5.x Commercial Certificates Guide
=General Overview=

Installing a commercial certificate in ZCS version 5.0.0_GA and above is a straightforward process.  The following is an overview of the steps you will take to install a commercial certificate.
 
#Generate a CSR via the '''Administration Console>Certificates''' or via the '''zmcertmgr''' command line utility.
#Receive the signed certificate.
#Receive the chain certificates (if applicable).
#Install the certificate.
 
=TOOLS=
 
==Administration Console>Certificates==
 
This is the preferred method for installing commercial certificates. You simply start the Wizard and upload all the cert files and restart the Zimbra Services.
 
==/opt/zimbra/bin/zmcertmgr==
 
If the Administration Console>Certificates Wizard is not doing the job, we then resort to the command line.

'''''Note:''' This tool must be run as root.''

It requires the following:

*The private key must exist in the '''/opt/zimbra/ssl/zimbra/commercial''' directory and must be named '''commercial.key''', with permissions set to '''740'''.
*The server certificate and the chain cert files must exist in a temp directory, e.g. '''/root/certs'''.
*The server cert must be named '''commercial.crt'''.
*The chain cert files must be concatenated into one file called '''commercial_ca.crt'''.
*Verify that the cert and the key match using this command:
 /opt/zimbra/bin/zmcertmgr verifycrt comm /path/to/privatekey /path/to/commercial.crt /path/to/commercial_ca.crt
*From the temp directory, deploy the cert and restart the Zimbra services:
 (a) sudo zmcertmgr deploycrt comm /path/to/commercial.crt /path/to/commercial_ca.crt
 (b) zmcontrol stop ; zmcontrol start
 
  
=Certificate Upgrade Issues=

If you are upgrading from 4.5.x to 5.0.x and the cert failed to upgrade successfully, you need to re-install the cert. You will need these pieces:

#The private key. This can be extracted from the Tomcat keystore. Zimbra Support can help with this process if you send them the Tomcat keystore.
#The server certificate.
#The chain cert files.

With these pieces in hand, we can use zmcertmgr to install the certificate as explained in [[#Importing commercial certificates from other mail systems to Zimbra 5.x]].

Check to make sure that only the jetty alias exists in the keystore:

 keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

Delete the tomcat alias, if it exists, with the following command:

 keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
+
===GoDaddy Certificate===
 +
See [[Installing a GoDaddy Commercial Certificate on ZCS 5.0.x]].
  
=Importing commercial certificates from other mail systems to Zimbra 5.x=

The steps are the same as the ones under [[#/opt/zimbra/bin/zmcertmgr]].

=GoDaddy Certificate in 5.x=

Assuming the following is correct:

*This is a new certificate.
*You generated the CSR via the Administration Console.
*You sent the CSR to get it signed and you received the following files:
**gd_cross_intermediate.crt
**gd_intermediate.crt
**<server_name>.crt
**gd_bundle.crt
*The '''/opt/zimbra/ssl/zimbra/commercial''' directory has two files:
**commercial.key
**commercial.crt

You can install the certificate by logging in to the Administration Console and uploading the following files:

*RootCA
*gd_cross_intermediate.crt
*gd_intermediate.crt
*<server_name>.crt

Once you have uploaded these files, restart the Zimbra services.
  
=Network Solutions Certificate=

1. Rename the <server_name>.crt file to '''commercial.crt''' and place it in '''/opt/zimbra/ssl/zimbra/commercial'''.

2. chmod 700 commercial.crt

3. Concatenate the chain files into one file and call it '''commercial_ca.crt''':

 cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt >> commercial_ca.crt

4. cp commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial

 chmod 700 commercial_ca.crt

5. Run a check against the cert files:

 /opt/zimbra/bin/zmcertmgr verifycrt comm

6. If the output looks promising, go ahead and deploy the cert:

 /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

7. Restart the Zimbra services:

 su - zimbra
 zmcontrol stop
 zmcontrol start

8. Verify that the Web interface is loading correctly with the new certificate.

'''''Note:''' This assumes that you have the private key in '''/opt/zimbra/ssl/zimbra/commercial''' named '''commercial.key''' with the correct permissions.''

=Thawte SSL Certificate (SSL123 format)=
1. Generate the CSR from the admin console and get it signed by Thawte in .pem format. Save the cert in /opt/zimbra/ssl/zimbra/commercial and rename it to commercial.crt. This directory should also contain commercial.key, which was generated at the time of CSR creation.

2. Download ThawteServerCA_b64.txt and save it in /opt/zimbra/ssl/zimbra/commercial.

3. Run the following commands as root:

 cd /opt/zimbra/ssl/zimbra/commercial/
 /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt ThawteServerCA_b64.txt

If the output of the above commands looks good, proceed to install the certificate:

 /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ThawteServerCA_b64.txt

4. Restart the Zimbra services:

 su - zimbra
 zmcontrol stop
 zmcontrol start

5. Verify that the Web interface is loading correctly with the new certificate.

=Install Verisign Test Certificate on Zimbra Server=

See [[Install Verisign Test Certificate on Zimbra Server]]
 
 
 
=Troubleshooting=

==LDAP/Nginx won't start and asks for a password==

That means Zimbra can't read the key or the cert of the LDAP/IMAP proxy service on startup.

Here is what you can do:

1. Check to make sure the private key is not encrypted.

2. Manually link the cert to the services, OR simply redeploy the certificate to relink the cert to the services:

 (a) cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/conf/slapd.key
 (b) cp /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/conf/slapd.crt
 (c) cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/conf/nginx.key
 (d) cp /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/conf/nginx.crt

3. Restart the Zimbra services.
 
 
 
==Failed to create jetty.pkcs12==

If you are seeing the following error when you try to install the certificate via '''Administration Console>Certificates''':

 Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12
 Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12
 Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: XXXXX
 ERROR: failed to create jetty.pkcs12

Check the following:

1. Make sure the permissions of the '''/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/''' directory are set to '''644 zimbra:zimbra'''.

2. Clear all the current aliases in the mailboxd keystore except for the jetty alias:

 keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

3. If you are running ZCS version 5.0.5, comment out line #539 of the '''/opt/zimbra/bin/zmcertmgr''' utility before deploying the cert. This is bug [http://bugzilla.zimbra.com/show_bug.cgi?id=27581 27581].

4. Until 5.0.9, check that the last character of commercial.crt is a cr, bug [http://bugzilla.zimbra.com/show_bug.cgi?id=31034 31034].
 
 
 
==Private key and certificate mismatch==

If you are seeing this error as you deploy the certificate:

 Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate
 (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key)
 pair. Error code: ZaCertWizard.prototype.installCallback...

You need to regenerate the CSR, which will create a new key, and submit it to the CA to get it signed. You simply start the certificate installation again.
 
 
 
==Problem with Certificate can cause MTA Failure==
 
See [[Problem with Certificate can cause MTA Failure]]
 
 
 
==Unable to get issuer certificate==

If you are getting this error as you deploy the certificate:

 XXXXX ERROR: Invalid Certificate:....error 20 at 0 depth lookup:unable to get local issuer certificate
 XXXXX ERROR: provided cert isn't valid.

or this alternate error:

 error 2 at 1 depth lookup

That means the certificate path or chain is broken and you are missing certificate files, in most cases the intermediate cert.

For more info on certificate path verification, please take a look at this URL: http://www.herongyang.com/crypto/openssl_verify.html
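The following pre-flight script is an added example (not from this wiki page and not Zimbra's code) that checks the commercial.key / commercial.crt / commercial_ca.crt layout required by the zmcertmgr section above against the failure modes described in this Troubleshooting section: a passphrase-protected key (LDAP/Nginx asking for a password), a world-readable key, a commercial.crt with no trailing line break (bug 31034) and a chain file with no intermediate (error 20). The function names and the placeholder PEM contents are constructed; the script does not replace zmcertmgr verifycrt comm, which is what actually confirms that key and certificate match.

```sh
#!/bin/sh
# Pre-flight checks for the files this guide feeds to "zmcertmgr verifycrt comm" and
# "deploycrt comm". Added example, not Zimbra code; each check mirrors one failure from
# the Troubleshooting section. Usage: preflight.sh [DIR] (no DIR: check a built-in sample).
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
# Pass if the key has no passphrase: an encrypted commercial.key is what makes
# LDAP/nginx stop at startup and ask for a password.
key_is_unencrypted() {
    [ -f "$1" ] && ! grep -q -e 'ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Pass if "others" cannot read the key (the guide keeps it at mode 700/740).
key_not_world_readable() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# Pass if the file ends in a line break (bug 31034: before 5.0.9 a commercial.crt
# whose last byte is not a line break makes jetty.pkcs12 creation fail).
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Pass if the PEM bundle holds at least $2 certificates; a chain file missing the
# intermediate is the usual cause of "error 20 ... unable to get local issuer certificate".
has_min_certs() {
    [ -f "$1" ] && [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)" -ge "$2" ]
}

# Check a directory laid out as the guide describes (commercial.key, commercial.crt,
# commercial_ca.crt); return the number of failed checks, 0 meaning ready for zmcertmgr.
preflight() {
    fails=0
    key_is_unencrypted "$1/commercial.key"     || fail "commercial.key is passphrase-protected"
    key_not_world_readable "$1/commercial.key" || fail "commercial.key is world-readable"
    ends_with_newline "$1/commercial.crt"      || fail "commercial.crt does not end with a line break"
    has_min_certs "$1/commercial.crt" 1        || fail "commercial.crt contains no certificate"
    has_min_certs "$1/commercial_ca.crt" 1     || fail "commercial_ca.crt contains no chain certificate"
    return "$fails"
}

# Constructed sample layout with placeholder PEM bodies (not real key material), so
# the checks can be exercised without touching a live Zimbra install.
make_sample_dir() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' QUJD '-----END RSA PRIVATE KEY-----' > "$1/commercial.key"
    chmod 600 "$1/commercial.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' QUJD '-----END CERTIFICATE-----' > "$1/commercial.crt"
    cp "$1/commercial.crt" "$1/commercial_ca.crt"
}
if [ $# -gt 0 ]; then preflight "$1"; else d=$(mktemp -d); make_sample_dir "$d"; preflight "$d" && echo "sample layout passed"; rm -rf "$d"; fi
```

Run it as root against /opt/zimbra/ssl/zimbra/commercial before zmcertmgr verifycrt comm; a non-zero exit code is the number of checks that failed.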
 
  
 
  
 
[[Category: Certificates]]
[[Category: Troubleshooting]]
[[Category: ZCS 5.0]]
[[Category: SSL/TLS]]

Latest revision as of 17:10, 25 March 2015

Admin Article

Article Information: This article applies to the following ZCS versions: ZCS 5.0

Important: See Administration Console and CLI Certificate Tools before installing a third party certificate using an article listed below. Third party certificate articles are community contributions and may include unsupported steps.

Administration and CLI Tools

Zimbra offers both Administration Console and Command Line Interface (CLI) tools for installing, viewing, and managing certificates. For more information about these tools, see Administration Console and CLI Certificate Tools.

Preexisting Certificates

If you'd like to install a certificate whose CSR was made elsewhere (for instance, if you have a wildcard certificate for your domain), see here: Preexisting Certifcate Installation for Zimbra 6.0

Third Party Certificate Articles

The following third party certificates have their own Wiki articles with installation instructions.

StartSSL

See Installing a StartSSL SSL Certificate with zmcertmgr.

Comodo SSL

See Installing a Comodo SSL Certificate with zmcertmgr.

DigiCert

See Installing DigiCert commercial certificates.

Gandi

See Installing a Gandi Commercial Certificate on ZCS 5.0.x and 6.0.x

GeoTrust Certificate

See Installing_a_GeoTrust_Commercial_Certificate

GlobalSign Certificate

See Installing a GlobalSign Commercial Certificate

GoDaddy Certificate

See Installing a GoDaddy Commercial Certificate on ZCS 5.0.x.

IPSCA Certificate

See Installing_a_IPSCA_Commercial_Certificate

Network Solutions Certificate

See Installing a Network Solutions Certificate on ZCS 5.0.x.

RapidSSL Certificate

See Installing_a_RapidSSL_Commercial_Certificate

Thawte SSL Certificate (SSL123 format)

See Installing a Thawte SSL Certificate on ZCS 5.0.x.

Verisign

See Installing a Verisign Test Certificate on Zimbra Server.

See Installing a Verisign Secure Site Certificate.

Troubleshooting

If you are experiencing issues installing, viewing, or managing your certificates, see the Category:Troubleshooting Certificates category.

Misc

  • Inspect your CSR
 openssl req -in <server.csr> -noout -text
  • Inspect your certificate
 openssl x509 -in <server.crt> -noout -text
  • Clear the passphrase of the private key
 openssl rsa -in <server.key> -out <server.key.decr>
  • Get the Jetty keystore password
 zmlocalconfig -s -m nokey mailboxd_keystore_password
  • Create a CSR via the CLI
 sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
  • View the deployed certificate via the command line
 sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  • Convert the cert format from DER to PEM
 openssl x509 -in input.cer -inform DER -out output.cer -outform PEM
Verified Against: Zimbra Collaboration Suite 5.x
Date Created: 1/16/2008
Article ID: https://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide
Date Modified: 2015-03-25


