4.5.x to 5.0.x Certificate Upgrade Issues
If you are upgrading from 4.5.x to 5.0.x and the cert failed to upgrade successfully, you need to re-install the cert.
Prerequisites
You will need these pieces:
- The private key. This can be extracted from the Tomcat keystore. Zimbra Support can help with this process if you send the Tomcat keystore.
- The server certificate
- The chain cert files
Installation
With these pieces in hand, use zmcertmgr to install the certificate.
1. Verify that the cert and the key match using this command:
/opt/zimbra/bin/zmcertmgr verifycrt comm /path/to/privatekey /path/to/commercial.crt /path/to/commercial_ca.crt
2. From the temp directory, deploy the cert and restart the Zimbra services.
(a) sudo zmcertmgr deploycrt comm /path/to/commercial.crt /path/to/commercial_ca.crt
(b) zmcontrol stop ; zmcontrol start
3. Check to make sure that only the jetty alias exists in the keystore.
keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
4. Delete the tomcat alias, if it exists, with the following command:
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
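
The alias check in steps 3 and 4, as an added shell example that is not part of the original page: it parses `keytool -list` output and reports whether any alias other than jetty is present. The function names and the two sample listings (including their fingerprints) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Real use, with the page's command:
#   keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore \
#     -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password` | audit_keystore

# list_aliases: read `keytool -list` output on stdin, print one alias per line.
# Entry lines have the form "<alias>, <date>, <entry type>," and are followed
# by a fingerprint line, so match on the entry type at the end of the line.
list_aliases() {
    awk '/, *(PrivateKeyEntry|keyEntry|trustedCertEntry|SecretKeyEntry),? *$/ {
        sub(/,.*/, "")   # keep only the text before the first comma
        print
    }'
}

# audit_keystore: return 0 only if jetty is present and no other alias exists.
audit_keystore() {
    aliases=$(list_aliases)
    extra=$(printf '%s\n' "$aliases" | awk 'NF && $0 != "jetty"')
    if ! printf '%s\n' "$aliases" | grep -qx 'jetty'; then
        echo "FAIL: no jetty alias found"
        return 1
    fi
    if [ -n "$extra" ]; then
        echo "FAIL: unexpected aliases:" $extra
        return 1
    fi
    echo "OK: only the jetty alias is present"
}

# Constructed sample listings: before and after deleting the tomcat alias.
SAMPLE_BEFORE='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

jetty, Jan 10, 2008, keyEntry,
Certificate fingerprint (MD5): AA:BB:CC:DD (constructed)
tomcat, Mar 3, 2007, keyEntry,
Certificate fingerprint (MD5): 11:22:33:44 (constructed)'

SAMPLE_AFTER='Keystore type: jks
Your keystore contains 1 entry

jetty, Jan 10, 2008, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD (constructed)'

printf '%s\n' "$SAMPLE_BEFORE" | audit_keystore || true
printf '%s\n' "$SAMPLE_AFTER" | audit_keystore
```
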