Monday, May 28, 2012

Create a new cert in Zimbra 6

As root:
mkdir -p /root/backup/ssl/zimbra
mv /opt/zimbra/ssl/zimbra /root/backup/ssl/zimbra
cd /opt/zimbra/bin/
zmcertmgr createca -new
zmcertmgr createcrt -new -days 365
zmcertmgr deploycrt self
zmcertmgr deployca
zmcertmgr viewdeployedcrt

I really hope this works for you.

*********************************

ZCS Certificate CLI

The ZCS Certificate CLI commands for 7.0.x, 6.0.x and 5.0.x differ from 4.5.x. The following sections discuss the CLI tools for each version.

ZCS 7.0.x, 6.0.x, and 5.0.x

zmcertmgr

This command allows you to manage certificates.

General Guidelines

Follow these guidelines when using this command.
  • This tool must be run as root
Commercial Certificate Guidelines
Follow these guidelines when using this command to generate a commercial certificate.
  • The private key must exist in the /opt/zimbra/ssl/zimbra/commercial directory, and must be named commercial.key with its permission set to 740
  • The server certificate and the chain certificate files must exist in a temp directory. (E.g. /root/certs/)
  • The chain certificate files must be concatenated into one file called commercial_ca.crt

Syntax

zmcertmgr [options]

Description


Name Description
General Options
-help Displays usage options for zmcertmgr
Self-Signed Certificate Options
createca [-new] Generates a Certificate Authority (CA). The -new option forces the generation of a new CA.
deployca Deploys a CA.
createcsr <self|comm> [-new] [-subject subject] [-subjectAltNames "host1,host2"] Creates a certificate signing request (CSR) for either a self-signed or a commercially signed certificate. The -new option forces the generation of a new CSR. The -subject option sets the certificate subject (the distinguished name). The -subjectAltNames option lists additional hosts that may use the certificate other than the one named in the subject. The default subject is "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}".
createcrt [-new] [-days validation days] [-subject subject] [-subjectAltNames "host1,host2"] Creates a self-signed certificate based on the CSR generated using createcsr. The -new option forces the generation of a new certificate. The -days option sets the number of days for which the certificate is valid. The -subject option sets the certificate subject (the distinguished name). The -subjectAltNames option lists additional hosts that may use the certificate other than the one named in the subject. The default subject is "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}".
deploycrt <self> Deploys a self-signed certificate.
Self-Signed and Commercial Certificate Options
deploycrt <comm> [certfile] [ca_chain_file] Deploys a commercial certificate. Specify the certificate file and the certificate authority (CA) chain file.
savecrt Saves a certificate
viewcsr <self|comm> [csr_file] Shows a certificate signing request (CSR). Specify self for a CSR that will be self-signed and comm for one that will be submitted to a commercial CA. Optionally specify the CSR file to view.
viewdeployedcrt [all|ldap|mta|proxy|mailboxd] Shows a deployed certificate. This option only works for the local server.
viewstagedcrt <self|comm> [certfile] Shows a staged certificate. A staged certificate is placed in a staging file, where all files that will be deployed with the certificate are kept. You can use the staging area to verify that you are ready to deploy a certificate. Specify self if the certificate is self-signed. Specify comm if the certificate is commercial. Specify the certificate file to view.
verifycrt <self|comm> [priv_key] [certfile] Verifies that a certificate matches a private key. Specify self if the certificate is self-signed. Specify comm if the certificate is commercial. Then specify the private key file and the certificate file.
verifycrtchain <ca_file> <certfile> Verifies that a certificate chains to a CA. Specify the CA (or concatenated chain) file and the certificate file.

Examples

The following are examples of using the above options for different installation scenarios.
Single-Node Self-Signed Certificate
1. Begin by generating a new Certificate Authority (CA).
 /opt/zimbra/bin/zmcertmgr createca -new
2. Then generate a certificate signed by the CA that expires in 365 days.
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
3. Next deploy the certificate.
 /opt/zimbra/bin/zmcertmgr deploycrt self
4. Next deploy the CA.
 /opt/zimbra/bin/zmcertmgr deployca
5. To finish, verify the certificate was deployed to all the services.
 /opt/zimbra/bin/zmcertmgr viewdeployedcrt
Multi-Node Self-Signed Certificate
1. Begin by generating a new Certificate Authority (CA).
 /opt/zimbra/bin/zmcertmgr createca -new
2. Then generate a certificate signed by the CA that expires in 365 days with either wild-card or subject altnames.
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=CA/L=NVA/O=ZCS/OU=ZCS/CN=*.domain.tld"
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subjectAltNames "host1.domain.tld,host2.domain.tld"
3. Next, deploy the certificate to all nodes in the deployment.
 /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
4. To finish, verify the certificate was deployed.
 /opt/zimbra/bin/zmcertmgr viewdeployedcrt
Note: The option viewdeployedcrt only works for the local server.
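After steps 3 and 4, the two things worth confirming on each node are that the deployed certificate actually names every node (the wildcard subject or the -subjectAltNames list has to cover each hostname clients connect to) and that the 365-day certificate is not about to lapse. The POSIX shell functions below are an added example, not part of zmcertmgr or the Zimbra documentation; they need only openssl on PATH and take any PEM certificate file. The path /opt/zimbra/ssl/zimbra/server/server.crt in the usage comment is an assumed location for the deployed self-signed certificate.

```shell
#!/bin/sh
# Post-deployment checks for a Zimbra self-signed certificate. Added example,
# not part of zmcertmgr; needs only openssl on PATH. Works on any PEM
# certificate file; /opt/zimbra/ssl/zimbra/server/server.crt in the usage
# comment below is an ASSUMED location for the deployed self-signed cert.

# cert_hostnames CERT: print the subject CN and every DNS subjectAltName,
# one per line.
cert_hostnames() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p'
}

# name_matches PATTERN HOST: case-insensitive exact match, or a single-label
# wildcard match (*.domain.tld covers host1.domain.tld, but not
# a.b.domain.tld and not domain.tld itself).
name_matches() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pat in
    \*.*) [ "${host#*.}" = "${pat#\*.}" ] && [ "${host%%.*}" != "$host" ] ;;
    *)    [ "$pat" = "$host" ] ;;
  esac
}

# cert_covers CERT HOST: exit 0 if HOST is named by the certificate.
cert_covers() {
  for n in $(cert_hostnames "$1"); do
    name_matches "$n" "$2" && return 0
  done
  return 1
}

# cert_expires_within CERT DAYS: exit 0 if the certificate expires within DAYS
# (openssl's -checkend succeeds only when the cert is still valid after N s).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_cert CERT HOST...: one line per node plus an expiry warning; the
# exit status is the number of problems (0 = every node covered, not expiring).
check_cert() {
  cert=$1; shift
  problems=0
  for h in "$@"; do
    if cert_covers "$cert" "$h"; then
      echo "ok    $h"
    else
      echo "MISS  $h is not named by the certificate"
      problems=$((problems + 1))
    fi
  done
  if cert_expires_within "$cert" 30; then
    echo "WARN  certificate expires within 30 days; rerun createcrt and deploycrt"
    problems=$((problems + 1))
  fi
  return $problems
}

# Usage (path and hostnames are examples):
#   check_cert /opt/zimbra/ssl/zimbra/server/server.crt host1.domain.tld host2.domain.tld
```

The wildcard rule is deliberately strict: a certificate for *.domain.tld is accepted for host1.domain.tld only, never for a deeper label or for the bare domain, which matches what browsers and mail clients enforce.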
Single-Node Commercial Certificate
1. Begin by generating a Certificate Signing Request (CSR).
 /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Yahoo/OU=Zimbra Collaboration Suite" -subjectAltNames host.example.com
2. Next, submit the CSR to the SSL provider and get a commercial certificate in PEM format. Save the new certificate to a temporary file (e.g. /tmp/commercial.crt).
3. Now, download and save the root Certificate Authority (CA) from your provider to a temporary file. (e.g. /tmp/ca.crt)
4. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)
5. Combine root and intermediary CAs into a temporary file.
 cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt
6. Verify your commercial certificate.
 /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
 **Verifying /tmp/commercial.crt against
 /opt/zimbra/ssl/zimbra/commercial/commercial.key
 Certificate (/tmp/commercial.crt) and private key
 (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
 Valid Certificate: /tmp/commercial.crt: OK
7. Deploy your commercial certificate.
 /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
 ** Verifying /tmp/commercial.crt against
 /opt/zimbra/ssl/zimbra/commercial/commercial.key
 Certificate (/tmp/commercial.crt) and private key
 (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
 Valid Certificate: /tmp/commercial.crt: OK
 **Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 **Appending ca chain /tmp/ca_chain.crt to
 /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 **Saving server config key zimbraSSLCertificate…done.
 **Saving server config key zimbraSSLPrivateKey…done.
 **Installing mta certificate and key…done.
 **Installing slapd certificate and key…done.
 **Installing proxy certificate and key…done.
 **Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
 **Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.
 **Installing CA to /opt/zimbra/conf/ca…done.
8. To finish, verify the certificate was deployed.
 /opt/zimbra/bin/zmcertmgr viewdeployedcrt
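Step 6 is the check that matters most before deploying, and it can be reproduced with openssl alone, which lets you verify the files on any machine before touching the Zimbra install. The shell functions below are an added example, not part of zmcertmgr or the Zimbra documentation; they assume openssl on PATH and use the file names from the commercial-certificate guidelines above. One caveat on step 5: the functions build the chain file with the intermediate first and the root last, the order in which a TLS server is expected to send its chain; concatenating the root first, as step 5 does, is tolerated by most clients but is not the canonical order.

```shell
#!/bin/sh
# Pre-flight checks for a commercial certificate before 'zmcertmgr deploycrt comm'.
# Added example, not part of zmcertmgr; needs only openssl on PATH. File names
# follow the guidelines above (commercial.key, commercial.crt, commercial_ca.crt).

# build_chain OUT CA...: concatenate the CA certificates into one chain file;
# pass the intermediate(s) first and the root last.
build_chain() {
  out=$1; shift
  cat "$@" > "$out"
}

# key_not_world_readable KEY: exit 0 if 'other' has no permission bits
# (the guidelines above want commercial.key at mode 740).
key_not_world_readable() {
  [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# key_matches_cert KEY CERT: compare SHA-256 of the DER-encoded public keys,
# which works for RSA and EC keys alike; exit 0 on match.
key_matches_cert() {
  openssl pkey -in "$1" -noout 2>/dev/null || return 1
  openssl x509 -in "$2" -noout 2>/dev/null || return 1
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_chains_to CHAIN CERT: exit 0 if CERT verifies up to a root in CHAIN.
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight KEY CERT CHAIN: run every check, one result line each; the exit
# status is the number of failures (0 = safe to run deploycrt comm).
preflight() {
  key=$1; cert=$2; chain=$3; fails=0
  if key_not_world_readable "$key"; then
    echo "ok    key permissions"
  else
    echo "FAIL  $key is readable by others (chmod 740)"; fails=$((fails + 1))
  fi
  if key_matches_cert "$key" "$cert"; then
    echo "ok    key matches certificate"
  else
    echo "FAIL  $cert was not issued for $key"; fails=$((fails + 1))
  fi
  if cert_chains_to "$chain" "$cert"; then
    echo "ok    certificate chains to $chain"
  else
    echo "FAIL  $cert does not chain to $chain (missing intermediate?)"; fails=$((fails + 1))
  fi
  return $fails
}

# Usage (paths as in the guidelines above):
#   build_chain /tmp/ca_chain.crt /tmp/ca_intermediary.crt /tmp/ca.crt
#   preflight /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
```

The key/certificate comparison hashes the public key rather than the RSA modulus, so the same check keeps working if the provider issues an EC certificate; the chain check fails loudly when only the root is supplied and the intermediate is missing, which is the most common deploycrt mistake.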

Wednesday, May 23, 2012

Cisco PPTP VPN server

On the Cisco IOS router

First, you must make some changes on your router: enable VPDN (virtual private dial-up networking). This is used for VPN client connectivity, as opposed to site-to-site, always-up VPN connectivity. To do so use this command:
Router(config)# vpdn enable
Create a VPDN group configured to PPTP, just like the Microsoft VPN client will use, by default:
Router(config)# vpdn-group TEST-VPN
Router(config-vpdn)# accept-dialin
Router(config-vpdn)# protocol pptp
Router(config-vpdn)# virtual-template 1
Router(config-vpdn)# exit
Here, we configure the two interfaces used in this example. Naturally, your IP address configuration will vary:
Router(config)# interface ethernet0/0
Router(config-if)# ip address 10.253.15.19 255.255.0.0
Router(config-if)# no shutdown
Router(config)# interface ethernet0/1
Router(config-if)# ip address 10.123.123.123 255.255.255.0
Router(config-if)# no shutdown
Next, create the virtual-template that will apply to the inbound VPN connections. This template references the e0/1 interface for its IP address. It also references a pool of IP addresses that will be handed out to VPN clients. Finally, it configures the PPP encryption and authentication mechanisms to match what the Microsoft VPN client defaults to. Note that these defaults are the permissive ones: "mppe auto" lets the client negotiate 40- or 56-bit keys, and "ms-chap" accepts MS-CHAP version 1 alongside version 2. Pinning "ppp encrypt mppe 128 required" and "ppp authentication ms-chap-v2", as the second configuration at the end of this post does, is the tighter choice:
Router(config)# interface Virtual-Template1
Router(config-if)# ip unnumbered Ethernet0/1
Router(config-if)# peer default ip address pool defaultpool
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2
Now, create the pool of IP addresses. This pool should not already be in use on the internal network you are connecting to:
Router(config)# ip local pool defaultpool 10.123.123.1 10.123.123.10
After that, create a test user. The "password 0" form stores the password in the running configuration in clear text; "username test secret <password>" stores a hash instead, and the test account should be removed once real users or RADIUS are in place:
Router(config)# username test password 0 test
Finally, configure authentication for PPP to use the local database. If you had a RADIUS server, this is where you would point to the RADIUS server instead of the local database:
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default local
The complete configuration looks like this:
username test password 0 test
aaa new-model
!
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group TEST-VPN
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Ethernet0/0
 ip address 10.253.15.19 255.255.0.0
 no shutdown
!
interface Ethernet0/1
 ip address 10.123.123.123 255.255.255.0
 no shutdown
!
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool defaultpool 10.123.123.1 10.123.123.10

*********************************


vpdn enable
!
vpdn-group PPTP-Group
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
async-bootp gateway 10.123.3.1
async-bootp dns-server 206.13.28.12
!
interface Virtual-Template1
 ip address 10.123.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool PPTP
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
ip local pool PPTP 10.123.3.100 10.123.3.200
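A practitioner standing up either of the two configurations above would want to check which of the permissive Microsoft-client defaults survived into the running-config: MS-CHAP version 1, MPPE negotiated at "auto" (40- or 56-bit keys accepted) or not required at all, and local accounts with type-0 passwords. The script below is an added example, not Cisco tooling or part of the original post; it greps an exported running-config (for example the output of "show running-config" saved to a file) and reports each weakness. Run against the first configuration it yields three findings, against the second none, which is exactly the difference between the two pastes. Independent of these settings, the MS-CHAPv2 handshake used by PPTP is itself breakable with a single-DES key search (demonstrated at DEF CON 20 in 2012), so this is a hardening check for an existing deployment, not an endorsement of the protocol.

```shell
#!/bin/sh
# Audit an exported Cisco IOS running-config for the permissive PPTP settings
# discussed above. Added example, not Cisco tooling or part of the original
# post. Usage: audit_pptp_config FILE   (exit status = number of findings).

_findings=0
finding() {
  echo "FINDING: $1"
  _findings=$((_findings + 1))
}

audit_pptp_config() {
  cfg=$1
  _findings=0

  # 1. PPP authentication: pap sends the password, chap exposes it to an
  #    offline dictionary attack, and ms-chap (v1) is weaker than ms-chap-v2.
  if grep -Eq '^[[:space:]]*ppp authentication( .*)? (pap|chap|ms-chap)([[:space:]]|$)' "$cfg"; then
    finding "ppp authentication permits pap/chap/ms-chap v1; use 'ppp authentication ms-chap-v2'"
  fi

  # 2. MPPE must be present, required, and pinned to 128-bit; 'auto' lets the
  #    client settle for 40- or 56-bit keys.
  if ! grep -Eq '^[[:space:]]*ppp encrypt mppe' "$cfg"; then
    finding "no 'ppp encrypt mppe' on the virtual-template; tunnel traffic is sent in the clear"
  else
    grep -Eq '^[[:space:]]*ppp encrypt mppe .*required' "$cfg" \
      || finding "MPPE is optional; add 'required'"
    grep -Eq '^[[:space:]]*ppp encrypt mppe 128' "$cfg" \
      || finding "MPPE strength not pinned; use 'ppp encrypt mppe 128 required'"
  fi

  # 3. 'username NAME password ...' keeps a type-0 (clear) or type-7
  #    (reversible) secret; 'username NAME secret ...' keeps a hash.
  if grep -Eq '^username [^ ]+ password ' "$cfg"; then
    finding "local account with reversible password; use 'username NAME secret PASSWORD'"
  fi

  return $_findings
}

# Demo on the first configuration from the post above (constructed sample
# input, trimmed to the lines the audit looks at).
demo_audit() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
username test password 0 test
aaa new-model
aaa authentication ppp default local
vpdn enable
vpdn-group TEST-VPN
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
EOF
  audit_pptp_config "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

demo_audit
echo "findings: $?"   # 3
```

The regular expressions anchor on whole words so that "ms-chap-v2" is not mistaken for "ms-chap"; the third check matches only the "password" keyword, so accounts converted to "username NAME secret ..." stop being reported.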