What are the commercial_ca.crt, commercial.crt and commercial.key files (2024)

After a customer orders an SSL service at 123HOST, the technical team activates the SSL service for the customer. The customer then receives 3 files used to install SSL on the hosting. The 3 files are:

PRIVATE KEY – CERTIFICATE – CA

+ PRIVATE KEY file: the customer obtains it when generating the CSR (generate the CSR at: http://csrgen.123host.vn/).

+ CERTIFICATE and CA files: the customer can get these 2 files from the service management page: client.123host.vn

+ Download the 2 files, Cert and CA Bundle:

+ At this point the customer has the 3 files needed to install SSL on the hosting.

Step 2: Upload the certificate to the Zimbra server

+ Upload the private key, certificate and CA certificate files to the server and place them in the directory /opt/zimbra/ssl/zimbra/commercial.

Note: You should back up the directory /opt/zimbra/ssl/zimbra/commercial before proceeding, so that you can restore the previous state if something goes wrong.

+ Rename the 3 files to commercial.key, commercial.crt and commercial_ca.crt respectively.

+ The directory /opt/zimbra/ssl/zimbra/commercial will now contain the following files: commercial.key, commercial.crt, commercial_ca.crt.

Using the zmcertmgr tool, the Zimbra system creates the CSR and also automatically backs up the existing certificate.

zimbra@help:# /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=help.zimbra.com"
Generating a server csr for download comm -new -subject /C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=help.zimbra.com
Creating /opt/zimbra/conf/zmssl.cnf...done
Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20141006233154
Creating /opt/zimbra/conf/zmssl.cnf...done
Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
Saving server config key zimbraSSLPrivateKey...done.
root@help:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/bin/zmcertmgr viewcsr comm commercial.csr
subject=/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=help.zimbra.com
SubjectAltName=
zimbra@help:#

We will need these two files, located in /opt/zimbra/ssl/zimbra/commercial/:

  • commercial.csr: This is the file that we need to provide to the Certificate Authority (CA).
  • commercial.key: The private key. We need to save it, or back it up, if we want to install the certificate on another server or restore it in case of failure.

Checking the content of the CSR - SSL Certificate

Now we can check through the CLI whether everything in the CSR is all right with the following command:

zimbra@help:/tmp# /opt/zimbra/bin/zmcertmgr viewcsr comm commercial.csr
subject=/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=help.zimbra.com
SubjectAltName=

Another good way to check that everything is all right is to use an external website. The only thing we need to do is paste in our CSR content, which we can view with the more command. The CSR contains only the public key and the subject details, so it is safe to paste into such a page; the private key in commercial.key must never be pasted anywhere.

zimbra@help:/tmp# more /opt/zimbra/ssl/zimbra/commercial/commercial.csr

We recommend one of these three:

  • Comodo DecodeCSR
  • Symantec CSR Check
  • SSLShopper CSR Decoder

Using these pages is easy: we just copy the CSR content and paste it into the page. Take a look at this example on the Symantec website:

Buying the Commercial SSL Certificate

The next step is to buy a valid commercial SSL certificate. There are many websites around the world that you can use. These companies will ask for the CSR and our business information. Once the verification succeeds, they will send us a file with the SSL certificate (usually a file with a .crt extension).

Installing the Commercial SSL Certificate

Once we have everything from our SSL Certificate Authority, it is time to put it in the correct folder.

Creating the commercial.crt

This file is easy to create: we only need to create it and paste in the content of the file that the Certificate Authority gave us:

zimbra@help:/tmp# vi commercial.crt

Creating the commercial_ca.crt

The file called commercial_ca.crt needs to be created with the correct information. We need to combine the Root Certificate and the Intermediate Certificate, and the order matters: the file must contain the CA intermediate (or intermediates) first and the CA root last, one directly after the other, separated only by a single line break:

zimbra@help:/tmp# vi commercial_ca.crt

For example, this is how the file commercial_ca.crt looked in September 2014 for a GeoTrust QuickSSL Premium certificate:


Checking if every file is OK

Even after following all of these steps, something could have gone wrong, so we should check that everything is all right before deploying the SSL certificate. To test all the files we run the following:

zimbra@help:# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt

If everything is all right, the result of the command will be:

Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK
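
The same three properties (key matches certificate, bundle ordered intermediate-first and root-last, signatures verify) can be checked with plain openssl before deploying. The script below is an added example, not part of the original guide or of zmcertmgr; the function names, the constructed test chain and the reversed_ca.crt file are assumptions made for illustration.

```bash
# Added example: checks for commercial.key / commercial.crt / commercial_ca.crt.

# Succeeds when the private key and the certificate hold the same public key.
key_matches_cert() {  # KEY CRT
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# Succeeds when the bundle chains up from CRT: intermediate(s) first, root last.
bundle_order_ok() {  # CRT CA_BUNDLE
  local d n i want subj iss
  n=$(grep -c 'BEGIN CERTIFICATE' "$2") && d=$(mktemp -d) || return 1
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$2"
  want=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)
  for i in $(seq 1 "$n"); do
    subj=$(openssl x509 -in "$d/$i.pem" -noout -subject_hash 2>/dev/null)
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer_hash 2>/dev/null)
    [ -n "$want" ] && [ "$subj" = "$want" ] || { rm -rf "$d"; return 1; }
    want=$iss                     # the next entry must be this entry's issuer
  done
  rm -rf "$d"
  [ "$subj" = "$iss" ]            # the last entry must be the self-signed root
}

# Succeeds when the signatures verify up to the root in the bundle.
chain_verifies() {  # CRT CA_BUNDLE
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Builds a constructed root -> intermediate -> server chain in DIR (test data).
make_demo_chain() {  # DIR
  ( cd "$1" && echo 'basicConstraints=critical,CA:TRUE' > ca.ext &&
    for n in root int commercial; do
      openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
        -subj "/CN=constructed-$n.example.test" || exit 1
    done &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -out root.crt &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile ca.ext -out int.crt &&
    openssl x509 -req -in commercial.csr -CA int.crt -CAkey int.key \
      -CAcreateserial -out commercial.crt &&
    cat int.crt root.crt > commercial_ca.crt &&  # intermediate first, root last
    cat root.crt int.crt > reversed_ca.crt       # wrong order, for contrast
  ) >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo_chain "$d" || exit 1
bundle_order_ok "$d/commercial.crt" "$d/reversed_ca.crt" || echo "reversed bundle rejected"
```

On a real server, call the three check functions with the files in /opt/zimbra/ssl/zimbra/commercial instead of the constructed chain.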

Launching the last command

If we had no issues in the previous step, it is time to launch the last two commands:

zimbra@help:/tmp# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

The log output will look like this:


Single-Node Multi-SAN Commercial Certificate

Having a Multi-SAN certificate simplifies the task of securing the Zimbra infrastructure with a single certificate, so we will have only one CSR to renew each year, and so on. Multi-SAN SSL certificates also let us add more alternative names if we need them, or modify existing ones; we only need to generate the CSR with the changes and send it to the Certificate Authority.

Generating the MultiSAN.csr file

We will create a file that we can update for each domain that we need to use in the future. We can also update it to remove or modify the domains inside it.

We start by moving to the correct folder on our server to generate the files that we will need:


Then it is time to create the CSR file. In this file we need to change the name of our private key, our Common Name and the alternative domains that we want to protect with our SSL certificate.


Checking the content of the SSL Certificate

Now we can check through the CLI whether everything in the SSL certificate request is all right with the following command:


We will check the CSR that we have generated. Just copy the result of this command:


And paste it into any of these CSR decoder websites:

  • Comodo DecodeCSR
  • Symantec CSR Check
  • SSLShopper CSR Decoder


Buying the Commercial SSL Certificate

The next step is to buy a valid commercial SSL certificate. There are many websites around the world that you can use. These companies will ask for the CSR and our business information. Once the verification succeeds, they will send us a file with the SSL certificate (usually a file with a .crt extension).

Installing the Commercial SSL Certificate

We can use the same instructions explained here:

Creating the commercial_ca.crt

We can use the same instructions explained here:

Checking if every file is OK

We can use the same instructions explained here:

Launching the last command

We can use the same instructions explained here:

Forcing the Server to use only HTTPS

We can use the same instructions explained here:

Forcing the Server to use only HTTPS

Now that we have a valid SSL certificate, the best option is to force our server to use only SSL for Web Client access. To do this we will use the zmtlsctl command. Let's take a look at all of the options here: