Talk:Administration Console and CLI Certificate Tools

From Zimbra :: Wiki


Typos

Typo in 'Single Node Commercial Certificate' section:

 /opt/zimbra/bin/zmcertmgr deploycrt comm. /tmp/commercial.crt /tmp/ca_chain.crt

Should be: (no stray period)

 /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt

I second the above typo - Also ST-CA should be ST=CA in the same section

The typo is also present in the cert signing request.

 /opt/zimbra/bin/zmcertmgr createcsr comm. -new -subject "/C=US/ST-CA/L=Sunnyvale/O=Yahoo/OU=Zimbra Collaboration Suite" -subjectAltNames host.example.com

Should be:

 /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Yahoo/OU=Zimbra Collaboration Suite" -subjectAltNames host.example.com

I have 2 more things to add to the above typo issue in the certificate signing request example.
1. The example should include manually setting the Common Name for the certificate, as it's often the case that the computer host name and the name used in the URL are different.
2. Some commercial CAs are now requiring 2048-bit requests rather than the default 1024. This should at least be mentioned if not in the example. You can modify the zmcertmgr script at about line 778. It should look like this:

 echo -n "** Creating server cert request ${current_csr}..."
 
 ${openssl} req -new -nodes -out ${current_csr} -keyout ${current_key} \
   -newkey rsa:2048 -config ${zimbra_cert_ssl_conf} \
   -subj "${SUBJECT}" -batch > ${tmpfile} 2>&1

At step 6 in 'Single Node Commercial Certificate' you should read:

 /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt

instead of:

 /opt/zimbra/bin/zmcertmgr verifycrt comm
 /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt

Step 7 should be read like this:

 /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt

instead of:

 /opt/zimbra/bin/zmcertmgr deploycrt comm. /tmp/commercial.crt /tmp/ca_chain.crt

And step 8 should be read like this:

 /opt/zimbra/bin/zmcertmgr viewdeployedcrt

instead of:

 zmcertmgr viewdeployedcrt

Typos Fixed

I've updated the article to include the revisions suggested above, except the one regarding 2048 bit keys. That is now standard in the product.

Cfremon 19:50, 14 April 2010 (UTC)

Andy has

some useful commentary in one of his pages about what you might need to backup before generating a new single-server cert, so you have that nice backout path I'm always ranting about everywhere.  :-) Might be useful to copy it over here... --Baylink 13:42, 25 March 2010 (UTC)

Baylink, can you add a link? Thanks! Cfremon 20:08, 25 March 2010 (UTC)

Well, I could, but there's some question whether it has a typo, as this page has. That typo cost me an hour of U1 and a ticket today, and even though Ramadan said he was correcting this page, he hasn't. (Missing leading-/ on the createcsr and createcrt subject attributes.)

Worse: that error message *sometimes* incorrectly means that there needs to be an altName and there isn't, which is a real live bug that needs fixed.

Cranky day; sorry. --Baylink 21:46, 13 April 2010 (UTC)

Baylink, I've updated the above article to include revisions suggested in the comments above yours. I'm not quite clear on whether this is the same typo you're referring to, and I haven't yet had a chance to talk to Ramadan about it. I know you've already lost a lot of time to this -- but would you be willing to let me know if these revisions fix the typo you're referring to? Cfremon 19:50, 14 April 2010 (UTC)

Oh, I'll always take time for "did we fix your problem", even if the answer's "yes".  :-) Yes, the typo here is now fixed. I need to go over to the appropriate AJPage and fix my companion one there. Thanks. --Baylink 15:58, 27 April 2010 (UTC)
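
Both subject-string mistakes discussed on this page (the `ST-CA` component and the missing leading `/`) can be caught before the string reaches `zmcertmgr createcsr`. The following pre-flight check is an added example, not part of zmcertmgr or of the article; `check_subject` is a hypothetical helper, and it assumes values contain no escaped `/` characters.

```shell
#!/bin/sh
# Added example: validate an OpenSSL-style subject string before passing it
# to "zmcertmgr createcsr ... -subject". check_subject is a hypothetical
# helper, not a zmcertmgr function.
# Assumption: values do not contain escaped "/" characters.
# Return codes: 0 ok, 1 no leading "/", 2 no components,
#               3 component without "=", 4 empty name or value,
#               5 unexpected characters in the attribute name.
check_subject() {
    cs_subject=$1

    # The string must begin with "/" (the missing leading-/ case).
    case $cs_subject in
        /*) ;;
        *)  echo "subject must start with '/': $cs_subject" >&2; return 1 ;;
    esac

    cs_rest=${cs_subject#/}
    [ -n "$cs_rest" ] || { echo "subject has no components" >&2; return 2; }

    # Walk the "/"-separated components; each must be ATTR=value.
    while [ -n "$cs_rest" ]; do
        cs_component=${cs_rest%%/*}
        case $cs_rest in
            */*) cs_rest=${cs_rest#*/} ;;
            *)   cs_rest= ;;
        esac
        case $cs_component in
            *=*) ;;
            *)  echo "component lacks '=': $cs_component" >&2; return 3 ;;
        esac
        cs_attr=${cs_component%%=*}
        cs_value=${cs_component#*=}
        if [ -z "$cs_attr" ] || [ -z "$cs_value" ]; then
            echo "empty attribute or value: $cs_component" >&2; return 4
        fi
        # Attribute names are short names or dotted OIDs.
        case $cs_attr in
            *[!A-Za-z0-9.]*) echo "bad attribute name: $cs_attr" >&2; return 5 ;;
        esac
    done
    return 0
}
```

Run it as `check_subject "$SUBJECT" && /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "$SUBJECT"` so a malformed subject stops the request before any CSR is generated.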