Installing an IPSCA Commercial Certificate

From Zimbra :: Wiki

Admin Article

Article Information

This article applies to the following ZCS versions.
  ZCS 6.0
  ZCS 5.0


Summary

Documentation on how to install a commercial SSL Certificate provided by IPSCA using zmcertmgr. I created this documentation after upgrading to Zimbra 6.0 and having Zimbra fail to start due to the commercial SSL Certificate.

IPSCA offers free wildcard SSL certificates for Educational Institutions, which is why we chose them. Their certificates appear to work in everything without complaining except Opera.

This documentation assumes you've already generated your private key, certificate request and gotten it signed by IPSCA for your domain. I created these instructions using Zimbra 6.0 and CentOS 5.3 32-bit. Chances are this will work on Zimbra 5.0 and other operating systems.


Installing an IPSCA SSL Certificate using zmcertmgr

1. Download a copy of the IPSCA Intermediate Certificate and Root Certificate from here. Thankfully IPSCA bundles them together for you, saving you some time. If you really want them in separate files go here.

 wget http://certs.ipsca.com/companyIPSipsCA/IPS-IPSCABUNDLE.CRT

2. Put your .key and .crt files on your server. For this example I'm going to use 'example.ca.key' and 'example.ca.crt' and assume they are stored in '/tmp'

3. I decrypted my SSL private key (example.ca.key). I'm not 100% sure if you have to do this but I find it easier to deal with because you don't have to keep entering the private key's passphrase.

 openssl rsa -in /tmp/example.ca.key -out /tmp/example.ca.key.unenc

Enter your passphrase for the private key when prompted

4. Make sure you're root and copy your unencrypted private key into the Zimbra SSL directory

 cp /tmp/example.ca.key.unenc /opt/zimbra/ssl/zimbra/commercial/commercial.key

5. Still as root you'll now import your commercial certificate (example.ca.crt) and the IPSCA CA and Intermediate certificate bundle (IPS-IPSCABUNDLE.CRT). Make sure Zimbra is running before you run this command.

 /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/example.ca.crt /tmp/IPS-IPSCABUNDLE.CRT

6. As the Zimbra user stop and restart Zimbra

 zmcontrol stop
 zmcontrol start


Updating the expired IPSCA Root CA

This assumes you've previously installed an SSL Certificate signed by IPSCA. If this is the case you've more than likely found out by now that IPSCA's Root CA has expired and they've re-issued everyone's SSL Certificates signed with their new Root CA. More details here.

The following was performed on CentOS 5.4 32-bit and Zimbra 6.0.4.

1. Download a fresh copy of the IPSCA Certificate Bundle

 wget http://certs.ipsca.com/companyIPSipsCA/IPS-IPSCABUNDLE.CRT

2. Upload your new SSL Certificate (.crt) to your Zimbra server in the "/tmp/" directory. IPSCA should have e-mailed this to you already. They send it as a .txt file.

3. Issue the following commands to install the new certificates (as root)

 /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/example.ca.crt /tmp/IPS-IPSCABUNDLE.CRT

4. Restart Zimbra (as zimbra)

 zmcontrol stop
 zmcontrol start

You're still going to have to deal with the remaining issue that the new IPSCA Root CA is only in a fully updated Internet Explorer 8. Anyone using Firefox, Opera, Safari or another browser is still going to get a certificate error.
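
Checks worth running before 'zmcertmgr deploycrt comm' in either procedure above, written as an added example that is not part of the original article or of Zimbra. It assumes an RSA key and PEM-encoded files; the function names are illustrative.

```shell
#!/bin/sh
# Added example: checks to run before 'zmcertmgr deploycrt comm <crt> <bundle>'.
# Assumes an RSA key and PEM-encoded files; function names are illustrative.

key_matches_cert() {   # $1 = unencrypted private key, $2 = certificate
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

key_is_private() {     # $1 = key file; fails if group or others can read it
    [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

chain_verifies() {     # $1 = certificate, $2 = CA bundle
    # Note: openssl also consults its default CApath in addition to -CAfile.
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || return 1
    case $out in
        *error*) return 1 ;;      # older releases could exit 0 despite errors
        *": OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

bundle_all_valid() {   # $1 = PEM bundle, $2 = seconds of validity required (default 0)
    pem="" n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in *"BEGIN CERTIFICATE"*) pem="" ;; esac
        pem="$pem$line
"
        case $line in *"END CERTIFICATE"*)
            n=$((n + 1))
            printf '%s' "$pem" | openssl x509 -noout -checkend "${2:-0}" \
                >/dev/null 2>&1 || bad=$((bad + 1)) ;;
        esac
    done < "$1"
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

precheck() {           # $1 = key, $2 = certificate, $3 = CA bundle
    rc=0
    key_is_private "$1"        || { echo "key is readable by group/others" >&2; rc=1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; rc=1; }
    bundle_all_valid "$3"      || { echo "bundle has an expired or unreadable certificate" >&2; rc=1; }
    chain_verifies "$2" "$3"   || { echo "certificate does not chain to bundle" >&2; rc=1; }
    return "$rc"
}

if [ "$#" -eq 3 ]; then precheck "$@"; fi
```

Saved under a name of your choosing (for example precheck.sh), it takes the key, the certificate and the bundle as its three arguments and exits non-zero if any check fails.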


Troubleshooting

When I run 'zmcertmgr' to import my certificate I see the following messages during the import:

 ** Saving server config key zimbraSSLCertificate...failed.
 ** Saving server config key zimbraSSLPrivateKey...failed.

This means Zimbra isn't running. Start Zimbra and then re-run the command.


Verified Against: Zimbra 6.0 and CentOS 5.3 32-bit
Date Created: 9/12/2009
Date Modified: 04/14/2010
Article ID: http://wiki.zimbra.com/index.php?title=Installing_a_IPSCA_Commercial_Certificate