{{Archive}}{{Article Infobox|{{admin}}||{{ZCS 5.0}}|}}'''''Important:''' See [[Administration Console and CLI Certificate Tools]] before installing a third party certificate using an article listed below. Third party certificate articles are community contributions and may include unsupported steps.''

==Administration and CLI Tools==
Zimbra offers both Administration Console and Command Line Interface (CLI) tools for installing, viewing, and managing certificates. For more information about these tools, see [[Administration Console and CLI Certificate Tools]].

==General Overview==
Installing a commercial certificate in ZCS 5.0.0_GA and above is a straightforward process once you have all the required pieces:

# generate a CSR via the admin console (Certificates) or via the '''zmcertmgr''' command line utility;
# receive the signed server certificate from the CA;
# receive the chain certificates (the root CA and any intermediate certificates the CA uses), if applicable;
# install the certificate.

Since the 5.x release, Zimbra's field experience shows that certificate problems come from one of the following:

# the upgrade script fails to upgrade a 4.5.x certificate properly;
# a piece of the puzzle is missing, most often the chain certificates;
# the private key and the certificate do not match, in most cases because the CSR was generated more than once and the latest CSR was not the one submitted to the CA (the '''-new''' option of '''zmcertmgr createcsr''' generates a fresh private key, so a certificate issued for an earlier CSR cannot be deployed with the key now on the server);
# a bug in the code.
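The CSR step and the key/certificate mismatch described above, as an added example that is not part of this article or of Zimbra's tools: it uses only the openssl CLI (1.1.1 or later for '''-addext'''), and the hostnames mail.example.com and webmail.example.com, the organisation name and the file names are assumptions. It generates a CSR with subjectAltNames, prints the SANs so they can be checked before the CSR goes to the CA, then shows how to tell whether the key on disk is the one a given CSR (and therefore the certificate the CA returns for it) belongs to.

```sh
#!/bin/sh
# Added example (not Zimbra's code): create a CSR with the openssl CLI much as the
# admin console or "zmcertmgr createcsr comm -new" does, inspect it, and detect the
# most common cause of a private key / certificate mismatch: a CSR (and key) that
# was regenerated after the CSR sent to the CA. Hostnames and names are assumptions.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HOST=mail.example.com                               # assumed Zimbra server hostname

# Fresh 2048-bit key plus a CSR carrying the CN and the subjectAltNames the CA should sign.
make_csr() {   # $1=key file to write  $2=csr file to write
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/O=Example Org/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST,DNS:webmail.example.com" 2>/dev/null
}

# The SAN line of a CSR, so every hostname can be confirmed before the CSR goes out.
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/{getline; sub(/^ +/, ""); print; exit}'
}

# True when the public key inside the CSR is the one derived from the private key file.
# A certificate issued for a CSR that fails this check can never be deployed with that key.
key_matches_csr() {   # $1=private key  $2=csr
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

make_csr "$WORK/first.key"  "$WORK/first.csr"   # this CSR is the one sent to the CA
make_csr "$WORK/second.key" "$WORK/second.csr"  # createcsr run again later: new key, new CSR

echo "SANs in the submitted CSR: $(csr_sans "$WORK/first.csr")"
key_matches_csr "$WORK/first.key"  "$WORK/first.csr" && echo "first.key matches first.csr"
key_matches_csr "$WORK/second.key" "$WORK/first.csr" || \
    echo "second.key does NOT match first.csr: the key now on disk is not the one the CA signed"
```

The same comparison works against the issued certificate (replace the '''openssl req ... -pubkey''' side with '''openssl x509 -in server.crt -noout -pubkey'''), which is the quickest way to confirm case (3) above before opening a support ticket.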
==Preexisting Certificates==
If you'd like to install a certificate whose CSR was made elsewhere (for instance, if you have a wildcard certificate for your domain), see [[Preexisting Certifcate Installation for Zimbra 6.0]].

==Third Party Certificate Articles==
The following third party certificates have their own Wiki articles with installation instructions.

===StartSSL===
See [[Installing a StartSSL SSL Certificate with zmcertmgr]].

===Comodo SSL===
See [[Installing a Comodo SSL Certificate with zmcertmgr]].

===DigiCert===
See [[Installing DigiCert commercial certificates]].

===Gandi===
See [[Installing a Gandi Commercial Certificate on ZCS 5.0.x and 6.0.x]].

===GeoTrust Certificate===
See [[Installing_a_GeoTrust_Commercial_Certificate]].

===GlobalSign Certificate===
See [[Installing a GlobalSign Commercial Certificate]].

===GoDaddy Certificate===
See [[Installing a GoDaddy Commercial Certificate on ZCS 5.0.x]].

===IPSCA Certificate===
See [[Installing_a_IPSCA_Commercial_Certificate]].

===Network Solutions Certificate===
See [[Installing a Network Solutions Certificate on ZCS 5.0.x]].

===RapidSSL Certificate===
See [[Installing_a_RapidSSL_Commercial_Certificate]].

===Thawte SSL Certificate (SSL123 format)===
See [[Installing a Thawte SSL Certificate on ZCS 5.0.x]].

===Verisign===
See [[Installing a Verisign Test Certificate on Zimbra Server]] and [[Installing a Verisign Secure Site Certificate]].

==Troubleshooting==
If you are experiencing issues installing, viewing, or managing your certificates, see the [[:Category:Troubleshooting Certificates]] category.

==Certificate Upgrade Issues (4.5.x to 5.x)==
If you are upgrading from 4.5.x to 5.x and the certificate failed to upgrade successfully, you need to reinstall the certificate. You need these pieces:

# the private key; it can be extracted from the Tomcat keystore, and Zimbra support (support@zimbra.com) can help with this process if you send them the Tomcat keystore;
# the server certificate;
# the chain certificate files;
# with these pieces in hand, use '''zmcertmgr deploycrt''' to install the certificate as shown in the next section.

ZCS 5.x runs the mailbox service under Jetty instead of Tomcat, so only the '''jetty''' alias should exist in the keystore. Check which aliases it contains:

 keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

If the command returns two aliases (tomcat and jetty), delete the '''tomcat''' alias:

 keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

If either command returns errors, send the output to support@zimbra.com.

==Installing a Commercial Certificate (5.0.1_GA and later)==
Obtain your commercial certificate from your provider.

'''''Note:''' You will also need the root CA and any intermediate certificates that the provider uses, in PEM format.''

Concatenate the root and intermediate files into a single chain file for use with '''zmcertmgr''', deploy the certificate, then restart the services:

 sudo zmcertmgr deploycrt comm <cert file> <ca_chain file>
 zmcontrol stop ; zmcontrol start
==Importing commercial certificates from other mail systems to Zimbra 5.x==
If you have all the necessary pieces, you can bring an existing commercial certificate to Zimbra. You need the following:

# the private key in decrypted (passphrase-free) PEM format;
# all the certificate files you received from the CA (server certificate, intermediate and root CA certificates);
# a Zimbra hostname that is the same as the hostname on the certificate.

Here are the steps:

# Place your private key in '''/opt/zimbra/ssl/zimbra/commercial''' and name it '''commercial.key'''.
# Make sure '''commercial.key''' has permissions 700 and is owned by root:root.
# Upload the certificate files via the admin console (Certificates).
# Make sure to upload all the certificate files that you received from your CA (root CA, intermediate, ...).

==GoDaddy Certificate in 5.x==
Assuming the following is correct:

* This is a new certificate.
* You generated the CSR via the admin console.
* You sent the CSR to be signed and received the following files:
** gd_cross_intermediate.crt
** gd_intermediate.crt
** <server_name>.crt
** gd_bundle.crt
** (Root CA)
* '''/opt/zimbra/ssl/zimbra/commercial''' contains two files:
** commercial.key
** commercial.crt

You can install the certificate by logging in to the admin console and uploading these files:

* gd_cross_intermediate.crt
* gd_intermediate.crt
* <server_name>.crt
* (Root CA)

Once you have uploaded the above files, restart the Zimbra services.

===Installing a GoDaddy commercial certificate from the command line===
# Download the GoDaddy bundle from their primary repository.
# Reverse the certificate chain so that the chain of trust goes from general to specific (Root CA, intermediate, cross intermediate, your certificate). Save this file as '''commercial.crt''' under '''/opt/zimbra/ssl/zimbra/commercial'''.
# Copy your private key (it must be named '''commercial.key''') to '''/opt/zimbra/ssl/zimbra/commercial'''.
# Copy the certificate to the other locations the admin console uses:
#: cp commercial.crt /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt
#: cp commercial.crt /opt/zimbra/jetty/webapps/zimbraAdmin/tmp/current.crt
#: cp commercial.crt /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_chain.crt
# Install the certificate:
#: /opt/zimbra/bin/zmcertmgr install comm
# Restart Zimbra.

This feedback was submitted by Dave Torre from San Mateo Regional Networks. Thanks Dave.

==Network Solutions Certificate==
This assumes that the private key is already in '''/opt/zimbra/ssl/zimbra/commercial''', named '''commercial.key''', with the correct permissions.

# Rename <server_name>.crt to '''commercial.crt''' and place it in /opt/zimbra/ssl/zimbra/commercial.
# Set its permissions:
#: chmod 700 commercial.crt
# Concatenate the chain files into one file called '''commercial_ca.crt''', root CA first:
#: cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt > commercial_ca.crt
# Copy it into place and set its permissions:
#: cp commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial
#: chmod 700 commercial_ca.crt
# Run a check against the certificate files:
#: /opt/zimbra/bin/zmcertmgr verifycrt comm
# If the output looks good, deploy the certificate:
#: /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
# Restart the Zimbra services:
#: su - zimbra
#: zmcontrol stop
#: zmcontrol start
# Verify that the web interface loads correctly with the new certificate.

==Misc==
* Inspect your CSR:
*: openssl req -in <server.csr> -noout -text
* Inspect your certificate:
*: openssl x509 -in <server.crt> -noout -text
* Clear the passphrase of the private key:
*: openssl rsa -in <server.key> -out <server.key.decr>
* Get the Jetty keystore password:
*: zmlocalconfig -s -m nokey mailboxd_keystore_password
* Create a CSR via the CLI:
*: sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
* View the deployed certificate via the command line:
*: sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
* Convert a certificate from DER to PEM format:
*: openssl x509 -in input.cer -inform DER -out output.cer -outform PEM
|
{{Article Footer|Zimbra Collaboration Suite 5.x|1/16/2008}}

[[Category: Certificates]]
[[Category: ZCS 5.0]]
[[Category: SSL/TLS]]