Installing a GeoTrust Commercial Certificate

From Zimbra :: Wiki

This article applies to the following ZCS versions.
  • ZCS 6.0
  • ZCS 5.0
  • ZCS 4.5


Installing a GeoTrust Commercial Certificate on ZCS 6.0.x using the Cross Root certificate

In July 2010, GeoTrust issued a new root certificate. Many mobile devices and mail clients do not yet trust the new GeoTrust root. In those cases you should be able to use these instructions on Zimbra 6.x to let the non-trusting devices trust your newly issued server certificate by chaining it through the cross root to the older Equifax root.

  • As Root:

1. Back up and then remove all the files in /opt/zimbra/ssl/zimbra/commercial

       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.tar.gz *
       rm -rf *

2. Generate a new CSR (edit the subject on this line to match your company details)

       /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"

3. Get it signed

       Place the SSL order with GeoTrust and paste in the contents of commercial.csr
       Put the returned certificate into commercial.crt using cat or vi

4. Put your CA chain in place (for GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard see http://www.geotrust.com/resources/root-certificates/ )

       GeoTrust issued a new root certificate in 2010.  If you need to support mobile devices and mail clients that don't yet have the new GeoTrust root,
       you will need the GeoTrust Cross Root certificate, available from this GeoTrust knowledge base article:
       https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426
       Grab the original Equifax root certificate from here:
       wget http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer

       Please note that as of July 22, 2010, GeoTrust switched to 2048 bit certs and requires the use of an intermediate CA.  The link to your intermediate
       CA should have been included in the email from GeoTrust with your new server certificate.

       Use cat or vi to put the intermediate, cross root, and root certs together in the commercial_ca.crt file.  The order they appear in is important:
       intermediate on top, cross root in the middle, and Equifax root on the bottom.  Be sure no extra line breaks or spaces exist in the file.
       [ Intermediate ]
       [ Cross Root ]
       [ Equifax Root ]
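As an added check for this step (not part of the original article and not part of zmcertmgr), the following Python script reads commercial.crt and commercial_ca.crt, confirms that each certificate in the file is issued by the one below it (so intermediate, cross root and Equifax root are in the required order, with a self-signed root last) and flags the stray blank lines and whitespace the article warns about. It uses only the standard library and builds its own unsigned stand-in certificates as sample input; the CA names and mail.CHANGEME.zxy are placeholders, and for real files you would pass the file contents to check_chain.

```python
import base64, re
def _tlv(tag, body):  # DER-encode one element (used only to build the constructed sample certs)
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read(buf, pos):  # -> (value_start, element_end) of the DER element at buf[pos]
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                              # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return pos, pos + n

def issuer_subject(der):
    """Raw DER of (issuer, subject) of an X.509 cert, walking the RFC 5280 TBSCertificate."""
    p, _ = _read(der, _read(der, 0)[0])      # Certificate -> tbsCertificate contents
    if der[p] == 0xA0:                        # optional [0] version
        _, p = _read(der, p)
    _, p = _read(der, p)                      # serialNumber
    _, p = _read(der, p)                      # signature AlgorithmIdentifier
    issuer = der[p:_read(der, p)[1]]
    _, p = _read(der, _read(der, p)[1])       # skip validity
    return issuer, der[p:_read(der, p)[1]]

def check_chain(leaf_pem, bundle_pem):
    """Problems with commercial.crt + commercial_ca.crt as the article lays them out; [] = OK."""
    errs = [f"stray whitespace or blank line in commercial_ca.crt: {line!r}"
            for line in bundle_pem.strip().splitlines() if line != line.strip() or not line]
    pem = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
    pairs = [issuer_subject(base64.b64decode(m.group(1).strip()))
             for m in pem.finditer(leaf_pem + bundle_pem)]
    for i in range(len(pairs) - 1):           # leaf -> intermediate -> cross root -> root
        if pairs[i][0] != pairs[i + 1][1]:
            errs.append(f"cert {i} is not issued by cert {i + 1}: wrong order or missing cert")
    if pairs[-1][0] != pairs[-1][1]:
        errs.append("last cert in commercial_ca.crt is not a self-signed root")
    return errs

def _fake_cert(subject, issuer):
    """Constructed, unsigned stand-in certificate: only its issuer/subject are meaningful."""
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode()))))
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))         # sha256WithRSA OID
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + name(issuer) + _tlv(0x30, _tlv(0x17, b"100722000000Z") * 2)
               + name(subject) + _tlv(0x30, b""))
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))
LEAF = _fake_cert("mail.CHANGEME.zxy", "Intermediate CA")       # constructed sample commercial.crt
GOOD_BUNDLE = (_fake_cert("Intermediate CA", "Cross Root")      # constructed sample commercial_ca.crt
               + _fake_cert("Cross Root", "Equifax Root")       # in the order the article requires
               + _fake_cert("Equifax Root", "Equifax Root"))
```

Run it on the real files with `check_chain(open("commercial.crt").read(), open("commercial_ca.crt").read())` before deploying; an empty list means the order and layout match what the article describes.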

5. Verify that the cert and key match

       /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
This should return:
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.

6. Deploy the cert together with the CA chain

       /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
This should return:
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/YOUR.SERVER.NAME.pkcs12...done.
** Creating keystore file /opt/zimbra/conf/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.


(Proxy Install) 7. If you run Zimbra Proxy in front of all your mailbox servers, you only need the certificate created for and installed on that one proxy server. Restart the proxy (for IMAP/POP/HTTP):

       su - zimbra
       zmproxyctl restart


(Mailbox Install) 8. If you are installing a commercial certificate on each mailbox server, restart mailboxd and the proxy (for IMAP/POP):

       su - zimbra
       zmmailboxdctl restart
       zmproxyctl restart

9. Verify your certificate looks correct externally.

       http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=SERVER.DOMAIN.NAME&protocol=https
  • It's also very handy to have a copy of the usage text (the comments) for zmcertmgr open in a side window.

Installing a GeoTrust Commercial Certificate on ZCS 5.0.x

  • As Root:

1. Back up and then remove all the files in /opt/zimbra/ssl/zimbra/commercial

       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.tar.gz *
       rm -rf *

2. Generate a new CSR (edit the subject on this line to match your company details)

       /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"

3. Get it signed

       Place the SSL order with GeoTrust and paste in the contents of commercial.csr
       Put the returned certificate into commercial.crt using cat or vi

4. Put your CA chain in place (for GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard see http://www.geocerts.com/support/roots.php )

       wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
       mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt

       Please note that as of July 22, 2010, GeoTrust uses an intermediate CA (see the GeoTrust KB article).
       You will need to download the two files below and splice them onto commercial_ca.crt:
       wget https://knowledge.geotrust.com/library/VERISIGN/ALL_OTHER/geotrust%20ca/QuickSSL_CA_Bundle.pem
       wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer
       cat QuickSSL_CA_Bundle.pem GeoTrust_Global_CA.cer >> commercial_ca.crt

5. Verify that the cert and key match

       /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
This should return:
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK

6. Deploy the cert

       /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt

QUESTION: When performing this command it stops until the user presses CTRL-D, and then it finishes. It seems to be expecting one more parameter (ca_chain_file). I don't think all implementations would require this parameter (we don't) so not sure why the zmcertmgr is waiting for that final parameter or the CTRL-D. Put different instructions here?

7. Restart the webserver

       su - zimbra
       zmmailboxdctl restart

8. Restart the proxy (for IMAP/POP)

       su - zimbra
       zmproxyctl restart
  • It's also very handy to have a copy of the usage text (the comments) for zmcertmgr open in a side window.


Upgrading a GeoTrust Commercial Certificate on ZCS 5.0.x

  • Commands are run as root or sudo user:

1. Create a backup of files in /opt/zimbra/ssl/zimbra/commercial

       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.backup.tar.gz *

2. Create your new set of files in a scratch directory (to test that they are valid before deploying); note I had to download a new CA file as listed below

       mkdir /tmp/renewalcert
       cd /tmp/renewalcert
       cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/renewalcert
       wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
       mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt
       vi /tmp/renewalcert/tmp.crt   [paste your new cert here]
       openssl x509 -in tmp.crt -out new.crt -text
       cat new.crt commercial_ca.crt > commercial.crt

3. Verify that cert, key and CA file match

       /opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/renewalcert/commercial.key /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt
This should return:
** Verifying /tmp/renewalcert/commercial.crt against /tmp/renewalcert/commercial.key
Certificate (/tmp/renewalcert/commercial.crt) and private key (/tmp/renewalcert/commercial.key) match.
Valid Certificate: /tmp/renewalcert/commercial.crt: OK


4. Deploy the renewal cert

       /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt
This should return:

** Verifying /tmp/renewalcert/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/renewalcert/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/renewalcert/commercial.crt: OK
** Copying /tmp/renewalcert/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/renewalcert/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.


5. Restart Zimbra

       su - zimbra
       zmcontrol stop; zmcontrol start;

Installing a GeoTrust Commercial Certificate on ZCS 4.5.x

These instructions were tested on Zimbra 4.5 using some of the included scripts for certificate handling.

1. ***Back Up Your Keystore***

    sudo -u zimbra cp /opt/zimbra/tomcat/conf/keystore /opt/zimbra/tomcat/conf/keystore.bak

2. su zimbra

3. Create a new file, or a copy of bin/zmcreatecert, containing this script (personalize the bits between *** to match your settings)

#!/bin/bash
# Modified copy of bin/zmcreatecert for ZCS 4.5: re-creates the slapd and perdition
# certificates signed by the local Zimbra CA, and produces a CSR for tomcat that is
# sent to GeoTrust.  Personalize the bits between *** before running.
source /opt/zimbra/bin/zmshutil || exit 1
zmsetvars

CONF=/opt/zimbra/conf
TCONF=/opt/zimbra/tomcat/conf
B=/opt/zimbra/ssl
BASE=${B}/ssl

JAVA_HOME=${zimbra_java_home}
if [ -f "${JAVA_HOME}/lib/security/cacerts" ]; then
        CACERTS=${JAVA_HOME}/lib/security/cacerts
else
        CACERTS=${JAVA_HOME}/jre/lib/security/cacerts
fi


TOMCAT=/opt/zimbra/tomcat/conf

# Working directories under /opt/zimbra/ssl/ssl
rm -rf ${BASE}/newCA
mkdir -p ${BASE}/ca
mkdir -p ${BASE}/newCA/newcerts
touch ${BASE}/newCA/index.txt
mkdir -p ${BASE}/cert
mkdir -p ${BASE}/server

mkdir -p ${TCONF}

hostname="***Set this to your full domain name mail.domain.com***"

# A hostname given on the command line overrides the one set above;
# any further arguments become subjectAltName entries.
if [ "x$1" != "x" ]; then
        hostname=$1
        shift;
fi

# Build the openssl config from Zimbra's template, filling in the hostname and SANs.
createConf() {
        ALTNAMES=""
        for alt in $*; do
                if [ "x$ALTNAMES" = "x" ]; then
                        ALTNAMES="subjectAltName = DNS:${hostname},DNS:${alt}"
                else
                        ALTNAMES="${ALTNAMES},DNS:${alt}"
                fi
        done
        cat ${CONF}/zmssl.cnf.in | sed -e "s/@@HOSTNAME@@/$hostname/" \
                -e "s/@@ALTNAMES@@/$ALTNAMES/" > ${BASE}/zmssl.cnf
}


# Generate the tomcat key pair in a fresh JKS keystore.  The existing keystore is
# removed, so make sure you took the backup from step 1.
createKeyStore() {

        echo "** Creating keystore"
        echo

        rm -f ${TCONF}/keystore

        keytool -validity 730 -genkey -dname "CN=$hostname, OU=***Set to Your Org Unit***, O=***Set to Your Company***, L=***Set to Your City***, S=***Set to Your State***, C=US" \
                -alias tomcat -keyalg RSA -keysize 1024 -keystore ${TCONF}/keystore \
                -storetype JKS -storepass zimbra -keypass zimbra

}

# Create two requests: one with openssl for slapd/perdition (signed locally below)
# and one with keytool for tomcat (sent to GeoTrust).
createCertReq() {

        echo "** Creating server cert request"
        echo

        openssl req -new -nodes -out ${BASE}/server/server.csr \
                -keyout ${BASE}/server/server.key -newkey rsa:1024 \
                -config ${BASE}/zmssl.cnf -batch

        keytool -certreq -keyalg RSA -alias tomcat -file \
                ${BASE}/server/tomcat.csr -keystore \
                ${TCONF}/keystore -storepass zimbra

        # keytool writes a "NEW CERTIFICATE REQUEST" header; rewrite it to the
        # standard PEM header that the CA's order form expects.
        cp ${BASE}/server/tomcat.csr /tmp/tomcat.csr.$$
        cat /tmp/tomcat.csr.$$ | sed -e \
                's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' \
                > ${BASE}/server/tomcat.csr

}

# Sign the openssl request with the local Zimbra CA and install the result
# for slapd and perdition.
signCertReq() {
        echo "** Signing cert request"
        echo

        openssl ca -out ${BASE}/server/server.crt -notext \
                -config ${BASE}/zmssl.cnf -in ${BASE}/server/server.csr \
                -keyfile ${BASE}/ca/ca.key -cert ${BASE}/ca/ca.pem -batch

        cp ${BASE}/server/server.crt ${CONF}/slapd.crt
        cp ${BASE}/server/server.key ${CONF}/slapd.key
        cp ${BASE}/server/server.crt ${CONF}/perdition.pem
        cp ${BASE}/server/server.key ${CONF}/perdition.key
        mkdir -p ${CONF}/ca
        cp ${BASE}/ca/ca.key ${CONF}/ca/ca.key
        cp ${BASE}/ca/ca.pem ${CONF}/ca/ca.pem
}

createConf $@

createKeyStore

createCertReq

signCertReq

# Private keys live under here; keep them readable by the zimbra user only.
chmod -R 700 ${B}

4. Run this newly created script

Essentially this script generates and signs a new certificate for slapd and perdition, and also generates a signing request for tomcat. The tomcat signing request will be in /opt/zimbra/ssl/ssl/server/tomcat.csr. Take the contents of that CSR and submit them to your certificate authority (GeoTrust in this case). You will then receive a certificate by email.

5. Take the certificate from the authority and paste it into /opt/zimbra/ssl/ssl/server/tomcat.pem

6. Convert the certificate into binary DER format, which keytool expects:

    openssl x509 -in tomcat.pem -inform PEM -outform DER -out tomcat.crt

You will also need to download the root CA from GeoTrust; it can be found at

    www.geotrust.com/resources/root_certificates/index.asp
         - for a TrueBusinessID certificate, download the Equifax Secure Certificate Authority file that is in DER encoded X.509 format
         - for a QuickSSL certificate, download the Equifax Secure Global eBusiness CA-1 file that is in DER encoded X.509 format

7. Put whichever file you needed in /opt/zimbra/ssl/ssl/geotrust.crt

8. Run the following command as root (if it says the chain already exists, don't overwrite the existing one; skip to the next step):

    keytool -import -alias geotrustca -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/geotrust.crt -storepass changeit

9. Run the following command as root:

    keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

10. Run the following command as zimbra:

    keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt -storepass zimbra

11. As zimbra, run /opt/zimbra/bin/tomcat restart (or restart Zimbra with zmcontrol stop && zmcontrol start)

12. If all went as planned you should now be able to access https://your.mailsite.com

13. If you receive "page cannot be displayed", copy /opt/zimbra/tomcat/conf/keystore.bak back to /opt/zimbra/tomcat/conf/keystore and restart tomcat again.

14. If you did break tomcat and did not back up the keystore in step 1, it is possible to get up and running again by doing the following:

         - su zimbra
         - /opt/zimbra/bin/zmcreateca
         - /opt/zimbra/bin/zmcreatecert
         - /opt/zimbra/bin/zmcertinstall

15. Test bin/zmprov to make sure it works without giving an untrusted certificate error. If it doesn't, run the following as root (when prompted for a password use changeit):

      /opt/zimbra/java/bin/keytool -import -alias tomcat -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt
  • Note: All the scripts above were taken directly from the bin/zmcreatecert and bin/zmcertinstall scripts with a little modification.


Verified Against: ZCS 4.5.x & ZCS 5.0.x Date Created: 9/19/2008
Article ID: http://wiki.zimbra.com/index.php?title=Installing_a_GeoTrust_Commercial_Certificate Date Modified: 12/14/2010