Difference between revisions of "4.x Commercial Certificates Guide"


Revision as of 19:00, 12 April 2006

Commercial SSL Cert Install Procedure

To generate a CSR for tomcat:

su - zimbra
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore

Use "zimbra" for the keystore password, and the name of your host for the first/last name. The session will look like this:

  keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore
  Enter keystore password:  zimbra
  What is your first and last name?
    [Unknown]:  myhost.domain.com
  What is the name of your organizational unit?
    [Unknown]:  Company
  What is the name of your organization?
    [Unknown]:  Company
  What is the name of your City or Locality?
    [Unknown]:  Here
  What is the name of your State or Province?
    [Unknown]:  California
  What is the two-letter country code for this unit?
    [Unknown]:  US
  Is CN=myhost.domain.com, OU=Company, O=Company, L=Here, ST=California, C=US correct?
    [no]:  y
  Enter key password for <tomcat>
         (RETURN if same as keystore password):  

This (all one line) will prompt for the password ("zimbra"):

keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore

This gets you this file:

cat /opt/zimbra/ssl/ssl/commercial.csr

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBsTCCARoCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAcT
BEhlcmUxEDAOBgNVBAoTB0NvbXBhbnkxEDAOBgNVBAsTB0NvbXBhbnkxGjAYBgNVBAMTEW15aG9z
dC5kb21haW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGFzdhsPg/h5qtpkd9F4wB
IIiajDCLEgfbbwUgBaCb8XiZ6KQEb7cJXrqBqNtJsEPghtLsV52YDmHcNruKWEFRPJdJBM8gHR7p
cFHjYcKJyCa77yhBILqg3iNenRTJNIUXVYzwuBJsa2QWbp8dDbRU5aEn3seFGY/FkeA44KA9UwID
AQABoAAwDQYJKoZIhvcNAQEEBQADgYEAb/nHJZxNpJsP6b2PHVubljRKyxyHDbAopvMLHAgkRxH8
OWOgG/yRJ5Q28csCDAQc/5+Rp/Fn0YDxyqgiAHqQRwCz4QcUSgLSGRijsjNzWhGtQhUzNS1qCgPK
FjfnosOkkGmm51RrPcHCLcjBjhWn4oHZ93NUoTW1hdl6ERc6a6c=
-----END NEW CERTIFICATE REQUEST-----

To turn that into a certificate, you'll need to paste it into the web form of your favorite certificate vendor (verisign.com, godaddy, etc.) and they'll take some money from you and return a certificate.
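Before pasting a CSR into a vendor's form it is worth confirming what it actually asks for: a request whose CN is not the host name users connect to yields a certificate browsers will reject, and a key that is too small is rejected by public CAs outright. The following script is an added example, not code from the wiki page or from Zimbra. It walks the DER structure of a PKCS#10 request with only the Python standard library and reports the subject and RSA key size; SAMPLE_CSR is a copy of the request shown above, and the 2048-bit minimum is an assumption about current CA policy, not a value from the page.

```python
"""Inspect a keytool-generated CSR before sending it to a commercial CA.

Added example (not part of the original wiki page): a minimal DER walker that
pulls the subject and RSA key size out of a PKCS#10 request using only the
Python standard library.
"""
import base64
import re

# Copy of the CSR shown on the wiki page (generated for myhost.domain.com).
SAMPLE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBsTCCARoCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDTALBgNVBAcT
BEhlcmUxEDAOBgNVBAoTB0NvbXBhbnkxEDAOBgNVBAsTB0NvbXBhbnkxGjAYBgNVBAMTEW15aG9z
dC5kb21haW4uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGFzdhsPg/h5qtpkd9F4wB
IIiajDCLEgfbbwUgBaCb8XiZ6KQEb7cJXrqBqNtJsEPghtLsV52YDmHcNruKWEFRPJdJBM8gHR7p
cFHjYcKJyCa77yhBILqg3iNenRTJNIUXVYzwuBJsa2QWbp8dDbRU5aEn3seFGY/FkeA44KA9UwID
AQABoAAwDQYJKoZIhvcNAQEEBQADgYEAb/nHJZxNpJsP6b2PHVubljRKyxyHDbAopvMLHAgkRxH8
OWOgG/yRJ5Q28csCDAQc/5+Rp/Fn0YDxyqgiAHqQRwCz4QcUSgLSGRijsjNzWhGtQhUzNS1qCgPK
FjfnosOkkGmm51RrPcHCLcjBjhWn4oHZ93NUoTW1hdl6ERc6a6c=
-----END NEW CERTIFICATE REQUEST-----
"""

ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
              "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
MIN_RSA_BITS = 2048  # assumption: the smallest RSA key public CAs accept today


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(der, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER into dotted form (e.g. 2.5.4.3)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_csr(pem):
    """Return {'subject': {...}, 'rsa_bits': int} for a PKCS#10 request."""
    der = pem_to_der(pem)
    _, info_pos, _ = read_tlv(der, 0)              # CertificationRequest
    _, pos, _ = read_tlv(der, info_pos)            # CertificationRequestInfo
    _, _, pos = read_tlv(der, pos)                 # version INTEGER, skipped
    _, pos, subject_end = read_tlv(der, pos)       # subject Name (SEQUENCE of SET)
    subject = {}
    while pos < subject_end:
        _, set_pos, pos = read_tlv(der, pos)       # RelativeDistinguishedName SET
        _, seq_pos, _ = read_tlv(der, set_pos)     # AttributeTypeAndValue SEQUENCE
        _, oid_start, oid_end = read_tlv(der, seq_pos)
        _, val_start, val_end = read_tlv(der, oid_end)
        oid = decode_oid(der[oid_start:oid_end])
        subject[ATTR_NAMES.get(oid, oid)] = der[val_start:val_end].decode("latin-1")
    _, spki_pos, _ = read_tlv(der, subject_end)    # SubjectPublicKeyInfo
    _, _, bits_pos = read_tlv(der, spki_pos)       # AlgorithmIdentifier, skipped
    _, bits_start, _ = read_tlv(der, bits_pos)     # BIT STRING wrapping RSAPublicKey
    _, rsa_pos, _ = read_tlv(der, bits_start + 1)  # +1 skips the unused-bits byte
    _, mod_start, mod_end = read_tlv(der, rsa_pos)  # modulus INTEGER
    modulus = int.from_bytes(der[mod_start:mod_end], "big")
    return {"subject": subject, "rsa_bits": modulus.bit_length()}


def check_csr(pem, expected_host):
    """Return a list of problems to fix before submitting the CSR (empty = OK)."""
    info = parse_csr(pem)
    problems = []
    cn = info["subject"].get("CN")
    if cn != expected_host:
        problems.append(f"CN is {cn!r}, expected {expected_host!r}")
    if info["rsa_bits"] < MIN_RSA_BITS:
        problems.append(f"RSA key is {info['rsa_bits']} bits, below {MIN_RSA_BITS}")
    return problems


if __name__ == "__main__":
    print(parse_csr(SAMPLE_CSR))
    for problem in check_csr(SAMPLE_CSR, "myhost.domain.com"):
        print("WARNING:", problem)
```

Run against the page's own CSR, the subject comes back as CN=myhost.domain.com, OU=Company, O=Company, L=Here, ST=California, C=US, matching the keytool dialogue, but the key is reported as 1024 bits: keytool of that era defaulted to a 1024-bit RSA key when -keysize was not given, so add -keysize 2048 (or larger) to the -genkey command if you want a request a current CA will sign.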

The vendor returns the cert in a file (foo.crt in this example); to install it, run:

keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file foo.crt -storepass zimbra

Once that's done, copy /opt/zimbra/ssl/ssl/commercial.keystore to /opt/zimbra/tomcat/conf/keystore and restart tomcat.


Unverified Commercial SSL Cert Install Procedure

Jetty

Download the Jetty package, as it contains a useful class that can convert PKCS12 format certificates to JKS format certificates.

Delete Existing Certs

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

Add the CA certificate

keytool -import -keystore /path/to/keystore -trustcacerts -file /path/to/cacert.cer

Commercial SSL Certificates for Tomcat / Java

If you receive your certificates in the more or less standard PEM format, you need to do the following:

Convert your certificate and key files to a combined PKCS12 format certificate:

openssl pkcs12 -inkey /path/to/file.key -in /path/to/file.crt -export -out file.pkcs12

Convert the PKCS12 certificate to a Java Keystore format (JKS):

java -classpath $JETTY_HOME/lib/org.mortbay.jetty.jar org.mortbay.util.PKCS12Import file.pkcs12 keystore

Note: make sure to set the keystore password to whatever Zimbra expects (usually "zimbra").

Clone the new keystore certificate stored under the alias "1" to the alias "tomcat":

keytool -keystore keystore -keyclone -alias 1 -dest tomcat

Delete the certificate stored under the "1" alias:

keytool -delete -alias 1 -keystore keystore

Commercial SSL Certificates for Postfix

If you receive your certificates in the more or less standard PEM format, you need to do the following:

Decrypt the certificate key:

openssl rsa -in file.key -out file.key.decrypted

Move the cert and decrypted key into place:

mv file.crt /opt/zimbra/conf/smtpd.crt
mv file.key.decrypted /opt/zimbra/conf/smtpd.key
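Postfix cannot prompt for a passphrase at startup, which is why the key is decrypted above; the trade-off is that smtpd.key now sits on disk in the clear and is protected by file permissions alone. The script below is an added example, not code from the wiki page or from Zimbra: it checks that a key file is really a PEM private key, that it is no longer passphrase-protected, and that its mode and owner are restrictive. The expected owner ("zimbra") and mode (0600) are assumptions, and the sample PEM texts are constructed header-only stand-ins with no real key material.

```python
"""Audit a Postfix TLS key file after it has been decrypted and moved into place.

Added example, not part of the original wiki page.
"""
import os
import pwd
import stat

EXPECTED_MODE = 0o600      # assumption: only the owning user may read the key
EXPECTED_OWNER = "zimbra"  # assumption: the account Zimbra's postfix runs as

# Constructed sample texts: only the header lines matter for these checks.
ENCRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(constructed placeholder body, no real key material)
-----END RSA PRIVATE KEY-----
"""
DECRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder body, no real key material)
-----END RSA PRIVATE KEY-----
"""


def key_is_encrypted(pem_text):
    """True if the PEM still carries a passphrase (Postfix cannot load it)."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)


def audit_key(pem_text, mode, owner):
    """Return a list of problems with a key's contents and permissions (empty = OK)."""
    problems = []
    if "PRIVATE KEY-----" not in pem_text:
        problems.append("file does not look like a PEM private key")
    if key_is_encrypted(pem_text):
        problems.append("key is still passphrase-protected; decrypt it with openssl rsa")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):   # any group/other bit set
        problems.append(f"mode {oct(mode)} grants group/other access; expected {oct(EXPECTED_MODE)}")
    if owner != EXPECTED_OWNER:
        problems.append(f"owned by {owner!r}, expected {EXPECTED_OWNER!r}")
    return problems


def audit_key_file(path):
    """Read a key file from disk and audit its contents, mode and owner."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    with open(path) as f:
        return audit_key(f.read(), stat.S_IMODE(st.st_mode), owner)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/zimbra/conf/smtpd.key"
    for problem in audit_key_file(path):
        print("WARNING:", problem)
```

Run it as `python3 audit_key.py /opt/zimbra/conf/smtpd.key` after the mv step; if it reports group/other access, tighten the file with chmod 600 before restarting postfix.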

QuickSSL References

  1. QuickSSL Homepage
  2. QuickSSL Knowledgebase - search for tomcat installation.