|
|
(30 intermediate revisions by 11 users not shown) |
Line 1: |
Line 1: |
| =General Overview=
| | {{Archive}}{{Article Infobox|{{admin}}||{{ZCS 5.0}}|}}'''''Important:''' See [[Administration Console and CLI Certificate Tools]] before installing a third party certificate using an article listed below. Third party certificate articles are community contributions and may include unsupported steps.'' |
| Installing a commercial certificate in ZCS version 5.0.0_GA and above is a straightforward process. The following is an overview of the steps you will take to install a commercial certificate.
| |
| #Generate a CSR via the '''Administration Console>Certificates''' or via the '''zmcertmgr''' command line utility.
| |
| #Receive the signed certificate.
| |
| #Receive the chain_certificates (if applicable).
| |
| #Install the certificate.
| |
| =TOOLS=
| |
| ==Admininstration Console>Certificates==
| |
| This is the preferred method for installing commercial certificates. You simply start the Wizard and upload all the cert files and restart the Zimbra Services.
| |
|
| |
|
| At the moment (8/26/08), according to Zimbra support, the web interface only supports having "one csr/private key at a time. Generating a new csr overrides the existing one and generates a new private key. If you want to generate more than one csr:
| | ==Administration and CLI Tools== |
| - you simply generate the first one which is downloaded to
| | Zimbra offers both Administration Console and Command Line Interface (CLI) tools for installing, viewing, and managing certificates. For more information about these tools, see [[Administration Console and CLI Certificate Tools]]. |
| /opt/zimbra/ssl/zimbra/commercial directory (commercial.csr and commercial.key)
| |
| - move both files aside
| |
| - generate the second csr which would download to the same location above"
| |
|
| |
|
| ==/opt/zimbra/bin/zmcertmgr== | | ==Preexisting Certificates== |
| If the Administration Console>Certificates Wizard is not doing the job, we then resort to the command line. | | If you'd like to install a certificate whose CSR was made elsewhere (for instance, if you have a wildcard certificate for your domain), see here: [[Preexisting Certifcate Installation for Zimbra 6.0]] |
|
| |
|
| '''''Note:''' This tool must be run as root.''
| | ==Third Party Certificate Articles== |
| | The following third party certificates have their own Wiki articles with installation instructions. |
|
| |
|
| It requires the following:
| | ===StartSSL=== |
| | See [[Installing a StartSSL SSL Certificate with zmcertmgr]]. |
|
| |
|
| *The private key must exist in '''/opt/zimbra/ssl/zimbra/commercial''' directory and must be named '''commercial.key''' with permission set to '''740'''.
| | ===Comodo SSL=== |
| *The server certificate and the chain cert files must exist in a temp directory. E.g. '''/root/certs'''
| | See [[Installing a Comodo SSL Certificate with zmcertmgr]]. |
| *The server cert must be named '''commercial.crt'''.
| |
| *The chain cert files must be concatenated into one file called commercial_ca.crt.
| |
| *Verify that the cert and the key match using this command:
| |
| /opt/zimbra/bin/zmcertmgr verifycrt comm /path/to/privatekey /path/to/commercial.crt /path/to/commercial_ca.crt
| |
| *From the temp directory, deploy the cert and restart the zimbra services.
| |
| (a) sudo zmcertmgr deploycrt comm /path/to/commercial.crt /path/to/commercial_ca.crt
| |
| (b) zmcontrol stop ; zmcontrol start
| |
|
| |
|
| =Certificate Upgrade Issues= | | ===DigiCert=== |
| If you are upgrading from 4.5x to 5.0.x and the cert failed to upgrade successfully, you need to re-install the cert. You will need these pieces:
| | See [[Installing DigiCert commercial certificates]]. |
|
| |
|
| #The private key. This can be extracted from the Tomcat keystore. Zimbra Support can help with this process if you send the Tomcat keystore.
| | ===Gandi=== |
| #The server certificate
| | See [[Installing a Gandi Commercial Certificate on ZCS 5.0.x and 6.0.x]] |
| #The chain cert files
| |
|
| |
|
| With these pieces in hand, we can use the zmcertmgr to install the certificate as explained in [[#Importing commercial certificates from other mail systems to Zimbra 5.x]].
| | ===GeoTrust Certificate=== |
| | See [[Installing_a_GeoTrust_Commercial_Certificate]] |
|
| |
|
| Check to make sure that only the jetty alias exists in the keystore.
| | ===GlobalSign Certificate=== |
| | See [[Installing a GlobalSign Commercial Certificate]] |
|
| |
|
| keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
| | ===GoDaddy Certificate=== |
| | See [[Installing a GoDaddy Commercial Certificate on ZCS 5.0.x]]. |
|
| |
|
| Delete the tomcat alias, if exists, with the following command.
| | ===IPSCA Certificate=== |
| | See [[Installing_a_IPSCA_Commercial_Certificate]] |
|
| |
|
| keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
| | ===Network Solutions Certificate=== |
| | See [[Installing a Network Solutions Certificate on ZCS 5.0.x]]. |
|
| |
|
| =Importing commercial certificates from other mail systems to Zimbra 5.x= | | ===RapidSSL Certificate=== |
| The steps are the same as the ones under [[#/opt/zimbra/bin/zmcertmgr]].
| | See [[Installing_a_RapidSSL_Commercial_Certificate]] |
|
| |
|
| =GoDaddy Certificate in 5.x= | | ===Thawte SSL Certificate (SSL123 format)=== |
| Assuming the following is correct:
| | See [[Installing a Thawte SSL Certificate on ZCS 5.0.x]]. |
| *This is a new certificate.
| |
| *You generated the CSR via the Administration Console.
| |
| *You sent the CSR to get it signed and you received the following files:
| |
| **gd_cross_intermediate.crt
| |
| **gd_intermediate.crt
| |
| **<server_name>.crt
| |
| **gd_bundle.crt
| |
| *The '''/opt/zimbra/ssl/zimbra/commercial''' has two files:
| |
| **commercial.key
| |
| **commercial.crt
| |
|
| |
|
| You can install the certificate by logging in to the Administration Console and uploading the following files.
| | ===Verisign=== |
| *RootCA
| | See [[Installing a Verisign Test Certificate on Zimbra Server]]. |
| *gd_cross_intermediate.crt
| |
| *gd_intermediate.crt
| |
| *<server_name>.crt
| |
|
| |
|
| Once you have uploaded these files, restart Zimbra services.
| | See [[Installing a Verisign Secure Site Certificate]]. |
|
| |
|
| =Network Solutions Certificate= | | ==Troubleshooting== |
| 1. Rename the <server_name.crt> file to '''commercial.crt''' and place it in the '''/opt/zimbra/ssl/zimbra/commercial'''
| | If you are experiencing issues installing, viewing, or managing your certificates, see the [[:Category:Troubleshooting Certificates]] category. |
| 2. chmod 700 commercial.crt
| |
| 3. Concatenate the chain files into one file and call it '''commercial_ca.crt'''
| |
| cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt >> commercial_ca.crt
| |
| 4. cp commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial
| |
| chmod 700 commercial_ca.crt
| |
| 5. Run a check against the cert files.
| |
| /opt/zimbra/bin/zmcertmgr verifycrt comm
| |
| 6. At this point and if the output looks promising, go ahead and deploy the cert.
| |
| /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
| |
| 7. Restart the Zimbra services.
| |
| su - zimbra
| |
| zmcontrol stop
| |
| zmcontrol start
| |
| 8. Verify that the Web interface is loading correctly with the new certificate.
| |
| | |
| '''''Note:''' This assumes that you have the private key in '''/opt/zimbra/ssl/zimbra/commercial''' named as '''commercial.key''' with the correct permissions.''
| |
| | |
| | |
| =Thawte SSL Certificate (SSL123 format)= | |
| 1. Generate the CSR from admin console and get it signed by Thawte in .pem format. Save the cert in /opt/zimbra/ssl/zimbra/commercial and rename it to commercial.crt . This directory should also contain commercial.key, which was generated at the time of CSR creation.
| |
| | |
| 2. Download ThawteServerCA_b64.txt and save it at /opt/zimbra/ssl/zimbra/commercial
| |
| | |
| 3. Run following commands as root:
| |
| | |
| cd /opt/zimbra/ssl/zimbra/commercial/
| |
| /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt ThawteServerCA_b64.txt
| |
| | |
| If output of above commands looks good, proceed to install the certificate.
| |
|
| |
| /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ThawteServerCA_b64.txt
| |
| | |
| 4. Restart the Zimbra services.
| |
| su - zimbra
| |
| zmcontrol stop
| |
| zmcontrol start
| |
| | |
| 5. Verify that the Web interface is loading correctly with the new certificate.
| |
| | |
| | |
| =Install Verisign Test Certificate on Zimbra Server=
| |
| See [[Installing a Verisign Test Certificate on Zimbra Server]]
| |
| | |
| =Troubleshooting=
| |
| For troubleshooting certificate issues, please see [[:Category:Troubleshooting Certificates]].
| |
|
| |
|
| =Misc= | | =Misc= |
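Review bot: No link on the new side visibly replaces the removed "Certificate Upgrade Issues" section (re-installing the cert after a 4.5x to 5.0.x upgrade, checking that only the jetty alias is in the keystore, deleting the tomcat alias). Confirm that this procedure lives on a page under [[:Category:Troubleshooting Certificates]], or link it explicitly. On style, several of the new entries use underscores as link text (for example `[[Installing_a_GeoTrust_Commercial_Certificate]]`) and omit the trailing period that the other "See" lines carry. "Certifcate" in `[[Preexisting Certifcate Installation for Zimbra 6.0]]` also looks misspelled unless that is the target page's actual title.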
Line 146: |
Line 76: |
|
| |
|
| [[Category: Certificates]] | | [[Category: Certificates]] |
| [[Category: Troubleshooting]] | | [[Category: ZCS 5.0]] |
| | [[Category: SSL/TLS]] |
- This is archive documentation, which means it is not supported or valid for recent versions of Zimbra Collaboration.
Article Information
This article applies to the following ZCS versions: ZCS 5.0
Important: See Administration Console and CLI Certificate Tools before installing a third party certificate using an article listed below. Third party certificate articles are community contributions and may include unsupported steps.
Administration and CLI Tools
Zimbra offers both Administration Console and Command Line Interface (CLI) tools for installing, viewing, and managing certificates. For more information about these tools, see Administration Console and CLI Certificate Tools.
Preexisting Certificates
If you'd like to install a certificate whose CSR was made elsewhere (for instance, if you have a wildcard certificate for your domain), see here: Preexisting Certifcate Installation for Zimbra 6.0
Third Party Certificate Articles
The following third party certificates have their own Wiki articles with installation instructions.
StartSSL
See Installing a StartSSL SSL Certificate with zmcertmgr.
Comodo SSL
See Installing a Comodo SSL Certificate with zmcertmgr.
DigiCert
See Installing DigiCert commercial certificates.
Gandi
See Installing a Gandi Commercial Certificate on ZCS 5.0.x and 6.0.x
GeoTrust Certificate
See Installing_a_GeoTrust_Commercial_Certificate
GlobalSign Certificate
See Installing a GlobalSign Commercial Certificate
GoDaddy Certificate
See Installing a GoDaddy Commercial Certificate on ZCS 5.0.x.
IPSCA Certificate
See Installing_a_IPSCA_Commercial_Certificate
Network Solutions Certificate
See Installing a Network Solutions Certificate on ZCS 5.0.x.
RapidSSL Certificate
See Installing_a_RapidSSL_Commercial_Certificate
Thawte SSL Certificate (SSL123 format)
See Installing a Thawte SSL Certificate on ZCS 5.0.x.
Verisign
See Installing a Verisign Test Certificate on Zimbra Server.
See Installing a Verisign Secure Site Certificate.
Troubleshooting
If you are experiencing issues installing, viewing, or managing your certificates, see the Category:Troubleshooting Certificates category.
Misc
- View the contents of a CSR
openssl req -in <server.csr> -noout -text
- View the contents of a certificate
openssl x509 -in <server.crt> -noout -text
- Clear the passphrase of the private key
openssl rsa -in <server.key> -out <server.key.decr>
- Get Jetty keystore password
zmlocalconfig -s -m nokey mailboxd_keystore_password
- Generate a CSR via the command line
sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
- View deployed certificate via the command line
sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- Convert the cert format from DER to PEM
openssl x509 -in input.cer -inform DER -out output.cer -outform PEM
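The Misc commands above inspect one file at a time. The following added example (not part of the wiki article or of Zimbra's tooling) combines them into pre-deployment checks: PEM versus DER encoding, a leftover passphrase on the key, and whether the private key belongs to the certificate. The function names, file names and the CN mail.example.test are assumptions made for the demo, which generates its own throwaway key pairs.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks on certificate files before handing them
# to zmcertmgr. All file names and the CN below are constructed for the demo.

# Print PEM, DER or UNKNOWN for a certificate file.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
    else echo UNKNOWN; fi
}

# Succeeds when the PEM private key is still passphrase-protected.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Succeeds only when the key's public half equals the certificate's public key.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Build constructed demo material in directory $1: two self-signed pairs (a, b),
# a DER copy of certificate a and a passphrase-protected copy of key a.
make_demo_files() {
    local d=$1 n
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=mail.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null || return 1
    done
    openssl x509 -in "$d/a.crt" -outform DER -out "$d/a.der" &&
    openssl pkey -in "$d/a.key" -aes-256-cbc -passout pass:constructed -out "$d/a.enc.key"
}

# Demo run on the constructed files.
demo=$(mktemp -d) && make_demo_files "$demo"
key_matches_cert "$demo/a.key" "$demo/a.crt" && echo "a.key matches a.crt"
key_matches_cert "$demo/a.key" "$demo/b.crt" || echo "a.key does NOT match b.crt"
echo "a.der is $(cert_format "$demo/a.der"), convert it to PEM before deploying"
key_is_encrypted "$demo/a.enc.key" && echo "a.enc.key still has a passphrase"
rm -rf "$demo"
```

Comparing the public keys rather than an RSA modulus keeps the match check valid for non-RSA keys as well.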