Installing a GoDaddy Commercial Certificate

From Zimbra :: Wiki

Admin Article

Article Information

This article applies to the following ZCS versions.
  • ZCS 5.0
  • ZCS 4.5

This article covers importing and installing a GoDaddy commercial certificate on a ZCS 5.0.x server and on a 4.5.x server.

5.0.x+

Installation Prerequisites

This article is written for installations that meet the following prerequisites.

  • This is a new certificate.
  • You generated the CSR via the Administration Console.
  • You sent the CSR to get it signed.
  • Download the following files from https://certs.godaddy.com/Repository.go
  • The /opt/zimbra/ssl/zimbra/commercial directory has two files:
    • commercial.key
    • commercial.csr

If your certificate does not meet the above prerequisites, the following installation instructions may not work.

Also, if you generated the CSR using the openssl utility or the instructions provided by GoDaddy, you will need to manually copy the files to the /opt/zimbra/ssl/zimbra/commercial path with the proper names: commercial.key for the key, commercial.crt for the cert, commercial.csr for the CSR, and commercial_ca.crt for the root certificate.

Installation

You can install the certificate by logging in to the Administration Console and uploading the following files.

  • Signed Certificate - <server_name>.crt
  • RootCA - gd-class2-root.crt
  • Intermediate - gd-bundle.crt

Once you have uploaded these files, restart Zimbra services.

Command line Instructions

If installing the certificate from the Administration Console fails, use these steps to install it from the command line.

 1) Create /root/certs and place the cert files in there:
    mkdir /root/certs
 2) Build the CA chain file:
    cat gd_cross_intermediate.crt gd_intermediate.crt gd-class2-root.crt >> /root/certs/commercial_ca.crt
    or rename gd_bundle.crt (given by GoDaddy when downloading the certificate) to commercial_ca.crt.
 3) Verify the certificate:
    cd /root/certs
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./<server_name>.crt ./commercial_ca.crt
 4) Deploy the cert:
    cd /root/certs
    /opt/zimbra/bin/zmcertmgr deploycrt comm ./<server_name>.crt ./commercial_ca.crt
 5) Restart the Zimbra services:
    su - zimbra
    zmcontrol stop
    zmcontrol start
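
Two things to confirm before deploying are that the signed certificate belongs to commercial.key and that commercial_ca.crt contains every link up to the root. The script below is an added example, not part of the original article or of Zimbra's tooling: it makes both checks with plain openssl against a throwaway chain it generates itself. The names server.crt, demo.cnf and the "Demo ..." subjects are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before `zmcertmgr deploycrt`.
# Every key and certificate here is constructed test material.

# True when the private key and the certificate hold the same public key.
key_matches_cert() {  # key_matches_cert <key> <cert>
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# True when the certificate chains to a root using only the given CA bundle.
chain_verifies() {  # chain_verifies <ca_bundle> <cert>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 if safe to deploy, 1 on key mismatch, 2 on a broken chain.
preflight() {  # preflight <key> <cert> <ca_bundle>
  key_matches_cert "$1" "$2" || { echo "key does not match cert"; return 1; }
  chain_verifies "$3" "$2" || { echo "CA bundle does not verify cert"; return 2; }
  echo "ok to deploy"
}

# Build a throwaway root -> intermediate -> server chain in directory $1.
make_demo_pki() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -days 2 \
    -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_ca -days 2 \
    -out "$d/int.crt" 2>/dev/null || return 1
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/commercial.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null || return 1
  # Same idea as step 2 above: intermediate first, root last.
  cat "$d/int.crt" "$d/root.crt" > "$d/commercial_ca.crt"
}

tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
preflight "$tmp/commercial.key" "$tmp/server.crt" "$tmp/commercial_ca.crt"
# A bundle without the intermediate fails the chain check (return code 2).
preflight "$tmp/commercial.key" "$tmp/server.crt" "$tmp/root.crt" || true
rm -rf "$tmp"
```

On a real server, call preflight with /opt/zimbra/ssl/zimbra/commercial/commercial.key, the signed certificate and /root/certs/commercial_ca.crt.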

4.5.x

(You will be prompted for passwords. Use zimbra for all passwords)

1. Create keystore:

su - zimbra

keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore

2. Create CSR (you are creating the commercial.csr file):

keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore

Note: When it asks you for your first and last name, use the common name of your server. For example, if you will ultimately use zimbra.company.com as the URL, then that is your common name.

3. Open the contents of the commercial.csr file and copy and paste into GoDaddy's CSR submission form.

4. Receive digital cert from GoDaddy as a zip file. Unzip and copy the cert and intermediate cert to a directory on the server. For simplicity, complete the commands below from that directory.

5. Import intermediate and root certs from GoDaddy. The intermediate cert is included in the zip file. The root cert is not. Download the root cert for GoDaddy from: https://certificates.starfieldtech.com/Repository.go

To import the root cert:

keytool -import -alias root -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file valicert_class2_root.crt

Note: As of 4/2/2007 - Using RHEL 4 with all updates the Root cert was not needed.

Update: 4/2/2007 - Go to this page: https://certificates.godaddy.com/Repository.go Download the gd_cross_intermediate.crt. You should have received gd_intermediate.crt as part of the zip file from GoDaddy. You will need the cross and the intermediate certificates in order to create the "chain".

To import the intermediate cert:

keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_intermediate.crt

To import the cross cert:

keytool -import -alias cross -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_cross_intermediate.crt

6. Import digital cert into keystore:

keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file [FileNameofCert] -storepass zimbra

7. Copy the keystore to the Zimbra Tomcat keystore:

cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore

8. Restart Tomcat.

9. To turn on HTTPS, use zmtlsctl https to allow http and https logins, or zmtlsctl mixed to force https logins while all other traffic uses http.

10. To use your certificate for other services, follow the instructions above under "You can use the same CRT for other services".


Verified Against: ZCS 5.0.x Date Created: 9/17/2008
Article ID: http://wiki.zimbra.com/index.php?title=Installing_a_GoDaddy_Commercial_Certificate Date Modified: 04/4/2012