Installing a RapidSSL Commercial Certificate

This is archive documentation, which means it is not supported or valid for recent versions of Zimbra Collaboration.

This article is a Work in Progress, and may be unfinished or missing sections.


Admin Article

Article Information

This article applies to the following ZCS versions.
  ZCS 6.0
  ZCS 5.0

Installing a RapidSSL Commercial SSL Certificate

Use this article as a guide to installing a GeoTrust / RapidSSL issued SSL certificate with the zmcertmgr tool.

1. You will receive an e-mail from RapidSSL with your commercial certificate. Locate the [Your RapidSSL certificate:] section within the e-mail and copy the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into the file /tmp/server.crt

2. Copy the private key, including its -----BEGIN and -----END lines, to /opt/zimbra/ssl/zimbra/commercial/commercial.key (if the file is not already there).

If you have a certificate generated before December 9th 2010:
3. Download the appropriate bundle file from http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer and save it as ca_bundle.crt (step 4 expects it at /tmp/ca_bundle.crt). RapidSSL certificates are always signed by Equifax.

If you have a certificate generated after December 9th 2010:
3a. Download the GeoTrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and the RapidSSL CA bundle (wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem).
3b. Concatenate the files: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt

If you have a SHA2-256 certificate:
3c. Download the GeoTrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and copy the Intermediate CA Bundle from this page https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459 to a file named RapidSSL_CA_bundle.pem
3d. Concatenate the files: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt

4. Deploy the commercial certificate with zmcertmgr as the root user.

 # cd /opt/zimbra/bin
 # ./zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_bundle.crt

Note: The solution above works for Zimbra 5/6
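
Before running step 4, the key, certificate and CA bundle can be checked against each other with the openssl command line. The script below is an added example, not part of the original article or of Zimbra's tooling; the function names are hypothetical and the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not Zimbra tooling): consistency checks for the key,
# certificate and CA bundle before "zmcertmgr deploycrt". Function names
# are hypothetical; only standard openssl subcommands are used.

# Succeeds when the certificate carries the public key of the private key.
key_matches_cert() {  # usage: key_matches_cert <key> <cert>
    kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kmc_key" = "$kmc_crt" ]
}

# Prints how many PEM certificates the bundle holds. A DER-encoded download
# concatenated into the bundle contributes none, so the count comes up short.
bundle_cert_count() {  # usage: bundle_cert_count <ca_bundle>
    bcc_n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${bcc_n:-0}"
}

# Succeeds when openssl can build a chain from the certificate to a root in
# the bundle (openssl may also consult its default CA directory).
chain_verifies() {  # usage: chain_verifies <ca_bundle> <cert>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs all three checks and reports the first failure on stderr.
precheck() {  # usage: precheck <key> <cert> <ca_bundle>
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not match private key $1" >&2; return 1; }
    pc_n=$(bundle_cert_count "$3")
    [ "$pc_n" -ge 1 ] ||
        { echo "FAIL: no PEM certificates found in $3" >&2; return 1; }
    chain_verifies "$3" "$2" ||
        { echo "FAIL: $2 does not chain to a root in $3" >&2; return 1; }
    echo "OK: key matches certificate; chain verifies ($pc_n CA certs in bundle)"
}

# Run the checks when called with the three file paths, for example:
#   sh precheck.sh /opt/zimbra/ssl/zimbra/commercial/commercial.key \
#       /tmp/server.crt /tmp/ca_bundle.crt
if [ "$#" -eq 3 ]; then precheck "$@"; fi
```

Compare the reported CA certificate count with the number of files concatenated in step 3; a lower count means one of the downloads was not PEM encoded.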

Troubleshooting

After successfully importing the new certificate and CA bundle, I got the following error when restarting ZCS (6.0.10):

ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

The solution is to add RapidSSL_CA_bundle.pem (the intermediate cert) to the Java keystore:

 # /opt/zimbra/java/bin/keytool -import -alias rapidsslintca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <password> -file /tmp/RapidSSL_CA_bundle.pem

Verified Against: unknown
Date Created: 11/19/2009
Article ID: http://wiki.zimbra.com/index.php?title=Installing_a_RapidSSL_Commercial_Certificate
Date Modified: 04/1/2015