Installing a Gandi Commercial Certificate on ZCS

From Zimbra :: Wiki

This is archive documentation, which means it is not supported or valid for recent versions of Zimbra Collaboration.

This article is a community contribution and may include unsupported customizations for network edition customers.

Admin Article

Article Information

This article applies to the following ZCS versions:
  • ZCS 7.0
  • ZCS 6.0

Everything below is done as root.

  • First copy all your Gandi certificate files into one directory, for instance /tmp/gandi

Gandi is not a top-level Certificate Authority, so we also need the CA certificates its certificate chains up to. Install the system CA bundle:

       aptitude install ca-certificates

  • Create a bundle from the UTN USERFirst root CA file and the Gandi CA file
       cd /tmp/gandi
       cat /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem GandiStandardSSLCA.pem > GandiBundle.pem

  • Back up the SSL commercial directory, then empty it
       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.tar.gz *
       rm *

  • Copy the required files into the directory /opt/zimbra/ssl/zimbra/commercial/
        # commercial.csr (the certificate signing request that you sent to Gandi)
        cp /tmp/gandi/ commercial.csr
        # commercial.key (your private key)
        cp /tmp/gandi/ commercial.key
        # commercial_ca.crt (the bundle created above)
        cp /tmp/gandi/GandiBundle.pem commercial_ca.crt
        # Verify our Gandi Certificate against the private key
        /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/ 
        ** Verifying /tmp/gandi/ against commercial.key
        Certificate (/tmp/gandi/ and private key (commercial.key) match.
        Valid Certificate: /tmp/gandi/ OK
        # Verify our Gandi Certificate against the Certificate Authority Chain
        /opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/ 
        Valid Certificate Chain: /tmp/gandi/ OK
        # Deploy our Gandi Certificate
        /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/ commercial_ca.crt 
        ** Verifying /tmp/gandi/ against /opt/zimbra/ssl/zimbra/commercial/commercial.key
        Certificate (/tmp/gandi/ and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
        Valid Certificate: /tmp/gandi/ OK
        ** Copying /tmp/gandi/ to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
        ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
        cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
        ** Saving server config key zimbraSSLCertificate...failed.
        ** Saving server config key zimbraSSLPrivateKey...failed.
        ** Installing mta certificate and key...done.
        ** Installing slapd certificate and key...done.
        ** Installing proxy certificate and key...done.
        ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
        ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
        ** Installing CA to /opt/zimbra/conf/ca...done.
  • Restart Zimbra and watch the logs:
        /etc/init.d/zimbra restart ;  tail -f /opt/zimbra/log/*.log

If the log shows

        cause: PKIX path building failed: unable to find valid certification path to requested target

install the Gandi SSL CA into the Java keystore (thanks Yvon!):

        /opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem
  • Gandi people, if you read this, please send me a t-shirt :) You can contact me via the talk page.
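The two zmcertmgr checks above (verifycrt and verifycrtchain) can be reproduced with plain openssl before anything is deployed, which is useful when zmcertmgr's output is terse. The script below is an added example and is not part of the article or of Zimbra; it assumes only the openssl command line (1.1.1 or newer). Every file name and the whole root / intermediate / leaf hierarchy are constructed inside the script for illustration, so it runs offline; substitute your real commercial.key, the certificate Gandi returned, and the GandiBundle.pem in practice. It also shows the two failure modes a practitioner most often hits: a certificate that does not belong to the private key, and a bundle that is missing the intermediate CA.

```shell
#!/bin/sh
# Added example: pre-flight checks for a commercial certificate before handing it to zmcertmgr.
# Assumes only the openssl CLI (1.1.1 or newer). All file names and the demo PKI below are
# constructed for illustration; substitute your real key, certificate, intermediate and root.
set -eu

# Build a CA bundle the way the article does: concatenate the root CA and the intermediate CA PEMs.
# $1 root CA PEM, $2 intermediate CA PEM, $3 output bundle path
build_bundle() {
    cat "$1" "$2" > "$3"
}

# Succeeds (exit 0) only when the certificate was issued for this private key: both sides are
# reduced to their public key (SubjectPublicKeyInfo, PEM) and compared byte for byte.
# $1 certificate PEM, $2 private key PEM
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only when a complete path from the leaf to a root in the bundle can be built.
# $1 CA bundle PEM (root plus intermediates), $2 leaf certificate PEM
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo PKI (root -> intermediate -> leaf) plus an unrelated key, written into $1.
make_demo_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
    # Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA signed by the root (plays the role of GandiStandardSSLCA.pem)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 1 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate (plays the role of the Gandi-issued cert)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    # A key that belongs to no certificate, to show what a mismatch looks like
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"
build_bundle "$DEMO/root.pem" "$DEMO/inter.pem" "$DEMO/bundle.pem"

if key_matches_cert "$DEMO/leaf.pem" "$DEMO/leaf.key"; then echo "leaf.pem / leaf.key: match"; fi
if ! key_matches_cert "$DEMO/leaf.pem" "$DEMO/other.key"; then echo "leaf.pem / other.key: MISMATCH (expected)"; fi
if chain_verifies "$DEMO/bundle.pem" "$DEMO/leaf.pem"; then echo "bundle.pem: chain OK"; fi
# The root alone is not enough: without the intermediate no path can be built
if ! chain_verifies "$DEMO/root.pem" "$DEMO/leaf.pem"; then echo "root.pem only: chain FAILS (expected)"; fi
```

Run it as-is to see the four outcomes; to check a real deployment, call key_matches_cert with commercial.key and the Gandi-issued certificate, and chain_verifies with GandiBundle.pem and that certificate. The key comparison works for any key type because it compares the encoded public key rather than an RSA modulus.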

Verified Against: unknown
Date Created: 2/1/2010
Article ID:
Date Modified: 03/30/2015