Installing a Gandi Commercial Certificate on ZCS

 - This is archive documentation, which means it is not supported or valid for recent versions of Zimbra Collaboration.
 - This article is a Community contribution and may include unsupported customizations.
Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 7.0 Article ZCS 7.0 ZCS 6.0 Article ZCS 6.0

Everything as root ...

  • First copy all your gandi certificates, for instance in /tmp/gandi

Gandi is not a top level Certifying Authority, so we need some extra certificates

       aptitude install ca-certificates


  • Create a bundle with user trust CA file and the Gandi CA file
       cd /tmp/gandi
       cat /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem GandiStandardSSLCA.pem > GandiBundle.pem


  • Backup the SSL commercial directory, then erase it
       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.tar.gz *
       rm  *


  • Copy the required files in the directory /opt/zimbra/ssl/zimbra/commercial/
        #commercial.csr ( the certificate signing request that you sent to gandi ) 
        cp /tmp/gandi/star-gandi.mydomain.com.csr commercial.csr
        # commercial.key ( your private key )
        cp /tmp/gandi/star-gandi.mydomain.com.key commercial.key
        # commercial_ca.crt( bundle created above ) 
        cp /tmp/gandi/GandiBundle.pem commercial_ca.crt
        # Verify our Gandi Certificate against the private key
        /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/star-gandi.mydomain.com.crt 
        ** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against commercial.key
        Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (commercial.key) match.
        Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK
        # Verify our Gandi Certificate against the Certificate Authority Chain
        /opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/star-gandi.mydomain.com.crt 
        Valid Certificate Chain: /tmp/gandi/star-gandi.mydomain.com.crt: OK
        # Deploy our Gandi Certificate
        /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/star-gandi.mydomain.com.crt commercial_ca.crt 
        ** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
        Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
        Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK
        ** Copying /tmp/gandi/star-gandi.mydomain.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
        ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
        cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
        ** Saving server config key zimbraSSLCertificate...failed.
        ** Saving server config key zimbraSSLPrivateKey...failed.
        ** Installing mta certificate and key...done.
        ** Installing slapd certificate and key...done.
        ** Installing proxy certificate and key...done.
        ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
        ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
        ** Installing CA to /opt/zimbra/conf/ca...done.
  • Restart the zimbra and have a look at the log:
        /etc/init.d/zimbra restart ;  tail -f /opt/zimbra/log/*.log
  • ON ZIMBRA 6 IF YOU GET THE FOLLOWING ERROR:

cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Install Gandi SSL CA in the java keystore ( according to http://www.zimbrafr.org/forum/viewtopic.php?id=2017. Thanks Yvon ! )

        /opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem
  • Gandi people if you read this please send me a t-shirt :) You can contact me to via the talk page.


Verified Against: unknown Date Created: 2/1/2010
Article ID: http://wiki.zimbra.com/index.php?title=Installing_a_Gandi_Commercial_Certificate_on_ZCS Date Modified: 03/30/2015



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search