Difference between revisions of "4.x Commercial Certificates Guide"

Line 1: Line 1:
'''Disclaimer:  This guide is a work in progress, it is not ready for production use.'''
+
=Commercial SSL Cert Install Procedure=
 +
==Jetty==
 +
Download the Jetty package, as it contains a useful class that can convert PKCS12 format certificates to JKS format certificates.
  
=Suggested Reading=
+
==Delete Existing Certs==
==Tomcat Documentation==
+
:keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
#[http://tomcat.apache.org/tomcat-5.5-doc/index.html Tomcat 5.5.x docs]
+
:keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
#[http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html Tomcat 5.5.x SSL HOWTO]
 
  
=Generic SSL Cert Install Procedure=
+
==Add the CA certificate==
==Add the chained certificate==
+
:keytool -import -keystore /path/to/keystore -import -trustcacerts -file /path/to/cacert.cer  
This certificate is the root certificate for your Certificate Authority where you purchased your commercial SSL certificate.   
 
  
=QuickSSL Certificates=
+
=Commercial SSL Certificates for Tomcat / Java=
Future info on how to install QuickSSL Certificates
+
If you receive your certificates in the more or less standard PEM format, you need to do the following:
==QuickSSL Installation==
 
I have no details for this part, since I've never got it working quite right. -JonnyRo
 
  
#Remove default CA
+
Convert your certificate and key files to a combined PKCS12 format certificate:
#Add QuickSSL root CA certificate
+
<pre><nowiki>openssl pkcs12 -inkey /path/to/file.key -in /path/to/file.crt -export -out file.pkcs12</nowiki></pre>
#Install SSL certs for mta
 
  
==QuickSSL References==
+
Convert the PKCS12 certificate to a Java Keystore format (JKS):
 +
<pre><nowiki>java -classpath $JETTY_HOME/lib/org.mortbay.jetty.jar org.mortbay.util.PKCS12Import file.pkcs12 keystore</nowiki></pre>
 +
Note: make sure to set to the keystore password to whatever Zimbra expects (usually "zimbra")
 +
 
 +
Clone the new keystore certificate stored under the alias "1" to the alias "tomcat":
 +
<pre><nowiki>keytool -keystore keystore -keyclone -alias 1 -dest tomcat</nowiki></pre>
 +
 
 +
Delete the certificate stored under the "1" alias:
 +
<pre><nowiki>keytool -delete -alias 1 -keystore keystore</nowiki></pre>
 +
 
 +
=Commercial SSL Certificates for Postfix=
 +
If you receive your certificates in the more or less standard PEM format, you need to do the following:
 +
 
 +
Decrypt the certificate key:
 +
<pre><nowiki>openssl rsa -in file.key -out file.key.decrypted</nowiki></pre>
 +
Move the cert and decrypted key into place:
 +
<pre><nowiki>
 +
mv file.crt /opt/zimbra/conf/smtpd.crt
 +
mv file.key.decrypted /opt/zimbra/conf/smtpd.key
 +
</nowiki></pre>
 +
=QuickSSL References=
 
#[http://www.quickssl.com/ QuickSSL Homepage]  
 
#[http://www.quickssl.com/ QuickSSL Homepage]  
 
#[http://www.quickssl.com/support/knowledge_base/index.asp QuickSSL Knowledgebase] - search for tomcat installation.
 
#[http://www.quickssl.com/support/knowledge_base/index.asp QuickSSL Knowledgebase] - search for tomcat installation.
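Review bot: the added `keytool -import` line under "Add the CA certificate" repeats `-import` and passes no `-alias`, so the CA certificate is stored under keytool's default alias `mykey` rather than the `my_ca` alias that "Delete Existing Certs" removes; drop the duplicate flag and add `-alias my_ca`. In the added Postfix section, `mv file.key.decrypted /opt/zimbra/conf/smtpd.key` puts an unencrypted private key in place without stating the owner or mode it should have; the step should say which permissions the key file needs.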

Revision as of 16:08, 28 March 2006

Commercial SSL Cert Install Procedure

Jetty

Download the Jetty package, as it contains a useful class that can convert PKCS12 format certificates to JKS format certificates.

Delete Existing Certs

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

Add the CA certificate

keytool -import -keystore /path/to/keystore -trustcacerts -file /path/to/cacert.cer

Commercial SSL Certificates for Tomcat / Java

If you receive your certificates in the more or less standard PEM format, you need to do the following:

Convert your certificate and key files to a combined PKCS12 format certificate:

openssl pkcs12 -inkey /path/to/file.key -in /path/to/file.crt -export -out file.pkcs12

Convert the PKCS12 certificate to a Java Keystore format (JKS):

java -classpath $JETTY_HOME/lib/org.mortbay.jetty.jar org.mortbay.util.PKCS12Import file.pkcs12 keystore

Note: make sure to set the keystore password to whatever Zimbra expects (usually "zimbra")

Clone the new keystore certificate stored under the alias "1" to the alias "tomcat":

keytool -keystore keystore -keyclone -alias 1 -dest tomcat

Delete the certificate stored under the "1" alias:

keytool -delete -alias 1 -keystore keystore

Commercial SSL Certificates for Postfix

If you receive your certificates in the more or less standard PEM format, you need to do the following:

Decrypt the certificate key:

openssl rsa -in file.key -out file.key.decrypted

Move the cert and decrypted key into place:

mv file.crt /opt/zimbra/conf/smtpd.crt
mv file.key.decrypted /opt/zimbra/conf/smtpd.key
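
The Postfix steps above leave the decrypted key with whatever mode it was created with, since `mv` does not change it. As an added example (not part of the original wiki page), this script refuses a key that is still passphrase-protected and installs the decrypted one with mode 0600; the function names are hypothetical and the sample key files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.
# Sample key files are constructed placeholders, not real key material.

# Succeeds if the PEM key in $1 is still passphrase-protected.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Succeeds only if group and others have no permission bits on $1.
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Copy decrypted key $1 to $2 with mode 0600; refuse encrypted keys.
install_key() {
    if key_is_encrypted "$1"; then
        echo "refusing: $1 is still passphrase-protected" >&2
        return 1
    fi
    tmp="$2.tmp.$$"
    ( umask 077 && cp "$1" "$tmp" ) && chmod 600 "$tmp" && mv "$tmp" "$2"
}

# Write constructed sample keys into directory $1.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/file.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/file.key.decrypted"
    chmod 644 "$1/file.key.decrypted"   # simulate a permissive umask
}

# Demo in a scratch directory standing in for /opt/zimbra/conf.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
install_key "$demo_dir/file.key" "$demo_dir/smtpd.key" 2>/dev/null \
    || echo "encrypted key rejected"
install_key "$demo_dir/file.key.decrypted" "$demo_dir/smtpd.key" \
    && key_mode_ok "$demo_dir/smtpd.key" && echo "smtpd.key installed, mode 0600"
rm -rf "$demo_dir"
```
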

QuickSSL References

  1. QuickSSL Homepage
  2. QuickSSL Knowledgebase - search for tomcat installation.