Difference between revisions of "4.x Commercial Certificates Guide"

Latest revision as of 19:31, 25 March 2015

{{Archive}}{{Article Infobox|{{admin}}|||{{ZCS 4.5}}}}
=FOR 5.x servers, please do not use this page=
* use [[Commercial_Certificate_in_5.x]] instead

=General Commercial SSL Certificate Procedure (Please read and understand this first)=
* Self-signed certificate directions can be found here: [[SSL_Certificate_Problems]]
* Please read all instructions and pay attention to the specific 4.5 (and prior) vs 5.0 sections and notes.
* '''DO NOT USE THIS DOCUMENT FOR ZCS Versions 5.0.0_GA and ABOVE.''' Use the Certificate wizard in the Admin Console of your installation to generate a commercial CSR.

== Using a pre-existing certificate from another server ==
If you already have an "apache style" PEM or DER format certificate for this server hostname, and want to re-use it, [http://www.zimbra.com/forums/showthread.php?t=4738 this forum thread] has been condensed to the [[4.x_Commercial_Certificates_Guide#PEM_Format_Commercial_SSL_Cert_Install_Procedure|PEM format certificate conversion]] section below.

== Getting a certificate for MTA ==
If you are installing a commercial certificate for the MTA and/or LDAP, you can simply acquire a certificate for postfix in "PEM" format, save the signed cert and the key in the /opt/zimbra/conf directory, and reload postfix.

== Generate a certificate signing request (CSR) for tomcat ==
=== Create a commercial keystore ===
Notes:
# The file we call "commercial.keystore" in this guide is just an intermediate working file, which you will eventually copy into place in /opt/zimbra/tomcat/conf/keystore (until ZCS 4.5.x) or /opt/zimbra/jetty/etc/keystore (starting in ZCS 5.0).
# Make sure you create a new file; if you are updating certificates and there is already a commercial.keystore, rename it or use a different name for these steps.
# Make sure you save the new commercial.keystore file; you will import the server certificate and any intermediate certificates from the CA into this keystore before deploying it for tomcat or jetty.

For 4.x
<pre>
# su - zimbra
# keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore
</pre>
  
Use "zimbra" for the keystore password, and the hostname of your server for the first/last name.

Note: In versions of ZCS up to and including 4.5.6, you '''must''' use "'''zimbra'''" for the keystore password; starting with ZCS 4.5.7, this will be configurable through the [[Zmlocalconfig|zmlocalconfig]] parameter '''tomcat_keystore_password'''. If your organization is Acme Co in San Francisco CA, with the zimbra mail server mailhost.domain.com, the process will look like this:
<pre>
   zimbra@mailhost$ keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore
   Enter keystore password:  zimbra
   What is your first and last name?
     [Unknown]:  mailhost.domain.com
   What is the name of your organizational unit?
     [Unknown]:  Acme Co
   What is the name of your organization?
     [Unknown]:  Acme Co
   What is the name of your City or Locality?
     [Unknown]:  San Francisco
   What is the name of your State or Province?
     [Unknown]:  California
   What is the two-letter country code for this unit?
     [Unknown]: US
   Is CN=mailhost.domain.com, OU=Acme Co, O=Acme Co, L=San Francisco, ST=CA, C=US correct?
     [no]:  y

   Enter key password for <tomcat>
          (RETURN if same as keystore password):
</pre>
Starting with ZCS version 4.5.6, a random password is generated for the keystore. This password can be retrieved via "zmlocalconfig -s -m nokey tomcat_keystore_password". If you specify zimbra as the password for the commercial.keystore, tomcat won't start due to a keystore password mismatch.

The workaround is to:
# retrieve the current keystore password and use it when creating the commercial.keystore, OR
# use zimbra as the password and, when you are done with the process, change the keystore password to zimbra:
<pre>
# zmlocalconfig -e tomcat_keystore_password=zimbra
# tomcat restart
</pre>
I recommend using option 2, since it is less hassle.

=== Create the certificate request file ===
Remember the password is "zimbra"; this should all be on one line:
<pre>
# keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore
</pre>

The result is in the file commercial.csr:
<pre>
cat /opt/zimbra/ssl/ssl/commercial.csr

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBsTCCARoCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAcT
BEhlcmUxEDAOBgNVBAoTB0NvbXBhbnkxEDAOBgNVBAsTB0NvbXBhbnkxGjAYBgNVBAMTEW15aG9z
dC5kb21haW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGFzdhsPg/h5qtpkd9F4wB
IIiajDCLEgfbbwUgBaCb8XiZ6KQEb7cJXrqBqNtJsEPghtLsV52YDmHcNruKWEFRPJdJBM8gHR7p
cFHjYcKJyCa77yhBILqg3iNenRTJNIUXVYzwuBJsa2QWbp8dDbRU5aEn3seFGY/FkeA44KA9UwID
AQABoAAwDQYJKoZIhvcNAQEEBQADgYEAb/nHJZxNpJsP6b2PHVubljRKyxyHDbAopvMLHAgkRxH8
OWOgG/yRJ5Q28csCDAQc/5+Rp/Fn0YDxyqgiAHqQRwCz4QcUSgLSGRijsjNzWhGtQhUzNS1qCgPK
FjfnosOkkGmm51RrPcHCLcjBjhWn4oHZ93NUoTW1hdl6ERc6a6c=
-----END NEW CERTIFICATE REQUEST-----
</pre>
 
  
== Acquire and install the certificate ==
Note: Be sure to save your existing certs; see the "Back up existing certificates" section of the [[SSL_Certificate_Problems#Back_up_existing_certificates|Cert Issues]] page.

=== Submit the CSR to the certificate authority of choice ===
To turn that into a certificate, you'll need to paste it into the web form of your favorite certificate vendor (verisign.com, godaddy, etc.) and they'll take some money from you and return a certificate as a file we'll call my.crt.

=== Import the cert into the commercial keystore ===
Note: Make sure to make a copy of the "commercial.keystore" after generating the CSR. If you end up damaging this file without backing it up, it will be necessary to create a new keystore and submit a new CSR to the Certificate Authority.

For 4.x
<pre>
# keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file my.crt -storepass zimbra
</pre>

Note: If this returns the error "keytool error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data", you may need to convert the certificate from [http://www.modssl.org/docs/2.8/ssl_faq.html#ToC36 PEM-encoded to DER-encoded]. Keep in mind that the default encoding for OpenSSL is PEM (i.e. an OpenSSL-produced signed cert will produce the error above upon import).

If the signed certificate is successfully installed, the command will return "Certificate reply was installed in keystore".

If you have intermediate certs (Example: DigiCertCA.crt) install them as well.
<pre>
# keytool -import -alias intermediate_crt_name -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file intermediate.crt -storepass zimbra
</pre>

=== Copy the commercial keystore over the zimbra mailbox keystore ===
''Note: This will overwrite the keystore currently in place.''

for 4.x
<pre>
# cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore
# tomcat restart
</pre>
  
=== Extract the private key for use with postfix, perdition, ldap ===
The certificate install process so far only applies to the Zimbra services handled by tomcat or jetty (https, ssl pop, ssl imap). In order to use the certificate for other Zimbra network services (postfix/smtp, imapproxy, etc), you'll need to get your cert and key in standard .pem format. If you only have a java keystore file, you'll have to follow steps 1 and 2; otherwise you can skip to step 3. There are four steps: 1. Export the private key from the keystore, 2. Decrypt the private key, 3. Append any intermediate certs, 4. Copy the certificate and key files into place. Those with a Zimbra Support contract may contact support to handle steps 1 and 2.

1. In this case you have to get the key from /opt/zimbra/ssl/ssl/commercial.keystore (this can be a bit complicated). More complete instructions are at [http://mark.foster.cc/kb/openssl-keytool.html Mark Foster's page], or here is an abbreviated version that will work on most UN*Xes:
<pre><nowiki>wget http://mark.foster.cc/pub/java/ExportPriv.java
javac ExportPriv.java
java ExportPriv /opt/zimbra/ssl/ssl/commercial.keystore tomcat zimbra > my.key
</nowiki></pre>

If you are using one of the latest 4.5.x builds, they use JDK 1.6 and ExportPriv.java will not compile because of sun.misc.BASE64Encoder. After you download ExportPriv.java, but before running javac, do the following extra steps:

Create an ExportPriv.patch file with this code:
<pre><nowiki>
--- ExportPriv.java 2005-03-26 12:34:13.000000000 -0500
+++ ExportPriv.java.new 2008-01-12 01:20:44.000000000 -0500
@@ -1,8 +1,8 @@
// How to export the private key from keystore?
// Does keytool not have an option to do so?
// This example use the "testkeys" file that comes with JSSE 1.0.3
+// Alexey Zilber: Ported to work with Base64Coder: http://www.source-code.biz/snippets/java/2.htm
-import sun.misc.BASE64Encoder;
import java.security.cert.Certificate;
import java.security.*;
import java.io.File;
@@ -10,9 +10,6 @@
class ExportPriv {
    public static void main(String args[]) throws Exception{
-  for (int i = 0; i < args.length; i++) {
-          System.out.println(i + ": "+ args[i]);
-      }
        if (args.length < 2) {
            //Yes I know this sucks (the password is visible to other users via ps
            // but this was a quick-n-dirty fix to export from a keystore to pkcs12
@@ -29,8 +26,6 @@
    KeyStore ks = KeyStore.getInstance("JKS");
    char[] passPhrase = pass.toCharArray();
-   BASE64Encoder myB64 = new BASE64Encoder();
-
    File certificateFile = new File(fileName);
    ks.load(new FileInputStream(certificateFile), passPhrase);
@@ -38,9 +33,8 @@
    KeyPair kp = getPrivateKey(ks, aliasName, passPhrase);
    PrivateKey privKey = kp.getPrivate();
-
-  String b64 = myB64.encode(privKey.getEncoded());
+  char[] b64 = Base64Coder.encode(privKey.getEncoded());
    System.out.println("-----BEGIN PRIVATE KEY-----");
    System.out.println(b64);
@@ -73,5 +67,3 @@
}
-
-
</nowiki></pre>
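Review bot: the header of hunk 1 ("@@ -1,8 +1,8 @@") promises eight old and eight new lines, but only seven of each are visible (three context lines, the added comment, the removed import, three context lines); hunk 3 ("@@ -29,8 +26,6 @@") shows six lines for a declared eight, hunk 4 ("@@ -38,9 +33,8 @@") shows seven for a declared nine, and hunk 5 ("@@ -73,5 +67,3 @@") shows three for a declared five, so the empty context lines (a lone space) were lost when the patch was pasted into the wiki. As copied, "patch < ExportPriv.patch" will stop with a malformed-patch error at the first of these hunks; either regenerate the file with "diff -u ExportPriv.java ExportPriv.java.new" and paste it inside the nowiki block unchanged, or put the blank context lines back and recount the headers before publishing.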
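Review bot: the three removed lines in hunk 2 ("@@ -10,9 +10,6 @@", the "for (int i = 0; i < args.length; i++)" loop) did more than add noise: because the documented invocation is "java ExportPriv ... tomcat zimbra > my.key", that loop was writing the keystore password (the third argument) into the exported key file on every run, and the description above should say that this is what the hunk fixes. The surviving comment about the password being visible to other users via ps still holds for the new version, so reading it with System.console().readPassword() instead of taking it from args would be the natural follow-up.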
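Review bot: in hunk 4 ("@@ -38,9 +33,8 @@") the replacement "char[] b64 = Base64Coder.encode(privKey.getEncoded());" feeds the unchanged "System.out.println(b64);", which prints the whole key as a single line, whereas the removed sun.misc.BASE64Encoder.encode broke its output into 76-character lines; RFC 7468 asks generators to wrap the PEM body at 64 characters, so split the char[] into 64-character lines before printing (or run the output through "fold -w 64" for the lines between the BEGIN and END markers) to get a file every PEM reader accepts.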
  
Download Christian d'Heureuse's [http://www.source-code.biz/snippets/java/2.htm Base64Coder.java], and do the following:
<pre><nowiki>wget http://www.source-code.biz/snippets/java/Base64Coder.java.txt -O 'Base64Coder.java'
patch < ExportPriv.patch
</nowiki></pre>

Then proceed as per the instructions.
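If you would rather not download and patch ExportPriv.java, the following added example (it is not Mark Foster's program, not Zimbra code, and not from this page) does the same export with the java.util.Base64 class that ships with Java 8 and later, so it needs no patch and no third-party class. Because the 4.5.x builds bundle JDK 1.6, compile and run it with a newer JDK on any machine you trust with a copy of commercial.keystore. The class name ExportPrivateKey and the two-argument usage in its header are assumptions of the example; it reads both passwords from the terminal instead of the command line (the ps exposure the original comment mentions), and it wraps the PEM body at 64 columns so that "openssl rsa -in my.key" in step 2 reads it directly.

```java
// ExportPrivateKey.java: added example, not Mark Foster's ExportPriv.java and not Zimbra code.
// Exports the private key stored under an alias of a JKS keystore as an unencrypted PKCS#8
// PEM block, the same shape of output as the ExportPriv + Base64Coder recipe above.
// Usage (assumed): java ExportPrivateKey /opt/zimbra/ssl/ssl/commercial.keystore tomcat > my.key
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.Base64;

public class ExportPrivateKey {

    /** Wraps DER bytes in PEM armor with 64-column lines, as RFC 7468 requires of generators. */
    static String toPem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    /** Loads the JKS keystore and returns the PKCS#8 PEM for alias, failing if it is not a key entry. */
    static String exportKey(InputStream keystore, char[] storePass, String alias, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(keystore, storePass);
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("alias '" + alias + "' is not a private key entry");
        }
        Key key = ks.getKey(alias, keyPass);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("alias '" + alias + "' did not yield a private key");
        }
        // For an RSA key getEncoded() is PKCS#8 DER, hence the "PRIVATE KEY" label; step 2
        // ("openssl rsa -in my.key -out my.key.dec") turns it into the traditional RSA form.
        return toPem("PRIVATE KEY", key.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ExportPrivateKey <keystore> <alias>  > my.key");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("no terminal available to read the keystore password");
            System.exit(2);
        }
        char[] storePass = console.readPassword("Keystore password: ");
        // keytool -genkey above accepted RETURN for "same as keystore password", so default to that.
        char[] keyPass = console.readPassword("Key password (RETURN if same as keystore password): ");
        if (keyPass.length == 0) {
            keyPass = storePass;
        }
        try (InputStream in = new FileInputStream(args[0])) {
            System.out.print(exportKey(in, storePass, args[1], keyPass));
        } finally {
            Arrays.fill(storePass, '\0');   // do not leave password material in the heap longer than needed
            Arrays.fill(keyPass, '\0');
        }
    }
}
```

Redirect stdout to my.key exactly as with ExportPriv; the prompts go to the terminal, not into the file. The resulting my.key is unencrypted, so give it the same 0600 permissions and zimbra ownership as the keystore before moving on to step 2.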
  
  
2. Decrypt the private key.
<pre><nowiki>openssl rsa -in my.key -out my.key.dec
</nowiki></pre>

3. Append any intermediate certificates to the certificate file.

If you have a certificate that requires an intermediate certificate or certificates, append the intermediate certificate(s) to the end of my.crt. Otherwise the certificate chain will be incomplete. You may need to download these certs from the CA; GoDaddy, for example, sends two intermediate crt's in a zip file (gd_cross_intermediate.crt and gd_intermediate.crt). If you have two intermediate certificates ca_int1.crt and ca_int2.crt from the CA, add them to the cert as follows.
<pre><nowiki>keytool -export -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -file exported.crt

openssl x509 -out exported-pem.crt -outform pem -text -in exported.crt -inform der

cat exported-pem.crt ca_int1.crt ca_int2.crt >> my.crt
</nowiki></pre>
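Whether the chain lives in the keystore (the "Import the cert into the commercial keystore" section, where the intermediates are imported as separate aliases) or in the my.crt bundle just built, the failure mode is the same: a leaf without its intermediates, certificates in the wrong order, or the same certificate appended twice (the "cat ... >> my.crt" line above appends to whatever my.crt already holds). The following added checker, not Zimbra code and not from this page, reads either source and reports those problems before the files are copied into place; it needs Java 8 or later, the class name CheckChain and its two argument forms are assumptions of the example, and it compares the leaf CN exactly (a wildcard or SAN-only certificate will show up as a mismatch you can judge yourself).

```java
// CheckChain.java: added example for this guide, not Zimbra code. Checks a certificate chain
// taken from a JKS keystore alias (commercial.keystore or the deployed tomcat/jetty keystore)
// or from a PEM bundle such as my.crt with the intermediates appended.
// Usage (assumed): java CheckChain jks <keystore> <alias> <hostname>
//                  java CheckChain pem <bundle.crt> <hostname>
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CheckChain {

    /** The chain stored under alias, leaf first, exactly as "keytool -list -v" prints it. */
    static List<X509Certificate> fromKeystore(InputStream in, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(in, storePass);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) throw new IllegalArgumentException("no key entry with a chain under alias " + alias);
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : chain) out.add((X509Certificate) c);
        return out;
    }

    /** Every CERTIFICATE block of a concatenated PEM file, in file order (leaf expected first). */
    static List<X509Certificate> fromPem(InputStream in) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
            out.add((X509Certificate) c);
        }
        return out;
    }

    static String commonName(X509Certificate c) throws Exception {
        for (Rdn rdn : new LdapName(c.getSubjectX500Principal().getName()).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) return rdn.getValue().toString();
        }
        return "";
    }

    static boolean isSelfSigned(X509Certificate c) {
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    /** Returns the problems found; an empty list means the chain is usable for hostname. */
    static List<String> problems(List<X509Certificate> chain, String hostname) throws Exception {
        List<String> issues = new ArrayList<>();
        if (chain.isEmpty()) { issues.add("no certificates found"); return issues; }
        if (!commonName(chain.get(0)).equalsIgnoreCase(hostname)) {
            issues.add("first certificate has CN=" + commonName(chain.get(0)) + ", expected " + hostname
                    + " (wrong order, or the server certificate was not imported under this alias)");
        }
        Set<X509Certificate> seen = new HashSet<>();   // Certificate.equals compares the DER encodings
        Date now = new Date();
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            String subject = c.getSubjectX500Principal().getName();
            if (!seen.add(c)) issues.add("duplicate certificate for " + subject + " (appended twice?)");
            try { c.checkValidity(now); } catch (Exception e) { issues.add(subject + " is not valid today: " + e.getMessage()); }
            if (i + 1 < chain.size()) {
                try { c.verify(chain.get(i + 1).getPublicKey()); }
                catch (Exception e) { issues.add(subject + " is not signed by the certificate that follows it"); }
            }
        }
        if (chain.size() == 1 && !isSelfSigned(chain.get(0))) {
            issues.add("only the server certificate is present; the CA intermediate(s) are missing");
        }
        return issues;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain;
        String hostname;
        if (args.length == 4 && args[0].equals("jks")) {
            if (System.console() == null) { System.err.println("need a terminal to read the keystore password"); System.exit(2); }
            char[] pass = System.console().readPassword("Keystore password: ");
            try (InputStream in = new FileInputStream(args[1])) { chain = fromKeystore(in, pass, args[2]); }
            hostname = args[3];
        } else if (args.length == 3 && args[0].equals("pem")) {
            try (InputStream in = new FileInputStream(args[1])) { chain = fromPem(in); }
            hostname = args[2];
        } else {
            System.err.println("usage: java CheckChain jks <keystore> <alias> <hostname> | pem <bundle.crt> <hostname>");
            System.exit(2);
            return;
        }
        for (int i = 0; i < chain.size(); i++) {
            System.out.println(i + ": " + chain.get(i).getSubjectX500Principal().getName()
                    + "   issued by " + chain.get(i).getIssuerX500Principal().getName());
        }
        List<String> issues = problems(chain, hostname);
        for (String p : issues) System.out.println("PROBLEM: " + p);
        if (issues.isEmpty()) {
            System.out.println("OK: chain is consistent" + (isSelfSigned(chain.get(chain.size() - 1))
                    ? " and ends in a self-signed root" : "; root not included (clients take it from their trust store)"));
        }
        System.exit(issues.isEmpty() ? 0 : 1);
    }
}
```

A chain that does not end in a self-signed root is normal for a server (clients carry the root); a chain of length one that is not self-signed is the case the GoDaddy walkthrough later on this page avoids by importing the intermediate and cross certificates before the server certificate. Run the jks form against /opt/zimbra/ssl/ssl/commercial.keystore after the imports, and the pem form against my.crt before the symlinks in step 4 are created.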
4. Install your key and crt for other apps.
<pre><nowiki>
ln -s my.crt slapd.crt
ln -s my.key slapd.key
ln -s my.crt perdition.pem
ln -s my.key perdition.key
#for 5.x add links for nginx too
ln -s my.crt nginx.crt
ln -s my.key nginx.key
</nowiki></pre>

'''Note: You'll need to restart any services that use the certificates in order for the new certificate to be used.'''
= CACert SSL Certificate Procedure =

For those who would like to use a [http://www.cacert.org/ CACert] signed certificate for their Zimbra.

== Add CACert's Root CA certificates ==

Remove the self signed CA.
<pre><nowiki>keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit</nowiki></pre>

Download CACert's Root CAs from [http://www.cacert.org/certs/root.crt Class 1 PKI Key] and [http://www.cacert.org/certs/class3.crt Class 3 PKI Key] and save them to a file.

Import these two CAs into Java.
<pre><nowiki>keytool -import -alias cacertclass1ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -trustcacerts -file root.crt
keytool -import -alias cacertclass3ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -trustcacerts -file class3.crt</nowiki></pre>

== Generate a CSR for tomcat ==

Same as in case of [[4.x_Commercial_Certificates_Guide#1._Generate_a_CSR_for_tomcat|Generate a CSR for tomcat]].

== Submit the CSR to CACert certificate authority ==

* Login to [http://www.cacert.org/ CACert].
* Select "Server Certificates" or "Org Server Certs" New
* Paste the content of your /opt/zimbra/ssl/ssl/commercial.csr and Submit it.
* Copy the content between the begin and end marker (including them)
<pre>-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----</pre>
into a file my.crt.

== Install your new CRT ==

Note: You may want to save your existing certs; see the "Back up existing certificates" section of the [[SSL_Certificate_Problems#Back_up_existing_certificates|Cert Issues]] page.

== Import the new CRT ==

Import the new CRT into the commercial keystore.
<pre><nowiki>keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file my.crt -storepass zimbra</nowiki></pre>

Copy it into tomcat.
<pre><nowiki>cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore</nowiki></pre>

The same applies if you are renewing a CACert certificate (and probably any certificate). Just import it; DO NOT DELETE the old one from the keystore, as that will delete the root CA reference also. By just importing the renewed certificate, the root CA in the chain is preserved. To see the certificates in your chain do:
<pre><nowiki>keytool -list -v -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra</nowiki></pre>

== You can use the same CRT for other services. ==
See [[4.x_Commercial_Certificates_Guide#D._Extract_the_private_key_for_use_with_postfix.2C_perdition.2C_ldap|step 2D]] of the general certificate process.
  
 
= PEM Format Commercial SSL Cert Install Procedure=

== Delete Existing Certs ==
delete the self generated CA from java's list of trusted CA certs
:keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
for 4.x, delete the private key for tomcat
:keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
:for 4.5.9, the storepass is hidden in ''zmlocalconfig -s tomcat_truststore_password''
for 5.0rc1, delete jetty's private key

you'll have to look up the keystore's password
:zmlocalconfig -s mailboxd_keystore_password
:keytool -delete -alias jetty -keystore /opt/zimbra/jetty/etc/keystore -storepass YOURPASSHERE

==Add the CA certificate to java's list of trusted certs==
:keytool -import -alias YOUR_CA_NAME -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /PATH/TO/YOUR/CACERT
  
 
=Commercial SSL Certificates for Tomcat / Java=

Convert your certificate and key files to a combined PKCS12 format certificate:
<pre><nowiki>openssl pkcs12 -inkey /path/to/file.key -in /path/to/file.crt -export -out file.pkcs12</nowiki></pre>
When prompted for an export password, use '''zimbra'''.

Convert the PKCS12 certificate to a Java Keystore format (JKS):

for 4.x

Download the [http://jetty.mortbay.com/ Jetty] package, as it contains a useful class that can convert PKCS12 format certificates to JKS format certificates. Version 5.1.x of Jetty is recommended.
<pre><nowiki>java -classpath $JETTY_HOME/lib/org.mortbay.jetty.jar org.mortbay.util.PKCS12Import file.pkcs12 keystore</nowiki></pre>
Note: make sure to set the keystore password to whatever Zimbra expects ("zimbra")

for 5.0rc1 jetty is already installed
<pre><nowiki>java -cp /opt/zimbra/jetty/lib/jetty-6.1.5.jar org.mortbay.jetty.security.PKCS12Import yourfile.pkcs12 keystore</nowiki></pre>
Note: set the password to the value stored in zmlocalconfig -s mailboxd_keystore_password

Identify the alias that was imported (it may be "1" or something else, depending on how the pkcs12 file was made):
<pre><nowiki>keytool -keystore keystore -list </nowiki></pre>

Clone the new keystore certificate stored under youralias to the alias "tomcat":

for 4.x
<pre><nowiki>keytool -keystore keystore -keyclone -alias youralias -dest tomcat</nowiki></pre>
for 5.0rc1
<pre><nowiki>keytool -keystore keystore -keyclone -alias youralias -dest jetty</nowiki></pre>
keep the password you selected above.

Delete the certificate stored under youralias:
<pre><nowiki>keytool -delete -alias youralias -keystore keystore</nowiki></pre>
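The PKCS12Import, "keytool -list", "-keyclone" and "-delete" steps above can be collapsed into one program that needs neither Jetty nor alias guessing. The following is an added example (not Jetty's PKCS12Import, not Zimbra code, and not from this page): it opens file.pkcs12 with the standard KeyStore API, locates the single key entry whatever its alias, and writes it to a new JKS keystore directly under "tomcat" (4.x) or "jetty" (5.0rc1). The class name Pkcs12ToJks and its argument order are assumptions; it needs Java 7 or later, so compile it with a current JDK and copy the resulting keystore to the server, where the JKS format is read by JDK 1.5 and 1.6 unchanged.

```java
// Pkcs12ToJks.java: added example, not Zimbra's or Jetty's PKCS12Import. Converts the
// openssl-produced file.pkcs12 into a JKS keystore with the key under the alias Zimbra
// expects, so no -keyclone / -delete round trip is needed afterwards.
// Usage (assumed): java Pkcs12ToJks file.pkcs12 keystore tomcat     (or ... jetty for 5.0rc1)
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

public class Pkcs12ToJks {

    /** Finds the one key entry in the PKCS#12 store; refuses to guess if there are several. */
    static String findKeyAlias(KeyStore p12) throws Exception {
        String found = null;
        for (String alias : Collections.list(p12.aliases())) {
            if (p12.isKeyEntry(alias)) {
                if (found != null) throw new IllegalStateException("more than one key entry: " + found + ", " + alias);
                found = alias;
            }
        }
        if (found == null) throw new IllegalStateException("the PKCS#12 file contains no private key entry");
        return found;
    }

    /** Copies the key entry and its certificate chain into a fresh JKS keystore under newAlias. */
    static KeyStore convert(InputStream p12Stream, char[] p12Pass, String newAlias, char[] jksPass) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(p12Stream, p12Pass);
        String alias = findKeyAlias(p12);
        Key key = p12.getKey(alias, p12Pass);          // openssl pkcs12 -export uses one password for both
        Certificate[] chain = p12.getCertificateChain(alias);
        if (chain == null || chain.length == 0) throw new IllegalStateException("no certificate chain stored with " + alias);
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);                           // start from an empty keystore
        // Tomcat and Jetty unlock the key with the keystore password, so the entry gets the same one.
        jks.setKeyEntry(newAlias, key, jksPass, chain);
        return jks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java Pkcs12ToJks <file.pkcs12> <keystore-to-write> <alias: tomcat|jetty>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("no terminal available to read the passwords");
            System.exit(2);
        }
        char[] p12Pass = console.readPassword("PKCS#12 export password: ");
        char[] jksPass = console.readPassword("Keystore password Zimbra expects (zimbra, or mailboxd_keystore_password on 5.0rc1): ");
        KeyStore jks;
        try (InputStream in = new FileInputStream(args[0])) {
            jks = convert(in, p12Pass, args[2], jksPass);
        }
        try (OutputStream out = new FileOutputStream(args[1])) {
            jks.store(out, jksPass);
        }
        System.out.println("wrote " + args[1] + ": alias " + args[2] + " with a chain of "
                + jks.getCertificateChain(args[2]).length + " certificate(s)");
    }
}
```

If the chain length printed at the end is 1 while your CA uses intermediates, the intermediates were not in the .crt file given to "openssl pkcs12"; append them to that file and export again rather than importing them into the keystore afterwards.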
  
Alternative: Use this source to directly create a keystore without having to download jetty. '''This only works for 4.x'''

- Tip: when creating file.pkcs12, set "zimbra" as password.

=Commercial SSL Certificates for Postfix=
If you receive your certificates in the more or less standard PEM format, you need to do the following:

Decrypt the certificate key:
<pre><nowiki>openssl rsa -in file.key -out file.key.decrypted</nowiki></pre>
Move the cert and decrypted key into place:
<pre><nowiki>
mv file.crt /opt/zimbra/conf/smtpd.crt
mv file.key.decrypted /opt/zimbra/conf/smtpd.key
</nowiki></pre>

=GlobalSign SSL References=
#[http://www.globalsign.com/ GlobalSign Homepage]
#[http://www.globalsign.com/support/ssl.php GlobalSign SSL Support Page] - search for tomcat installation.

=QuickSSL References=
#[http://www.quickssl.com/ QuickSSL Homepage]
#[http://www.quickssl.com/support/knowledge_base/index.asp QuickSSL Knowledgebase] - search for tomcat installation.
  
=GoDaddy Instructions=

(You will be prompted for passwords. Use zimbra for all passwords)

'''1. Create keystore:'''
<pre><nowiki>su - zimbra
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore</nowiki></pre>

'''2. Create CSR (you are creating the commercial.csr file):'''
<pre><nowiki>keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore</nowiki></pre>

Note: when it asks you for your first and last name, use the common name of your server. For example, if you will ultimately use zimbra.company.com as the URL, then that is your common name.

'''3. Open the contents of the commercial.csr file and copy and paste into GoDaddy's CSR submission form.'''

'''4. Receive digital cert from GoDaddy as a zip file.''' Unzip and copy the cert and intermediate cert to a directory on the server. For simplicity, complete the commands below from that directory.

'''5. Import intermediate and root certs from GoDaddy.''' The intermediate cert is included in the zip file. The root cert is not. Download the root cert for GoDaddy from: https://certificates.starfieldtech.com/Repository.go

To import root cert:
<pre><nowiki>keytool -import -alias root -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file valicert_class2_root.crt</nowiki></pre>

Note: As of 4/2/2007 - Using RHEL 4 with all updates the Root cert was not needed.

'''Update: 4/2/2007''' - Go to this page: https://certificates.godaddy.com/Repository.go Download the '''gd_cross_intermediate.crt.''' You should have received gd_intermediate.crt as part of the zip file from GoDaddy. You will need the cross and the intermediate certificates in order to create the "chain".

'''To import intermediate cert:'''
<pre><nowiki>keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_intermediate.crt</nowiki></pre>

'''To import the cross cert:'''
<pre><nowiki>keytool -import -alias cross -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_cross_intermediate.crt</nowiki></pre>

'''6. Import digital cert into keystore:'''
<pre><nowiki>keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file [FileNameofCert] -storepass zimbra</nowiki></pre>

'''7. Copy the keystore to zimbra Tomcat keystore:'''
<pre><nowiki>cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore</nowiki></pre>

'''8. Tomcat restart'''

'''9. To turn on HTTPS you must use the zmtlsctl https to allow http and https logins OR zmtlsctl mixed to force https logins but all other traffic will be http.'''
 
  
 
=Mac OSX Note=

=Relevant Documents=
#[http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html Apache Jakarta Tomcat documentation]

[[Category: SSL/TLS]]
[[Category: Certificates]]
[[Category: ZCS 4.5]]

Latest revision as of 19:31, 25 March 2015

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 4.5 Article ZCS 4.5

FOR 5.x servers, please do not use this page

General Commercial SSL Certificate Procedure (Please read and understand this first)

  • Self-signed certificate directions can be found here: SSL_Certificate_Problems
  • Please read all instructions and pay attention to specific 4.5(and prior) vs 5.0 sections & notes.
  • DO NOT USE THIS DOCUMENT FOR ZCS Versions 5.0.0_GA and ABOVE. Use the Certificate wizard in the Admin Console of your installation to generate a commercial CSR.

Using a pre-existing certificate from another server

If you already have an "apache style" PEM or DER format certificate for this server hostname, and want to re-use it, this forum thread has been condensed to the PEM format certificate conversion section below.

Getting a certificate for MTA

If you are installing a commcercial certificate for the MTA and or LDAP, you can simply
acquire a certificate for postfix in "PEM" format and save the signed cert and the key
in /opt/zimbra/conf directory and reload postfix 

Generate a certificate signing request (CSR) for tomcat

Create a commercial keystore

Notes:

  1. The file we call "commercial.keystore" in this guide is just an intermediate working file, which you will eventually copy into place in /opt/zimbra/tomcat/conf/keystore (until ZCS 4.5.x) or /opt/zimbra/jetty/etc/keystore (starting in ZCS 5.0).
  2. Make sure you create a new file; if you are updating certificates and there is already a commercial.keystore, rename it or use a different name for these steps.
  3. Make sure you save the new commercial.keystore file; you will import the server certificate and any intermediate certificates from the CA into this keystore before deploying it for tomcat or jetty.

For 4.x

# su - zimbra
# keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore

Use "zimbra" for the keystore password, and the hostname of your server for the first/last name.

Note: In versions of ZCS up to and including 4.5.6, you must use "zimbra" for the keystore password; starting with ZCS 4.5.7, this will be configurable through the zmlocalconfig parameter tomcat_keystore_password. If your organization is Acme Co in San Francisco CA, with the zimbra mail server mailhost.domain.com, the process will look like this:

   zimbra@mailhost$ keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore
   Enter keystore password:  zimbra
   What is your first and last name?
     [Unknown]:  mailhost.domain.com
   What is the name of your organizational unit?
     [Unknown]:  Acme Co
   What is the name of your organization?
     [Unknown]:  Acme Co
   What is the name of your City or Locality?
     [Unknown]:  San Francisco
   What is the name of your State or Province?
     [Unknown]:  California
   What is the two-letter country code for this unit?
     [Unknown]: US
   Is CN=mailhost.domain.com, OU=Acme Co, O=Acme Co, L=San Francisco, ST=CA, C=US correct?
     [no]:  y

   Enter key password for <tomcat>
          (RETURN if same as keystore password):

Starting with ZCS version 4.5.6, we are generating a random password for the keystore. This password can be retrieved via "zmlocalconfig -s -m nokey tomcat_keystore_password". If you specify zimbra as the password for the commercial.keystore, tomcat won't start due to a keystore password mismatch.

The workaround is to:
  1. retrieve the current keystore password and use it when creating the commercial.keystore OR
  2. use zimbra as the password and when you are done with the process, change the keystore password to be zimbra
# zmlocalconfig -e tomcat_keystore_password=zimbra
# tomcat restart

I recommend using option 2, since it is less hassle.

Create the certificate request file

Remember the password is "zimbra"; this should all be on one line:

# keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore

The result is in the file commercial.csr:

cat /opt/zimbra/ssl/ssl/commercial.csr

-----BEGIN NEW CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END NEW CERTIFICATE REQUEST-----

Acquire and install the certificate

Note: Be sure to save your existing certs; see the "Back up existing certificates" section of the Cert Issues page.

Submit the CSR to the certificate authority of choice

To turn that into a certificate, you'll need to paste it into the web form of your favorite certificate vendor (verisign.com, godaddy, etc.) and they'll take some money from you and return a certificate as a file we'll call my.crt.

Import the cert into the commercial keystore

Note: Make sure to make a copy of the "commercial.keystore" after generating the CSR. If you end up damaging this file without backing it up, it will be necessary to create a new keystore and submit a new CSR to the Certificate Authority.

For 4.x

# keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file my.crt -storepass zimbra


Note: If this returns the error "keytool error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data", you may need to convert the certificate from PEM-encoded to DER-encoded. Keep in mind that the default encoding for OpenSSL is PEM (i.e. an OpenSSL-produced signed cert will produce the error above upon import).

If the signed certificate is successfully installed, the command will return "Certificate reply was installed in keystore".
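A helper for the PEM-versus-DER import error described in the note above, as an added example that is not part of the original page: it detects the encoding of the CA reply, writes the DER form keytool -import accepts, and reports the subject CN so you can confirm it is the hostname you put in the CSR. It assumes only the openssl CLI; the function names are my own.

```shell
# cert_to_der <in> <out>: converts a PEM certificate to DER, passes a DER file
# through unchanged, and prints "pem" or "der" for the encoding it detected.
# Returns 1 if the input is neither.
cert_to_der() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        # OpenSSL's default output (the case the note warns about) is PEM
        openssl x509 -in "$1" -inform pem -outform der -out "$2" 2>/dev/null || return 1
        echo pem
    elif openssl x509 -in "$1" -inform der -noout 2>/dev/null; then
        cp "$1" "$2" || return 1
        echo der
    else
        echo "$1: not a PEM or DER certificate" >&2
        return 1
    fi
}

# cert_cn <der-file>: prints the subject CN of a DER certificate. RFC 2253 name
# formatting keeps the output stable across OpenSSL versions.
cert_cn() {
    openssl x509 -in "$1" -inform der -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```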

If you have intermediate certs (Example: DigiCertCA.crt) install them as well.

# keytool -import -alias intermediate_crt_name -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file intermediate.crt -storepass zimbra


Copy the commercial keystore over the zimbra mailbox keystore

Note: This will overwrite the keystore currently in place.

for 4.x

# cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore
# tomcat restart


Extract the private key for use with postfix, perdition, ldap

The certificate install process so far only applies to the Zimbra services handled by tomcat or jetty (https, ssl pop, ssl imap). In order to use the certificate for other Zimbra network services (postfix/smtp, imapproxy, etc.), you'll need to get your cert and key in standard .pem format. If you only have a java keystore file, you'll have to follow steps 1 and 2; otherwise you can skip to step 3. There are four steps: 1. Export the private key from the keystore, 2. Decrypt the private key, 3. Append any intermediate certs, 4. Copy the certificate and key files into place. Those with a Zimbra Support contract may contact support to handle steps 1 and 2.

1. In this case you have to get the key from /opt/zimbra/ssl/ssl/commercial.keystore (this can be a bit complicated.) More complete instructions at Mark Foster's page, or here is an abbreviated version that will work on most UN*Xes:

wget http://mark.foster.cc/pub/java/ExportPriv.java
javac ExportPriv.java
java ExportPriv /opt/zimbra/ssl/ssl/commercial.keystore tomcat zimbra > my.key

If you are using one of the latest 4.5.x builds, they use JDK 1.6 and ExportPriv.java will not compile because of sun.misc.BASE64Encoder. After you download ExportPriv.java, but before running javac, do the following extra steps:

Create a ExportPriv.patch file with this code:

--- ExportPriv.java 2005-03-26 12:34:13.000000000 -0500
+++ ExportPriv.java.new 2008-01-12 01:20:44.000000000 -0500
@@ -1,8 +1,8 @@
 // How to export the private key from keystore?
 // Does keytool not have an option to do so?
 // This example use the "testkeys" file that comes with JSSE 1.0.3
+// Alexey Zilber: Ported to work with Base64Coder: http://www.source-code.biz/snippets/java/2.htm

-import sun.misc.BASE64Encoder;
 import java.security.cert.Certificate;
 import java.security.*;
 import java.io.File;
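Review bot: the removed `import sun.misc.BASE64Encoder;` is not paired with an import for Base64Coder, so the javac step that follows only succeeds if the downloaded Base64Coder.java is in the default package and sits in the same directory as ExportPriv.java; if that file declares a `package`, add the matching import (or drop its package line) before compiling.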
@@ -10,9 +10,6 @@

 class ExportPriv {
     public static void main(String args[]) throws Exception{
-   for (int i = 0; i < args.length; i++) {
-           System.out.println(i + ": "+ args[i]);
-       }
        if (args.length < 2) {
            //Yes I know this sucks (the password is visible to other users via ps
            // but this was a quick-n-dirty fix to export from a keystore to pkcs12
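Review bot: removing the argument-echo loop is necessary rather than cosmetic: with the documented invocation `java ExportPriv ... > my.key`, the `System.out.println(i + ": "+ args[i])` lines, including the keystore password passed as the third argument, would land at the top of my.key and break the PEM framing that `openssl rsa` reads in step 2. The retained comment about the password being visible via ps still holds for the patched version.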
@@ -29,8 +26,6 @@
    KeyStore ks = KeyStore.getInstance("JKS");

    char[] passPhrase = pass.toCharArray();
-   BASE64Encoder myB64 = new BASE64Encoder();
-

    File certificateFile = new File(fileName);
    ks.load(new FileInputStream(certificateFile), passPhrase);
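Review bot: the last context line `ks.load(new FileInputStream(certificateFile), passPhrase);` never closes the stream; since the adjacent lines are being edited anyway, hold the FileInputStream in a variable and close it in a finally block. The removal of the unused BASE64Encoder instance itself is fine.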
@@ -38,9 +33,8 @@
    KeyPair kp = getPrivateKey(ks, aliasName, passPhrase);

    PrivateKey privKey = kp.getPrivate();
-

-   String b64 = myB64.encode(privKey.getEncoded());
+   char[] b64 = Base64Coder.encode(privKey.getEncoded());

    System.out.println("-----BEGIN PRIVATE KEY-----");
    System.out.println(b64);
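Review bot: `Base64Coder.encode` returns the base64 text as one unbroken char[], whereas the BASE64Encoder it replaces inserted line breaks, so the `-----BEGIN PRIVATE KEY-----` block printed on the following lines becomes a single very long line; older OpenSSL PEM readers expect 64-character lines and may reject the file in step 2 (`openssl rsa -in my.key`). Wrap the output at 64 characters before printing, or use a line-breaking variant of Base64Coder if the downloaded version provides one.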
@@ -73,5 +67,3 @@

 }

-
-

Download Christian d'Heureuse's Base64Coder.java, and do the following:

wget http://www.source-code.biz/snippets/java/Base64Coder.java.txt -O 'Base64Coder.java'
patch < ExportPriv.patch

Then proceed as per the instructions.


2. Decrypt the private key.

openssl rsa -in my.key -out my.key.dec

3. Append any intermediate certificates to your certificate file.

If you have a certificate that requires an intermediate certificate or certificates, append the intermediate certificate(s) to the end of my.crt. Otherwise the certificate chain will be incomplete. You may need to download these certs from the CA; GoDaddy, for example, sends two intermediate crt's in a zip file (gd_cross_intermediate.crt and gd_intermediate.crt). If you have two intermediate certificates ca_int1.crt and ca_int2.crt from the CA, add them to the cert as follows.

keytool -export -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -file exported.crt

openssl x509 -out exported-pem.crt -outform pem -text -in exported.crt -inform der

cat exported-pem.crt ca_int1.crt ca_int2.crt > my.crt

4. Install your key and crt for other apps.

cp my.crt /opt/zimbra/conf
cp my.key.dec /opt/zimbra/conf/my.key
cd /opt/zimbra/conf
chmod 444 my.crt
chmod 400 my.key
chown zimbra:zimbra my.crt
chown zimbra:zimbra my.key
ln -s my.crt smtpd.crt
ln -s my.key smtpd.key
ln -s my.crt slapd.crt
ln -s my.key slapd.key
ln -s my.crt perdition.pem 
ln -s my.key perdition.key
#for 5.x add links for nginx too
ln -s my.crt nginx.crt
ln -s my.key nginx.key


Note: You'll need to restart any services that use the certificates in order for the new certificate to be used.
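The checks a practitioner would want to run on the my.crt and my.key assembled in steps 2 to 4 before linking them into /opt/zimbra/conf, as an added example that is not part of the original page: the key must belong to the first certificate, the bundle must be leaf first followed by its issuers in order (the incomplete-chain failure mode step 3 warns about), and the key must not be readable by other users. It assumes only the openssl CLI; the function names are my own.

```shell
# split_pem_bundle <bundle> <dir>: writes one file per certificate (cert01.pem,
# cert02.pem, ...) and prints how many were found. Text outside the PEM markers,
# such as the -text dump from step 3, is ignored.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

# key_matches_cert <key> <bundle>: succeeds if the private key's public half equals
# the public key of the first certificate. Accepts the PKCS#8 key ExportPriv writes
# as well as a traditional RSA key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# chain_in_order <bundle>: succeeds if each certificate was issued by the one that
# follows it, i.e. leaf, then intermediates, which is what postfix and slapd expect.
chain_in_order() {
    dir=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$1" "$dir")
    [ "$count" -ge 1 ] || { rm -rf "$dir"; return 1; }
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$dir/$(printf 'cert%02d.pem' "$i")" -noout -issuer)
        subject=$(openssl x509 -in "$dir/$(printf 'cert%02d.pem' "$next")" -noout -subject)
        # strip the "issuer=" / "subject=" prefixes, then compare the DNs
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || { rm -rf "$dir"; return 1; }
        i=$next
    done
    rm -rf "$dir"
}

# key_is_private <key>: succeeds if the file mode is 400 or 600 (step 4 uses 400).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# check_zimbra_pem_pair <my.crt> <my.key>: all three checks; usage in a shell:
#   check_zimbra_pem_pair my.crt my.key && echo "ok to link into /opt/zimbra/conf"
check_zimbra_pem_pair() {
    key_matches_cert "$2" "$1" && chain_in_order "$1" && key_is_private "$2"
}
```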

CACert SSL Certificate Procedure

For those who would like to use a CACert-signed certificate for their Zimbra.

Add CACert's Root CA certificates

Remove the self signed CA.

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

Download CACert's Root CAs from Class 1 PKI Key and Class 3 PKI Key and save them to a file.

Import these two CAs into Java.

keytool -import -alias cacertclass1ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -trustcacerts -file root.crt
keytool -import -alias cacertclass3ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -trustcacerts -file class3.crt

Generate a CSR for tomcat

Same as in the "Generate a certificate signing request (CSR) for tomcat" section above.

Submit the CSR to CACert certificate authority

  • Login to CACert.
  • Select "Server Certificates" or "Org Server Certs" New
  • Paste the content of your /opt/zimbra/ssl/ssl/commercial.csr and Submit it.
  • Copy the content between the begin and end markers (including the markers themselves, -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into a file my.crt.

Install your new CRT

Note: You may want to save your existing certs; see the "Back up existing certificates" section of the Cert Issues page.

Import the new CRT

Import the new CRT into the commercial keystore.

keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file my.crt -storepass zimbra

Copy it into tomcat.

cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore

The same applies if you are renewing a CACert certificate (and probably any certificate). Just import it; DO NOT DELETE the old one from the keystore, as that will delete the root CA reference also. By just importing the renewed certificate, the root CA in the chain is preserved. To see the certificates in your chain do:

keytool -list -v -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

You can use the same CRT for other services.

See the "Extract the private key for use with postfix, perdition, ldap" section of the general certificate procedure above.

PEM Format Commercial SSL Cert Install Procedure

Delete Existing Certs

Delete the self-generated CA from java's list of trusted CA certs:

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

for 4.x, delete the private key for tomcat

keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
for 4.5.9, the storepass is hidden in zmlocalconfig -s tomcat_truststore_password

for 5.0rc1, delete jetty's private key

you'll have to look up the keystore's password

zmlocalconfig -s mailboxd_keystore_password
keytool -delete -alias jetty -keystore /opt/zimbra/jetty/etc/keystore -storepass YOURPASSHERE

Add the CA certificate to java's list of trusted certs

keytool -import -alias YOUR_CA_NAME -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /PATH/TO/YOUR/CACERT

Commercial SSL Certificates for Tomcat / Java

If you receive your certificates in the more or less standard PEM format, you need to do the following:

Convert your certificate and key files to a combined PKCS12 format certificate:

openssl pkcs12 -inkey /path/to/file.key -in /path/to/file.crt -export -out file.pkcs12

When prompted for an export password, use zimbra.

Convert the PKCS12 certificate to a Java Keystore format (JKS):

for 4.x

Download the Jetty package, as it contains a useful class that can convert PKCS12 format certificates to JKS format certificates. Version 5.1.x of Jetty is recommended.

java -classpath $JETTY_HOME/lib/org.mortbay.jetty.jar org.mortbay.util.PKCS12Import file.pkcs12 keystore

Note: make sure to set the keystore password to whatever Zimbra expects ("zimbra").

for 5.0rc1 jetty is already installed

java -cp /opt/zimbra/jetty/lib/jetty-6.1.5.jar org.mortbay.jetty.security.PKCS12Import yourfile.pkcs12 keystore

Note: set the password to the value stored in zmlocalconfig -s mailboxd_keystore_password


Identify the alias that was imported (may be "1" or it might be something else, depends on how the pkcs12 file was made)

keytool -keystore keystore -list 

Clone the new keystore certificate stored under youralias to the alias "tomcat":

for 4.x

keytool -keystore keystore -keyclone -alias youralias -dest tomcat

for 5.0rc1

keytool -keystore keystore -keyclone -alias youralias -dest jetty

Keep the password you selected above.

Delete the certificate stored under youralias:

keytool -delete -alias youralias -keystore keystore


Alternative: Use the AddCertToKeystore.java source below to directly create a keystore without having to download jetty. This only works for 4.x.

- Tip: when creating file.pkcs12, set "zimbra" as the password; the source uses it for both the PKCS12 file and the new keystore.

- First, compile the source by executing:

export CLASSPATH=/opt/zimbra/java/lib/tools.jar:.
/opt/zimbra/java/bin/javac AddCertToKeystore.java

- Second, execute the newly created .class file, giving it the PKCS12 file and the name of the keystore to generate (called keystore-new here):

/opt/zimbra/java/bin/java AddCertToKeystore file.pkcs12 keystore-new

- Copy new keystore-new to /opt/zimbra/tomcat/conf/keystore. I suggest to backup your old keystore before.

- Restart tomcat.

Source code for AddCertToKeystore.java

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;

class AddCertToKeystore {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("Usage: AddCertToKeystore <pkcs12_file> <keystore_file>");
            System.exit(1);
        }
        String pkcs12_file = args[0];
        String keystore_file = args[1];
        // "zimbra" is both the PKCS12 export password (see the tip above) and the
        // keystore password tomcat expects on 4.x
        char[] password = "zimbra".toCharArray();

        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

        // Load the pfx file containing Certificate + Private Key
        KeyStore temp = KeyStore.getInstance("PKCS12", "SunJSSE");
        FileInputStream in = new FileInputStream(pkcs12_file);
        try {
            temp.load(in, password);
        } finally {
            in.close();
        }

        // Create a new, empty JKS keystore
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, password);

        // Find the alias name of the certificate from the pfx file
        // (openssl pkcs12 -export normally produces a single entry)
        Enumeration aliasNames = temp.aliases();
        if (!aliasNames.hasMoreElements()) {
            System.err.println("No entries found in " + pkcs12_file);
            System.exit(1);
        }
        String alias = (String) aliasNames.nextElement();

        // Get the certificate chain and private key from .pfx
        Certificate c[] = temp.getCertificateChain(alias);
        Key key = temp.getKey(alias, password);

        // Store the Private Key + Certificate Chain under the alias tomcat uses
        keyStore.setKeyEntry("tomcat", key, password, c);

        // Write the keystore to disk
        FileOutputStream out = new FileOutputStream(keystore_file);
        try {
            keyStore.store(out, password);
        } finally {
            out.close();
        }
    }
}


GlobalSign SSL References

  1. GlobalSign Homepage
  2. GlobalSign SSL Support Page - search for tomcat installation.


QuickSSL References

  1. QuickSSL Homepage
  2. QuickSSL Knowledgebase - search for tomcat installation.




Mac OSX Note

In order for any changes on this page to go into the appropriate cacerts keystore on Mac OS X, substitute the OS X path for the Linux path wherever a command adds a cert to java's trusted certs:

Linux standard (from doc): /opt/zimbra/java/jre/lib/security/cacerts

OS X location: /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts

For example, the command to add a GoDaddy root cert from Valicert to the cacerts keystore would look like:

keytool -import -alias tomcat -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -trustcacerts -file /opt/zimbra/ssl/<your ssl root_keys path>/valicert_class2_root.crt -storepass changeit


Relevant Documents

  1. Apache Jakarta Tomcat documentation