Difference between revisions of "5.x Commercial Certificates Guide"

 
(95 intermediate revisions by 21 users not shown)
Content of the earlier revision (the left-hand column of the revision diff). The current revision replaced these procedures with the article index shown further down; the '''Misc''' section, the footer and the categories were carried over and appear in the rendered revision below, so they are not repeated here.

= General Overview =

Installing a commercial certificate in ZCS version 5.0.0_GA and above is a straightforward process once all the required pieces are in hand:

  (a) generate a CSR via the admin console > Certificates, or via the zmcertmgr command line utility.

  (b) receive the signed certificate.

  (c) receive the chain certificates (if applicable).

  (d) install the certificate.

Since the 5.x release, field experience shows that certificate problems come from one of the following:

(1) The upgrade script fails to upgrade the 4.5.x certificate properly.

(2) A missing piece of the puzzle, especially the chain certificates.

(3) A private key and certificate mismatch, in most cases caused by generating the CSR more than once without submitting the latest CSR to the CA provider (the key on disk then belongs to a CSR the CA never saw).

(4) A bug in the code.

= Certificate Upgrade issues=

  If you are upgrading from 4.5.x to 5.x and the cert failed to upgrade successfully, you need to re-install the cert. You will need these pieces:

  (1) the private key; this can be extracted from the tomcat keystore, and Zimbra support can help with this process if you send them the tomcat keystore.

  (2) the server certificate.

  (3) the chain cert files.

  (4) with these pieces in hand, use zmcertmgr to install the certificate as explained in the [[#Importing commercial certificates from other mail systems to Zimbra 5.x]] section.

Check to make sure that only the jetty alias exists in the keystore:

<span style="background-color:green;color:white">keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass  `zmlocalconfig -s -m nokey mailboxd_keystore_password`</span>

Delete the tomcat alias, if it exists, with this command:

<span style="background-color:green;color:white">keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`</span>

=Importing commercial certificates from other mail systems to Zimbra 5.x=

Here are the steps:

- the private key must exist in the /opt/zimbra/ssl/zimbra/commercial directory, must be named commercial.key, and must have its permissions set to 740.

- the server certificate and the chain cert files must exist in a temp directory, e.g. /root/certs.

- the server cert must be named commercial.crt.

- the chain cert files must be concatenated into one file called commercial_ca.crt.

- verify that the cert and the key match using this command:

  <span style="background-color:green;color:white">  /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.crt commercial_ca.crt</span>

- from the temp directory, deploy the cert and restart the Zimbra services:

  <span style="background-color:green;color:white">

  (a) sudo zmcertmgr deploycrt comm <cert file> <ca_chain file>

  (b) zmcontrol stop ; zmcontrol start</span>

=GoDaddy Certificate in 5.x=

Assuming the following is correct:

*This is a new certificate.

*You generated the CSR via the admin console.

*You sent the CSR to get it signed and you received the following files:

**gd_cross_intermediate.crt

**gd_intermediate.crt

**<server_name>.crt

**gd_bundle.crt

*The '''/opt/zimbra/ssl/zimbra/commercial''' directory has two files:

**commercial.key

**commercial.crt

<span style="background-color:green;color:white">You can install the certificate by logging in to the admin console and uploading these files:</span>

**RootCA

**gd_cross_intermediate.crt

**gd_intermediate.crt

**<server_name>.crt

Once you have uploaded the above files, restart the Zimbra services.

= Network Solutions Certificate=

<span style="background-color:green;color:white">
(1) rename the file <server_name>.crt to commercial.crt and place it in /opt/zimbra/ssl/zimbra/commercial

(2) chmod 700 commercial.crt

(3) concatenate the chain files into one file called commercial_ca.crt:

    cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt > commercial_ca.crt

(4) cp commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial

    chmod 700 commercial_ca.crt

(5) run a check against the cert files:

  /opt/zimbra/bin/zmcertmgr verifycrt comm

(6) if the output looks good, deploy the cert:

  /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

(7) restart the Zimbra services:

    su - zimbra

    zmcontrol stop

    zmcontrol start

(8) verify that the web interface loads correctly with the new certificate</span>

Note: this assumes that you have the private key in /opt/zimbra/ssl/zimbra/commercial, named commercial.key, with the correct permissions.

=TroubleShooting=

==Ldap/Nginx won't start and asks for a password==

That means Zimbra cannot read the key or the cert of the ldap/imapproxy service on startup.

Here is what you can do:

(1) Check to make sure the private key is not encrypted (passphrase-protected); a passphrase-protected key is exactly what produces the password prompt.

(2) Manually link the cert to the services, OR simply redeploy the certificate to relink the cert to the services.

<span style="background-color:green;color:white">

    (a) cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/conf/slapd.key

    (b) cp /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/conf/slapd.crt

    (c) cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/conf/nginx.key

    (d) cp /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/conf/nginx.crt</span>

  (3) Restart the Zimbra services.

== failed to create jetty.pkcs12==

If you see this error when you try to install the certificate via the admin console > Certificates:

  Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Error code:
  ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: XXXXX ERROR: failed to create jetty.pkcs12

Check the following:

(1) make sure the permissions of the /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/ directory are set to 644 zimbra:zimbra (the value given in the original article; note that a directory also needs its execute bit set before files can be created inside it).

(2) clear all the current aliases in the mailboxd keystore except for the jetty alias:

  keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

(3) if you are running ZCS version 5.0.5, comment out line #539 of the /opt/zimbra/bin/zmcertmgr utility before deploying the cert. This is bug 27581 [[http://bugzilla.zimbra.com/show_bug.cgi?id=27581]].

Latest revision as of 17:10, 25 March 2015

Admin Article

Article Information: this article applies to ZCS 5.0.

Important: See Administration Console and CLI Certificate Tools before installing a third party certificate using an article listed below. Third party certificate articles are community contributions and may include unsupported steps.

Administration and CLI Tools

Zimbra offers both Administration Console and Command Line Interface (CLI) tools for installing, viewing, and managing certificates. For more information about these tools, see Administration Console and CLI Certificate Tools.

Preexisting Certificates

If you'd like to install a certificate whose CSR was made elsewhere (for instance, if you have a wildcard certificate for your domain), see here: Preexisting Certifcate Installation for Zimbra 6.0

Third Party Certificate Articles

The following third party certificates have their own Wiki articles with installation instructions.

StartSSL

See Installing a StartSSL SSL Certificate with zmcertmgr.

Comodo SSL

See Installing a Comodo SSL Certificate with zmcertmgr.

DigiCert

See Installing DigiCert commercial certificates.

Gandi

See Installing a Gandi Commercial Certificate on ZCS 5.0.x and 6.0.x

GeoTrust Certificate

See Installing_a_GeoTrust_Commercial_Certificate

GlobalSign Certificate

See Installing a GlobalSign Commercial Certificate

GoDaddy Certificate

See Installing a GoDaddy Commercial Certificate on ZCS 5.0.x.

IPSCA Certificate

See Installing_a_IPSCA_Commercial_Certificate

Network Solutions Certificate

See Installing a Network Solutions Certificate on ZCS 5.0.x.

RapidSSL Certificate

See Installing_a_RapidSSL_Commercial_Certificate

Thawte SSL Certificate (SSL123 format)

See Installing a Thawte SSL Certificate on ZCS 5.0.x.

Verisign

See Installing a Verisign Test Certificate on Zimbra Server.

See Installing a Verisign Secure Site Certificate.

Troubleshooting

If you are experiencing issues installing, viewing, or managing your certificates, see the Category:Troubleshooting Certificates category.

Misc

  • Inspect your CSR
openssl req -in <server.csr> -noout -text
  • Inspect your certificate
openssl x509 -in <server.crt> -noout -text
  • Clear the passphrase of the private key
openssl rsa -in <server.key> -out <server.key.decr>
  • Get Jetty keystore password
zmlocalconfig -s -m nokey mailboxd_keystore_password
  • Create a CSR via the CLI
sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
  • View deployed certificate via the command line
 sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  • Convert the cert format from DER to PEM
openssl x509 -in input.cer -inform DER -out output.cer -outform PEM
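The checks this page asks for before and after `zmcertmgr deploycrt comm` (key and certificate must match, the CA files must be concatenated into one well-formed commercial_ca.crt, the private key must not carry a passphrase, DER-delivered CA files must become PEM, and the listener must present the new certificate afterwards) collected into one runnable script. This is an added example and is not code from the Zimbra wiki or from zmcertmgr; it builds a constructed, throwaway CA hierarchy so that it runs offline, and the hostname mail.example.com, the file names, the port argument and the `$WORK` directory are all assumptions. Against a real server, point the functions at the real commercial.key, commercial.crt and the CA's chain files instead.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page or of zmcertmgr.
# Builds a constructed root -> intermediate -> leaf PKI in $WORK so the checks
# run offline, then implements the pre-deploy checks described on this page.
# Assumes only the openssl CLI (1.1.1 or 3.x). Names are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# --- constructed test material (not real CA output) ---------------------------
make_demo_pki() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # self-signed root CA
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 365 -extfile ca.ext 2>/dev/null
  # intermediate CA signed by the root
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -out inter.crt -days 365 -extfile ca.ext 2>/dev/null
  # server key + CSR, signed by the intermediate (what a commercial CA hands back)
  openssl req -newkey rsa:2048 -nodes -keyout commercial.key -out server.csr -subj "/CN=mail.example.com" 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out commercial.crt -days 365 2>/dev/null
  # a second key, as if the CSR had been regenerated after it was submitted (problem (3) on this page)
  openssl genrsa -out stale.key 2048 2>/dev/null
  # the root delivered in DER, as some CAs ship it
  openssl x509 -in root.crt -outform DER -out root.der
  cd - >/dev/null
}

# Print a certificate as PEM whether the file is PEM or DER (the DER-to-PEM step, automated).
to_pem() {
  openssl x509 -in "$1" 2>/dev/null || openssl x509 -in "$1" -inform DER 2>/dev/null
}

# 0 if the private key and the certificate carry the same public key.
# Any other result means the key on disk does not belong to the CSR the CA signed.
key_matches_cert() {
  openssl pkey -in "$1" -noout 2>/dev/null || return 1
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}')
  c=$(to_pem "$2" | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | awk '{print $NF}')
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the key has no passphrase; an encrypted key is what makes ldap/nginx prompt at startup.
key_is_unencrypted() {
  ! grep -q ENCRYPTED "$1" && openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# Assemble the CA bundle: issuing intermediate first, root last (leaf-to-root order is what
# TLS servers expect), every file normalised to PEM with its own trailing newline so that a
# missing newline at the end of one file cannot glue two certificates together.
# Prints the number of certificates written.
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    to_pem "$f" >> "$out" || { echo "not a certificate: $f" >&2; return 1; }
  done
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# 0 if the server certificate chains up to a self-signed root through the bundle.
# A bundle that stops at the intermediate fails here, the same way it fails in clients.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# After deploy (step 8 of the Network Solutions procedure): does the live listener
# present the certificate in the expected file? Compares SHA-256 fingerprints.
deployed_cert_matches() {   # host port expected.crt
  live=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
         | openssl x509 -noout -fingerprint -sha256)
  want=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
  [ -n "$live" ] && [ "$live" = "$want" ]
}

# --- demo run over the constructed material -----------------------------------
make_demo_pki
cd "$WORK"
n=$(build_chain commercial_ca.crt inter.crt root.der)   # DER root is converted on the way in
echo "commercial_ca.crt holds $n certificate(s)"
if key_matches_cert commercial.key commercial.crt; then echo "commercial.key matches commercial.crt"; fi
if key_matches_cert stale.key commercial.crt; then :; else echo "stale.key does NOT match commercial.crt (regenerated CSR)"; fi
if chain_verifies commercial.crt commercial_ca.crt; then echo "commercial.crt verifies against commercial_ca.crt"; fi
if key_is_unencrypted commercial.key; then echo "commercial.key has no passphrase"; fi
cd - >/dev/null
```

`deployed_cert_matches` is not exercised by the demo because it needs a listening server; after `zmcontrol start` run it as `deployed_cert_matches mail.example.com 443 /opt/zimbra/ssl/zimbra/commercial/commercial.crt` (and again against 993 and 587 if proxy and postfix use the same certificate) to confirm every service picked up the new certificate rather than a stale copy.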
Verified Against: Zimbra Collaboration Suite 5.x Date Created: 1/16/2008
Article ID: https://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide Date Modified: 2015-03-25


