Installing a RapidSSL Commercial Certificate
From Zimbra :: Wiki
|This article applies to the following ZCS versions.|
Istalling a RapidSSL Commercial SSL Certificate
Use the article as a guide to installing a GeoTrust / RapidSSL issued SSL certificate with the zmcertmgr tool.
1. You will receive an e-mail from RapidSSL with your commercial certificate. Locate the [Your RapidSSL certificate:] section within the e-mail and copy the Certificate including the -----BEGIN to END----- to a file server.crt and place this into /tmp/server.crt
2. Copy private key including the -----BEGIN to END----- to /opt/zimbra/ssl/zimbra/commercial/commercial.key (if the file is not already there).
If you have a certificate generated before december 9th 2010:
3. Download the appropriate bundle file from http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer . RapidSSL certificates are always signed by Equifax!! Save this as ca_bundle.crt
If you have a certificate generated after december 9th 2010:
3a. Download the Geotrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and ca_bundle (wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem).
3b. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt
If you have a SHA2-256 certificate
3c. Download the Geotrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and copy Intermediate CA Bundle from this page https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459 to a file RapidSSL_CA_bundle.pem
3d. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt
4. Deploy the commercial certificate with zmcertmgr as the root user.
# cd /opt/zimbra/bin # ./zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_bundle.crt
Note: The solution above works for Zimbra 5/6
After successfully importing the new certificate and CA bundle, I got the following error when restarting ZCS (6.0.10):
ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
The solution is to add RapidSSL_CA_bundle.pem (the intermediate cert) to the Java keystore:
# /opt/zimbra/java/bin/keytool -import -alias rapidsslintca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <password> -file /tmp/RapidSSL_CA_bundle.pem
|Verified Against: unknown||Date Created: 11/19/2009|
|Article ID: http://wiki.zimbra.com/index.php?title=Installing_a_RapidSSL_Commercial_Certificate||Date Modified: 10/30/2014|