
– Get the SSL certificate files from the SSL provider
– Install the SSL certificate on the Zextras Carbonio Community Edition server

# Generate CSR

Generate the CSR from the command line.

– Generate CSR for SSL Single Domain

```
su - zextras
/opt/zextras/bin/zmcertmgr createcsr comm -new -subject "/CN=mail.imanudin.web.id/C=ID/ST=Jawa Barat/L=Bekasi/O=Imanudin Inc/OU=IT"
```

The command above generates a CSR for a single-domain SSL certificate with the name mail.imanudin.web.id

– Generate CSR for SSL Multi Domain (UCC)

```
su - zextras
/opt/zextras/bin/zmcertmgr createcsr comm -new -subject "/CN=mail.imanudin.web.id/C=ID/ST=Jawa Barat/L=Bekasi/O=Imanudin Inc/OU=IT" -subjectAltNames mail.imanudin.com,mail.imanudin.net
```

The command above generates a CSR for a multi-domain (UCC) SSL certificate with 3 different names, i.e. mail.imanudin.web.id, mail.imanudin.com, and mail.imanudin.net

– Generate CSR for SSL Wildcard Domain

```
su - zextras
/opt/zextras/bin/zmcertmgr createcsr comm -new -subject "/CN=*.imanudin.web.id/C=ID/ST=Jawa Barat/L=Bekasi/O=Imanudin Inc/OU=IT"
```

The command above generates a CSR for a wildcard SSL certificate with the name *.imanudin.web.id

The CSR generated by any of the commands above is written to the file /opt/zextras/ssl/carbonio/commercial/commercial.csr

```
zextras@mail:~$ cat /opt/zextras/ssl/carbonio/commercial/commercial.csr
```

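Give that file to the SSL provider. Only the CSR is handed over; the matching private key (/opt/zextras/ssl/carbonio/commercial/commercial.key) stays on the server.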
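Before the CSR is submitted, its contents can be checked against what was intended. The script below is an added example, not part of the original post or of Carbonio's tooling: it uses plain openssl to confirm the CSR's self-signature, that the CSR carries the public half of the server's key, and that its subjectAltName lists exactly the expected hostnames. The demo key and CSR are constructed throwaway files, and check_csr and its helper functions are names made up for this example.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a CSR before sending it to the CA.
# On the server the real files are (paths from the article):
#   /opt/zextras/ssl/carbonio/commercial/commercial.csr and commercial.key

# SHA-256 over the DER public key, read from a CSR or from a private key
pubkey_hash()     { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }
csr_pubkey_hash() { openssl req  -in "$1" -noout -pubkey | pubkey_hash; }
key_pubkey_hash() { openssl pkey -in "$1" -pubout        | pubkey_hash; }

# DNS names requested in subjectAltName, one per line, sorted
csr_dns_names() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | sort
}

# check_csr CSR KEY NAME...  -> prints "ok" or the first problem found
check_csr() {
  local csr=$1 key=$2 want have; shift 2
  # 1. self-signature: the requester really holds the private key
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
    || { echo "bad CSR signature"; return 1; }
  # 2. the CSR must carry the public half of the key that stays on the server
  [ "$(csr_pubkey_hash "$csr")" = "$(key_pubkey_hash "$key")" ] \
    || { echo "CSR does not match key"; return 1; }
  # 3. requested names must be exactly the names the operator expects
  want=$(printf '%s\n' "$@" | sort)
  have=$(csr_dns_names "$csr")
  [ "$want" = "$have" ] \
    || { echo "SAN mismatch, CSR has: $(printf '%s' "$have" | tr '\n' ' ')"; return 1; }
  echo ok
}

# Constructed demo input: throwaway key + multi-domain CSR (not Carbonio's files)
demo=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$demo/demo.key" -out "$demo/demo.csr" -subj "/CN=mail.imanudin.web.id" \
  -addext "subjectAltName=DNS:mail.imanudin.web.id,DNS:mail.imanudin.com,DNS:mail.imanudin.net" \
  2>/dev/null

check_csr "$demo/demo.csr" "$demo/demo.key" \
  mail.imanudin.web.id mail.imanudin.com mail.imanudin.net
```

On the server, point check_csr at commercial.csr and commercial.key under /opt/zextras/ssl/carbonio/commercial/ and pass the hostnames you expect the CSR to contain.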

# Install Commercial SSL Certificate

You will receive the following files from the SSL provider:

– ca_bundle_sectigo.crt
– Intermediate_CA_sectigo.crt
– Root_CA_sectigo.crt
– mail_imanudin_web_id.crt

Save/upload the files above to the /tmp/ folder on the Zextras Carbonio Community Edition (CE) server

Change the owner of the files to the zextras user

```
cd /tmp/
chown zextras:zextras *.crt
```

Verify that the commercial private key matches the SSL certificate

```
zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/mail_imanudin_web_id.crt /tmp/ca_bundle_sectigo.crt
```

If they match, you can continue with installing the SSL certificate

```
zmcertmgr deploycrt comm /tmp/mail_imanudin_web_id.crt /tmp/ca_bundle_sectigo.crt
```

View the SSL certificate that has been installed

```
zextras@mail:~$ zmcertmgr viewdeployedcrt
- ldap: /opt/zextras/conf/slapd.crt
notBefore=May 28 00:00:00 2023 GMT
notAfter=May 28 23:59:59 2024 GMT
subject=CN = mail.imanudin.web.id
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
SubjectAltName=mail.imanudin.web.id, www.mail.imanudin.web.id
- mailboxd: /opt/zextras/mailboxd/etc/mailboxd.pem
notBefore=May 28 00:00:00 2023 GMT
notAfter=May 28 23:59:59 2024 GMT
subject=CN = mail.imanudin.web.id
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
SubjectAltName=mail.imanudin.web.id, www.mail.imanudin.web.id
- mta: /opt/zextras/conf/smtpd.crt
notBefore=May 28 00:00:00 2023 GMT
notAfter=May 28 23:59:59 2024 GMT
subject=CN = mail.imanudin.web.id
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
SubjectAltName=mail.imanudin.web.id, www.mail.imanudin.web.id
- proxy: /opt/zextras/conf/nginx.crt
notBefore=May 28 00:00:00 2023 GMT
notAfter=May 28 23:59:59 2024 GMT
subject=CN = mail.imanudin.web.id
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
SubjectAltName=mail.imanudin.web.id, www.mail.imanudin.web.id
```

Restart Zextras Carbonio CE

```
zmcontrol restart
```

Open the Zextras Carbonio Community Edition (CE) server in a browser, using the name on the SSL certificate: https://mail.imanudin.web.id

Good Luck 🙂
