Difference between revisions of "5.x Commercial Certificates Guide"

(Thawte SSL Certificate (SSL123 format): Created new article from this content, removed content from this article)
(Certificate Upgrade Issues: Creating new article from this content, removing this content from article)
Line 32: Line 32:
 
  (b) zmcontrol stop ; zmcontrol start
 
  (b) zmcontrol stop ; zmcontrol start
  
=Certificate Upgrade Issues=
 
If you are upgrading from 4.5x to 5.0.x and the cert failed to upgrade successfully, you need to re-install the cert.  You will need these pieces:
 
  
#The private key. This can be extracted from the Tomcat keystore.  Zimbra Support can help with this process if you send the Tomcat keystore.
 
#The server certificate
 
#The chain cert files
 
 
With these pieces in hand, we can use the zmcertmgr to install the certificate as explained in [[#Importing commercial certificates from other mail systems to Zimbra 5.x]].
 
 
Check to make sure that only the jetty alias exists in the keystore.
 
 
keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass  `zmlocalconfig -s -m nokey mailboxd_keystore_password`
 
 
Delete the tomcat alias, if exists, with the following command.
 
 
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
 
  
 
=Importing commercial certificates from other mail systems to Zimbra 5.x=
 
=Importing commercial certificates from other mail systems to Zimbra 5.x=
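
Review bot: the section removed after the `zmcontrol stop ; zmcontrol start` line was the only place on this page that told 4.5x upgraders to check the keystore for a leftover tomcat alias and delete it, and nothing visible in the revised page points to the article that now holds it, apart from the general Category:Troubleshooting Certificates link. Add a one-line pointer to the new article, for example under Troubleshooting, so readers with a failed certificate upgrade can still find the re-install steps.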

Revision as of 23:45, 17 September 2008

General Overview

Installing a commercial certificate in ZCS version 5.0.0_GA and above is a straightforward process. The following is an overview of the steps you will take to install a commercial certificate.

  1. Generate a CSR via the Administration Console>Certificates or via the zmcertmgr command line utility.
  2. Receive the signed certificate.
  3. Receive the chain_certificates (if applicable).
  4. Install the certificate.

TOOLS

Administration Console>Certificates

This is the preferred method for installing commercial certificates. You simply start the Wizard and upload all the cert files and restart the Zimbra Services.

At the moment (8/26/08), according to Zimbra support, the web interface only supports having "one csr/private key at a time. Generating a new csr overrides the existing one and generates a new private key. If you want to generate more than one csr:

- you simply generate the first one which is downloaded to
 /opt/zimbra/ssl/zimbra/commercial directory (commercial.csr and commercial.key)
- move both files aside
- generate the second csr which would download to the same location above"

/opt/zimbra/bin/zmcertmgr

If the Administration Console>Certificates Wizard is not doing the job, we then resort to the command line.

Note: This tool must be run as root.

It requires the following:

  • The private key must exist in /opt/zimbra/ssl/zimbra/commercial directory and must be named commercial.key with permission set to 740.
  • The server certificate and the chain cert files must exist in a temp directory. E.g. /root/certs
  • The server cert must be named commercial.crt.
  • The chain cert files must be concatenated into one file called commercial_ca.crt.
  • Verify that the cert and the key match using this command:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /path/to/privatekey /path/to/commercial.crt /path/to/commercial_ca.crt
  • From the temp directory, deploy the cert and restart the Zimbra services.
    (a) sudo zmcertmgr deploycrt comm /path/to/commercial.crt /path/to/commercial_ca.crt
    (b) zmcontrol stop ; zmcontrol start
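
The checks this list relies on (key permissions, key and certificate matching, certificate chaining to commercial_ca.crt) can be run with plain openssl before zmcertmgr is invoked. The script below is an added example, not part of the original article or of Zimbra's tooling; the function names and the throwaway "Demo CA" and mail.example.test files are constructed for illustration, and it assumes an openssl whose default configuration marks `req -x509` certificates as CAs.

```shell
#!/bin/sh
# Added example (not Zimbra code): pre-deployment checks using plain openssl.
# make_demo_files, pubkey_of and check_cert_bundle are names made up here.

# Constructed sample input: throwaway CA, server key and CA-signed cert in dir $1.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/commercial_ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/commercial.csr" -CA "$d/commercial_ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -days 1 -out "$d/commercial.crt" 2>/dev/null &&
    chmod 740 "$d/commercial.key" "$d/ca.key"
}

# Print the PEM public key of a private key ($1 = pkey) or a certificate ($1 = x509).
pubkey_of() {
    if [ "$1" = pkey ]; then
        openssl pkey -in "$2" -passin pass: -pubout   # empty passphrase: never prompts
    else
        openssl x509 -in "$2" -noout -pubkey
    fi 2>/dev/null
}

# check_cert_bundle KEY CERT CHAIN
# Returns 0 if deployable, 1 key too open, 2 unreadable input,
# 3 key/cert mismatch, 4 cert does not chain to CHAIN.
check_cert_bundle() {
    key=$1 crt=$2 ca=$3
    # The page asks for mode 740; at minimum "other" must have no access.
    if [ -n "$(find "$key" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]; then
        echo "private key is accessible to other users"; return 1
    fi
    k=$(pubkey_of pkey "$key") && c=$(pubkey_of x509 "$crt") || {
        echo "cannot parse key or certificate (passphrase-protected key?)"; return 2; }
    [ "$k" = "$c" ] || { echo "certificate was not issued for this key"; return 3; }
    # commercial_ca.crt holds the concatenated chain and is used as the trust set.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "certificate does not verify against the chain file"; return 4; }
    echo "ok"
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d) && make_demo_files "$demo_dir" &&
    check_cert_bundle "$demo_dir/commercial.key" "$demo_dir/commercial.crt" "$demo_dir/commercial_ca.crt"
rm -rf "$demo_dir"
```

To check real files, call check_cert_bundle with the key, certificate and chain paths from the list above in place of the demo directory.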


Importing commercial certificates from other mail systems to Zimbra 5.x

The steps are the same as those in the /opt/zimbra/bin/zmcertmgr section above.




Troubleshooting

For troubleshooting certificate issues, see Category:Troubleshooting Certificates.

Misc

  • Inspect your CSR
    openssl req -in <server.csr> -noout -text
  • Inspect your certificate
    openssl x509 -in <server.crt> -noout -text
  • Clear the passphrase of the private key
    openssl rsa -in <server.key> -out <server.key.decr>
  • Get Jetty keystore password
    zmlocalconfig -s -m nokey mailboxd_keystore_password
  • Create a CSR via the CLI
    sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
  • View deployed certificate via the command line
    sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  • Convert the cert format from DER to PEM
    openssl x509 -in input.cer -inform DER -out output.cer -outform PEM

Verified Against: Zimbra Collaboration Suite 5.x
Date Created: 1/16/2008
Article ID: https://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide
Date Modified: 2008-09-17


