Installing a RapidSSL Commercial Certificate

From Zimbra :: Wiki

Jump to: navigation, search
Admin Article

Article Information

This article applies to the following ZCS versions.
  ZCS 6.0 Article  ZCS 6.0
  ZCS 5.0 Article  ZCS 5.0

Istalling a RapidSSL Commercial SSL Certificate

Use the article as a guide to installing a GeoTrust / RapidSSL issued SSL certificate with the zmcertmgr tool.

1. You will receive an e-mail from RapidSSL with your commercial certificate. Locate the [Your RapidSSL certificate:] section within the e-mail and copy the Certificate including the -----BEGIN to END----- to a file server.crt and place this into /tmp/server.crt

2. Copy private key including the -----BEGIN to END----- to /opt/zimbra/ssl/zimbra/commercial/commercial.key (if the file is not already there).

If you have a certificate generated before december 9th 2010:
3. Download the appropriate bundle file from http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer . RapidSSL certificates are always signed by Equifax!! Save this as ca_bundle.crt

If you have a certificate generated after december 9th 2010:
3a. Download the Geotrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and ca_bundle (wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem).
3b. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt

If you have a SHA2-256 certificate
3c. Download the Geotrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and copy Intermediate CA Bundle from this page https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459 to a file RapidSSL_CA_bundle.pem
3d. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt

4. Deploy the commercial certificate with zmcertmgr as the root user.

 # cd /opt/zimbra/bin
 # ./zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_bundle.crt

Note: The solution above works for Zimbra 5/6

Troubleshooting

After successfully importing the new certificate and CA bundle, I got the following error when restarting ZCS (6.0.10):

ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

The solution is to add RapidSSL_CA_bundle.pem (the intermediate cert) to the Java keystore:

 # /opt/zimbra/java/bin/keytool -import -alias rapidsslintca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <password> -file /tmp/RapidSSL_CA_bundle.pem
Verified Against: unknown Date Created: 11/19/2009
Article ID: http://wiki.zimbra.com/index.php?title=Installing_a_RapidSSL_Commercial_Certificate Date Modified: 10/30/2014
Personal tools