4.x Commercial Certificates Guide

Revision as of 03:26, 21 October 2007 by Bwlang (added 5.0 changes)

General Commercial SSL Certificate Procedure (Please read and understand this first)

Using a pre-existing certificate from another server

If you already have an "apache style" PEM or DER format certificate for this server hostname and want to re-use it, the relevant forum thread has been condensed into the PEM Format Commercial SSL Cert Install Procedure section below.

1. Generate a CSR for tomcat

A. Create a commercial keystore

Note: Make sure you create a new file; if there is already a commercial.keystore, rename it or use a different name for these steps.

su - zimbra
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore

Use "zimbra" for the keystore password, and the hostname of your server for the first/last name. Note: In versions of ZCS up to and including 4.5.6, you must use "zimbra" for the keystore password; starting with ZCS 4.5.7, this will be configurable through the zmlocalconfig parameter tomcat_keystore_password. If your organization is Acme Co in San Francisco CA, with the zimbra mail server mailhost.domain.com, the process will look like this:

  zimbra@mailhost$ keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore
  Enter keystore password:  zimbra
  What is your first and last name?
    [Unknown]:  mailhost.domain.com
  What is the name of your organizational unit?
    [Unknown]:  Acme Co
  What is the name of your organization?
    [Unknown]:  Acme Co
  What is the name of your City or Locality?
    [Unknown]:  San Francisco
  What is the name of your State or Province?
    [Unknown]:  California
  What is the two-letter country code for this unit?
    [Unknown]: US
  Is CN=mailhost.domain.com, OU=Acme Co, O=Acme Co, L=San Francisco, ST=CA, C=US correct?
    [no]:  y
  Enter key password for <tomcat>
         (RETURN if same as keystore password):

B. Create the certificate request file

Remember the password is "zimbra"; this should all be on one line:

keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore

The result is in the file commercial.csr:

cat /opt/zimbra/ssl/ssl/commercial.csr

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

2. Acquire and install the certificate

Note: You may want to save your existing certs; see the "Back up existing certificates" section of the Cert Issues page.

A. Submit the CSR to the certificate authority of choice

To turn that into a certificate, you'll need to paste it into the web form of your favorite certificate vendor (verisign.com, godaddy, etc.) and they'll take some money from you and return a certificate as a file we'll call my.crt.

B. Import the cert into the commercial keystore

Note: Make sure to make a copy of the "commercial.keystore" after generating the CSR. If you end up damaging this file without backing it up, it will be necessary to submit a new CSR to the Certificate Authority.

keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file my.crt -storepass zimbra

Note: If this returns the error "keytool error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data", you may need to convert the certificate from PEM encoding to DER encoding. Keep in mind that the default encoding for OpenSSL is PEM (i.e. an OpenSSL-produced signed cert will produce the error above on import).

If the signed certificate is successfully installed, the command will return "Certificate reply was installed in keystore".

C. Copy the commercial keystore over the zimbra tomcat keystore

Note: This will overwrite the keystore currently in place.

cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore
tomcat restart

Voila! The commercial cert is now installed for tomcat.

D. Extract the private key for use with postfix, perdition, ldap

The certificate install process so far only applies to the Zimbra services handled by tomcat (https, ssl pop, ssl imap). In order to use the certificate for the other Zimbra network services (postfix/smtp, imapproxy, etc.), you'll need to follow the steps below. There are four steps: 1. Export the private key from the keystore, 2. Decrypt the private key, 3. Append any intermediate certs, 4. Copy the certificate and key files into place. Those with a Zimbra Support contract may contact support to handle steps 1 and 2.

1. Export the private key from /opt/zimbra/ssl/ssl/commercial.keystore (this can be a bit complicated). More complete instructions are at Mark Foster's page; here is an abbreviated version that will work on most UN*Xes:

wget http://mark.foster.cc/pub/java/ExportPriv.java
javac ExportPriv.java
java ExportPriv /opt/zimbra/ssl/ssl/commercial.keystore tomcat zimbra > my.key

2. Decrypt the private key.

openssl rsa -in my.key -out my.key.dec

3. Append any intermediate certificates to the certificate file.

If you have a certificate that requires an intermediate certificate or certificates, append the intermediate certificate(s) to the end of my.crt. Otherwise the certificate chain will be incomplete. You may need to download these certs from the CA; GoDaddy, for example, sends two intermediate crt's in a zip file (gd_cross_intermediate.crt and gd_intermediate.crt). If you have two intermediate certificates ca_int1.crt and ca_int2.crt from the CA, add them to the cert as follows.

keytool -export -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -file exported.crt

openssl x509 -out exported-pem.crt -outform pem -text -in exported.crt -inform der

cat exported-pem.crt ca_int1.crt ca_int2.crt >> my.crt

4. Install your key and crt for other apps.

cp my.crt /opt/zimbra/conf
cp my.key.dec /opt/zimbra/conf/my.key
cd /opt/zimbra/conf
chmod 444 my.crt
chmod 400 my.key
chown zimbra:zimbra my.crt
chown zimbra:zimbra my.key
ln -s my.crt smtpd.crt
ln -s my.key smtpd.key
ln -s my.crt slapd.crt
ln -s my.key slapd.key
ln -s my.crt perdition.pem
ln -s my.key perdition.key

Note: You'll need to restart any services that use the certificates in order for the new certificate to be used.
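The concatenation in step 3 is easy to get wrong (a leaf appended twice, an intermediate left out or out of order), and neither cat nor the services will complain until a client fails to build the chain. The following checker is an added example and not part of this wiki page: it walks the CERTIFICATE blocks of a file such as my.crt or smtpd.crt with a small stdlib-only DER reader and reports duplicate and unlinked certificates; the sample chain it ships with is constructed inside the script and is not a real certificate.

```python
"""Check a concatenated PEM chain file such as /opt/zimbra/conf/my.crt for a
duplicated leaf, a broken issuer link or a wrong order, using a minimal DER
reader (stdlib only).  The sample chain at the bottom is constructed, not real."""
import base64
import re

# Non-PEM text between blocks (e.g. the dump from `openssl x509 -text`) is skipped.
_PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
_CN_OID = b"\x06\x03\x55\x04\x03"  # OBJECT IDENTIFIER 2.5.4.3, commonName

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split a constructed DER body into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        out.append((tag, value))
    return out

def _cn(name_der):
    """commonName inside a DER Name body, or '?' when there is none."""
    i = name_der.find(_CN_OID)
    if i < 0:
        return "?"
    return _tlv(name_der, i + len(_CN_OID))[1].decode("utf-8", "replace")

def cert_names(der):
    """Return (subject, issuer) of an X.509 cert as raw DER Name bodies."""
    fields = _children(_tlv(_tlv(der)[1])[1])  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo
    return fields[4][1], fields[2][1]

def check_chain(pem_text):
    """Return (chain, findings): chain is [(subject CN, issuer CN), ...] in
    file order; findings is empty when the file is leaf-first and linked."""
    certs = [base64.b64decode(b) for label, b in _PEM.findall(pem_text)
             if label == "CERTIFICATE"]
    if not certs:
        return [], ["no CERTIFICATE block found"]
    names = [cert_names(c) for c in certs]
    findings = []
    if len(set(certs)) != len(certs):
        findings.append("duplicate certificate (leaf appended twice?)")
    for i in range(len(certs) - 1):
        # RFC 5280: issuer must equal the issuing cert's subject byte for byte
        if names[i][1] != names[i + 1][0] and certs[i] != certs[i + 1]:
            findings.append("cert %d (CN=%s) is issued by CN=%s, but cert %d is CN=%s"
                            % (i, _cn(names[i][0]), _cn(names[i][1]),
                               i + 1, _cn(names[i + 1][0])))
    return [(_cn(s), _cn(i)) for s, i in names], findings

# --- constructed sample input (not real certificates) ---------------------
def _der(tag, body):  # short-form DER TLV; bodies here stay well under 128 bytes
    return bytes([tag, len(body)]) + body

def fake_cert_pem(subject_cn, issuer_cn):
    """Unsigned stand-in with the field layout cert_names() walks."""
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _CN_OID + _der(0x0C, cn.encode()))))
    tbs = (_der(0x02, b"\x01") + _der(0x30, b"") + name(issuer_cn)
           + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % (
        base64.encodebytes(cert).decode())

LEAF = fake_cert_pem("mailhost.domain.com", "Example Intermediate 1")
INT1 = fake_cert_pem("Example Intermediate 1", "Example Intermediate 2")
INT2 = fake_cert_pem("Example Intermediate 2", "Example Root")
# Leaf twice: what `cat exported-pem.crt ca_int1.crt ca_int2.crt >> my.crt` yields
# when my.crt already held the signed leaf certificate.
SAMPLE_BAD = LEAF + LEAF + INT1 + INT2
SAMPLE_GOOD = LEAF + INT1 + INT2
```

Run check_chain(open("/opt/zimbra/conf/my.crt").read()) after step 4 and expect an empty findings list; the chain it returns should read leaf first, each issuer naming the next subject.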


CACert SSL Certificate Procedure

For those who would like to use a CACert-signed certificate for their Zimbra.

Add CACert's Root CA certificates

Remove the self-signed CA.

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

Download CACert's Root CAs from Class 1 PKI Key and Class 3 PKI Key and save them to a file.

Import these two CAs into Java.

keytool -import -alias cacertclass1ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -trustcacerts -file root.crt
keytool -import -alias cacertclass3ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -trustcacerts -file class3.crt

Generate a CSR for tomcat

Same as step 1, Generate a CSR for tomcat, in the general procedure above.

Submit the CSR to CACert certificate authority

  • Login to CACert.
  • Select "Server Certificates" or "Org Server Certs" New
  • Paste the content of your /opt/zimbra/ssl/ssl/commercial.csr and Submit it.
  • Copy the content between the begin and end marker (including them)
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

into a file my.crt.

Install your new CRT

Note: You may want to save your existing certs; see the "Back up existing certificates" section of the Cert Issues page.

Import the new CRT

Import the new CRT into the commercial keystore.

keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file my.crt -storepass zimbra

Copy it into tomcat.

cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore

The same applies if you are renewing a CACert certificate (and probably any certificate): just import it. DO NOT DELETE the old one from the keystore, as that also deletes the root CA reference. By just importing the renewed certificate, the root CA in the chain is preserved. To see the certificates in your chain, run:

keytool -list -v -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

You can use the same CRT for other services.

See step 2D of the general certificate process.


PEM Format Commercial SSL Cert Install Procedure

Jetty

Download the Jetty package, as it contains a useful class that can convert PKCS12 format certificates to JKS format certificates. Version 5.1.x of Jetty is recommended.

Delete Existing Certs

Delete the self-generated CA from Java's list of trusted CA certs:

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

For 4.x, delete the private key for tomcat:

keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

For 5.0rc1, delete jetty's private key. You'll have to look up the keystore's password first:

zmlocalconfig -s mailboxd_keystore_password
keytool -delete -alias jetty -keystore /opt/zimbra/jetty/etc/keystore -storepass YOURPASSHERE

Add the CA certificate to java's list of trusted certs

keytool -import -alias YOUR_CA_NAME -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /PATH/TO/YOUR/CACERT

Commercial SSL Certificates for Tomcat / Java

If you receive your certificates in the more or less standard PEM format, you need to do the following:

Convert your certificate and key files to a combined PKCS12 format certificate:

openssl pkcs12 -inkey /path/to/file.key -in /path/to/file.crt -export -out file.pkcs12

When prompted for an export password, use zimbra.

Convert the PKCS12 certificate to a Java Keystore format (JKS):

For 4.x (you'll have to find a copy of Jetty somewhere or do this conversion some other way):

java -classpath $JETTY_HOME/lib/org.mortbay.jetty.jar org.mortbay.util.PKCS12Import file.pkcs12 keystore

Note: make sure to set the keystore password to whatever Zimbra expects ("zimbra").

For 5.0rc1, Jetty is already installed:

java -cp /opt/zimbra/jetty/lib/jetty-6.1.5.jar org.mortbay.jetty.security.PKCS12Import yourfile.pkcs12 keystore

Note: set the password to the value you looked up above.


Identify the alias that was imported (it may be "1" or something else, depending on how the pkcs12 file was made):

keytool -keystore keystore -list 

Clone the new keystore entry stored under youralias to the alias Zimbra expects ("tomcat" for 4.x, "jetty" for 5.0rc1):

For 4.x:

keytool -keystore keystore -keyclone -alias youralias -dest tomcat

For 5.0rc1:

keytool -keystore keystore -keyclone -alias youralias -dest jetty

Keep the password you selected above.

Delete the certificate stored under youralias:

keytool -delete -alias youralias -keystore keystore


Alternative: use the source code below (AddCertToKeystore.java) to create a keystore directly without having to download Jetty. This only works for 4.x.

- Tip: when creating file.pkcs12, set "zimbra" as the password; the program below expects it.

- First, compile the source code below (AddCertToKeystore.java) by executing:

export CLASSPATH=/opt/zimbra/java/lib/tools.jar:.
/opt/zimbra/java/bin/javac AddCertToKeystore.java

- Second, run the newly created .class file to generate the new keystore (called keystore-new here), passing the PKCS12 file you created and the output file name:

/opt/zimbra/java/bin/java AddCertToKeystore file.pkcs12 keystore-new

- Copy the new keystore-new to /opt/zimbra/tomcat/conf/keystore. Back up your old keystore first.

- Restart tomcat.

Source code for AddCertToKeystore.java

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;

class AddCertToKeystore {
    // Zimbra 4.x expects "zimbra" for the keystore, key and PKCS12 export password
    private static final char[] PASSWORD = "zimbra".toCharArray();

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("Usage: AddCertToKeystore <pkcs12_file> <keystore_file>");
            System.exit(1);
        }
        String pkcs12_file = args[0];
        String keystore_file = args[1];

        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

        // Load the PKCS12 (.pfx/.pkcs12) file containing certificate + private key
        KeyStore temp = KeyStore.getInstance("PKCS12", "SunJSSE");
        FileInputStream in = new FileInputStream(pkcs12_file);
        try {
            temp.load(in, PASSWORD);
        } finally {
            in.close();
        }

        // Create a new, empty JKS keystore
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, PASSWORD);

        // Find the alias of the entry in the PKCS12 file (openssl usually names it "1")
        Enumeration<String> aliasNames = temp.aliases();
        if (!aliasNames.hasMoreElements()) {
            System.err.println("No entries found in " + pkcs12_file);
            System.exit(1);
        }
        String alias = aliasNames.nextElement();

        // Get the certificate chain and the private key from the PKCS12 entry
        Certificate[] chain = temp.getCertificateChain(alias);
        Key key = temp.getKey(alias, PASSWORD);

        // Store the private key + certificate chain under the alias tomcat expects
        keyStore.setKeyEntry("tomcat", key, PASSWORD, chain);

        // Write the new keystore to disk
        FileOutputStream out = new FileOutputStream(keystore_file);
        try {
            keyStore.store(out, PASSWORD);
        } finally {
            out.close();
        }
    }
}

Commercial SSL Certificates for Postfix

If you receive your certificates in the more or less standard PEM format, you need to do the following:

Decrypt the certificate key:

openssl rsa -in file.key -out file.key.decrypted

Move the cert and decrypted key into place:

mv file.crt /opt/zimbra/conf/smtpd.crt
mv file.key.decrypted /opt/zimbra/conf/smtpd.key

Extracting a .key from your jks Keystore

If you followed any of the instructions which involve using the jks keystore (e.g. the GeoTrust Instructions), you will only have a .pem/.crt file and no .key file to use with postfix (or anything else that requires the pair of files). There is no builtin way to extract the .key from the keystore, but there is still a way to do it.
There are simplified instructions for doing this here, and more detailed ones for this and other scenarios here. Additionally, I created a forum post with the source code of the java program, duplicate instructions, and the java program attached, in case the other sites go down.
The forum post is here: Exporting private key from keystore for use with Postfix/Apache.
Summary (from the first link):

Here is a summary of the steps needed to export a private key. Download ExportPrivateKey.zip (original link / mirror in Zimbra forums).

WARNING: These commands result in files being output. Do not accidentally overwrite an existing file you need. Please make sure you name the output files accordingly.

Invoke:

java -jar ExportPrivateKey.zip {keystore_path} JKS {keystore_password} {alias} {target_file}

This exports the key in PKCS #8 PEM format. Now run openssl to convert it to the format Apache mod_ssl expects:

openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key

How we used it to get Postfix working:

# Export the tomcat key (from the tomcat csr request) in pkcs8 format
java -jar ExportPrivateKey.zip /opt/zimbra/tomcat/conf/keystore JKS zimbra tomcat /opt/zimbra/ssl/ssl/server/tomcat-pkcs8.key
# Convert the pkcs8 formatted key to a non binary one
openssl pkcs8 -inform PEM -nocrypt -in /opt/zimbra/ssl/ssl/server/tomcat-pkcs8.key -out /opt/zimbra/ssl/ssl/server/tomcat.key
# Copy the tomcat.key and tomcat.pem to overwrite the default self signed smtpd ones
cp /opt/zimbra/ssl/ssl/server/tomcat.key /opt/zimbra/conf/smtpd.key
cp /opt/zimbra/ssl/ssl/server/tomcat.pem /opt/zimbra/conf/smtpd.crt
# Restart Zimbra (or just Postfix if you choose)
su zimbra
zmcontrol stop
zmcontrol start

For additional information and ways of testing whether it was successful or not please visit the forum post (Exporting private key from keystore for use with Postfix/Apache).

QuickSSL References

  1. QuickSSL Homepage
  2. QuickSSL Knowledgebase - search for tomcat installation.

GoDaddy Instructions

(You will be prompted for passwords. Use zimbra for all passwords)

1. Create keystore:

su - zimbra

keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore

2. Create CSR (you are creating the commercial.csr file):

keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore

Note: when it asks you for your first and last name use the common name of your server. For example, if you will ultimately use zimbra.company.com as the URL then that is your common name.

3. Open the contents of the commercial.csr file and copy and paste into GoDaddy's CSR submission form.

4. Receive digital cert from GoDaddy as a zip file. Unzip and copy the cert and intermediate cert to a directory on the server. For simplicity, complete the commands below from that directory.

5. Import intermediate and root certs from GoDaddy. The intermediate cert is included in the zip file. The root cert is not. Download the root cert for GoDaddy from: https://certificates.starfieldtech.com/Repository.go

To import the root cert:

keytool -import -alias root -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file valicert_class2_root.crt

Note: As of 4/2/2007, using RHEL 4 with all updates, the root cert was not needed.

Update: 4/2/2007 - Go to this page: https://certificates.godaddy.com/Repository.go Download the gd_cross_intermediate.crt. You should have received gd_intermediate.crt as part of the zip file from GoDaddy. You will need the cross and the intermediate certificates in order to create the "chain".

To import the intermediate cert:

keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_intermediate.crt

To import the cross cert:

keytool -import -alias cross -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_cross_intermediate.crt

6. Import digital cert into keystore:

keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file [FileNameofCert] -storepass zimbra

7. Copy the keystore to zimbra Tomcat keystore:

cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore

8. Tomcat restart

9. To turn on HTTPS you must use zmtlsctl https to allow http and https logins, OR zmtlsctl mixed to force https logins while all other traffic stays http.

10. To use your certificate for other services, follow the instructions above under "You can use the same CRT for other services".

GeoTrust Instructions

For all those having difficulties with the instructions at the top of this page maybe this will help. This was done for Zimbra 4.5 using some of the included scripts for certificate handling.

1. ***Backup Your Keystore***

    sudo -u zimbra cp /opt/zimbra/tomcat/conf/keystore /opt/zimbra/tomcat/conf/keystore.bak

2. su zimbra

3. Create a new file or a copy of bin/zmcreatecert containing this script (personalize the bits between *** to match your settings):

#!/bin/bash
source /opt/zimbra/bin/zmshutil || exit 1
zmsetvars

CONF=/opt/zimbra/conf
TCONF=/opt/zimbra/tomcat/conf
B=/opt/zimbra/ssl
BASE=${B}/ssl

JAVA_HOME=${zimbra_java_home}
if [ -f "${JAVA_HOME}/lib/security/cacerts" ]; then
        CACERTS=${JAVA_HOME}/lib/security/cacerts
else
        CACERTS=${JAVA_HOME}/jre/lib/security/cacerts
fi


TOMCAT=/opt/zimbra/tomcat/conf

rm -rf ${BASE}/newCA
mkdir -p ${BASE}/ca
mkdir -p ${BASE}/newCA/newcerts
touch ${BASE}/newCA/index.txt
mkdir -p ${BASE}/cert
mkdir -p ${BASE}/server

mkdir -p ${TCONF}

hostname="***Set this to your full domain name mail.domain.com***"

if [ "x$1" != "x" ]; then
        hostname=$1
        shift;
fi

createConf() {
        ALTNAMES=""
        for alt in "$@"; do
                if [ "x$ALTNAMES" = "x" ]; then
                        ALTNAMES="subjectAltName = DNS:${hostname},DNS:${alt}"
                else
                        ALTNAMES="${ALTNAMES},DNS:${alt}"
                fi
        done
        cat ${CONF}/zmssl.cnf.in | sed -e "s/@@HOSTNAME@@/$hostname/" \
                -e "s/@@ALTNAMES@@/$ALTNAMES/" > ${BASE}/zmssl.cnf
}


createKeyStore() {

        echo "** Creating keystore"
        echo

        rm -f ${TCONF}/keystore

        keytool -validity 730 -genkey -dname "CN=$hostname, OU=**Set to Your Org Unit***, O=***Set to Your Company***, L=**Set to Your City***, S=***Set to Your State***, C=US" \
                -alias tomcat -keyalg RSA -keysize 1024 -keystore ${TCONF}/keystore \
                -storetype JKS -storepass zimbra -keypass zimbra

}

createCertReq() {

        echo "** Creating server cert request"
        echo

        openssl req -new -nodes -out ${BASE}/server/server.csr \
                -keyout ${BASE}/server/server.key -newkey rsa:1024 \
                -config ${BASE}/zmssl.cnf -batch

        keytool -certreq -keyalg RSA -alias tomcat -file \
                ${BASE}/server/tomcat.csr -keystore \
                ${TCONF}/keystore -storepass zimbra

        cp ${BASE}/server/tomcat.csr /tmp/tomcat.csr.$$
        cat /tmp/tomcat.csr.$$ | sed -e \
                's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' \
                > ${BASE}/server/tomcat.csr

}

signCertReq() { 
        echo "** Signing cert request"
        echo

        openssl ca -out ${BASE}/server/server.crt -notext \
                -config ${BASE}/zmssl.cnf -in ${BASE}/server/server.csr \
                -keyfile ${BASE}/ca/ca.key -cert ${BASE}/ca/ca.pem -batch

        cp ${BASE}/server/server.crt ${CONF}/slapd.crt
        cp ${BASE}/server/server.key ${CONF}/slapd.key
        cp ${BASE}/server/server.crt ${CONF}/perdition.pem
        cp ${BASE}/server/server.key ${CONF}/perdition.key
        mkdir -p ${CONF}/ca
        cp ${BASE}/ca/ca.key ${CONF}/ca/ca.key
        cp ${BASE}/ca/ca.pem ${CONF}/ca/ca.pem
}

createConf $@

createKeyStore

createCertReq

signCertReq

chmod -R 700 ${B}

4. Run this newly created script

Essentially this script will generate and sign a new certificate for slapd and perdition and also generate a signing request for tomcat. The signing request for tomcat will be in /opt/zimbra/ssl/ssl/server/tomcat.csr. Take the contents of the csr and submit them to your certificate authority (GeoTrust in this case). You will then receive a certificate by email.

5. Take the certificate from the authority and paste it into /opt/zimbra/ssl/ssl/server/tomcat.pem

6. Run the command:

openssl x509 -in tomcat.pem -inform PEM -outform DER -out tomcat.crt

This will convert the certificate into binary DER format which keytool likes.

You will also need to download the root CA from GeoTrust; this can be found at

    www.geotrust.com/resources/root_certificates/index.asp
      - for a TrueBusinessID certificate, download the Equifax Secure Certificate Authority file that is in DER encoded X.509 format
      - for a QuickSSL certificate, download the Equifax Secure Global eBusiness CA-1 file that is in DER encoded X.509 format

7. Put whichever file you needed in /opt/zimbra/ssl/ssl/geotrust.crt

8. Run the following command as root (if this says the chain already exists, don't overwrite the existing one, and skip to the next step):

keytool -import -alias geotrustca -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/geotrust.crt -storepass changeit

9. Run the following command as root:

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

10. Run the following command as zimbra:

keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt -storepass zimbra

11. Run the following command as zimbra (or restart zimbra with zmcontrol stop && zmcontrol start):

/opt/zimbra/bin/tomcat restart

12. If all went as planned you should now be able to access https://your.mailsite.com

13. If you receive "page cannot be displayed", copy /opt/zimbra/tomcat/conf/keystore.bak to /opt/zimbra/tomcat/conf/keystore and restart tomcat again.

14. If you did break tomcat and did not back up the keystore as in step 1, it is possible to get up and running again by doing the following.

         - su zimbra
         - /opt/zimbra/bin/zmcreateca
         - /opt/zimbra/bin/zmcreatecert
         - /opt/zimbra/bin/zmcertinstall

15. Test bin/zmprov to make sure it works without giving an untrusted certificate error. If it doesn't, run the following as root (when prompted for a password use changeit):

      /opt/zimbra/java/bin/keytool -import -alias tomcat -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt
Note: All the scripts above were taken directly from the bin/zmcreatecert and bin/zmcertinstall scripts with a little modification.

Mac OSX Note

In order for any changes on this page to go into the appropriate cacerts keystore, the following two paths must be exchanged when adding the cert to the Java trusted certs:

Linux standard (from doc): /opt/zimbra/java/jre/lib/security/cacerts

OS X location: /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts

For example, the command to add a GoDaddy root cert from Valicert to the cacerts keystore would look like:

keytool -import -alias tomcat -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -trustcacerts -file /opt/zimbra/ssl/<your ssl root_keys path>/valicert_class2_root.crt -storepass changeit

Relevant Documents

  1. Apache Jakarta Tomcat documentation