Difference between revisions of "5.x Commercial Certificates Guide"

Line 18: Line 18:
 
   (2) the server certificate
 
   (2) the server certificate
 
   (3) the chain cert files
 
   (3) the chain cert files
   (4) with these pieces in hand, we can use the zmcertmgr to install the certificate as explained in section (b) of TOOLS.
+
   (4) with these pieces in hand, we can use the zmcertmgr to install the certificate as explained in [[Importing commercial certificates from other mail systems to Zimbra 5.x]]section.
  
 
  Check to make sure that only the jetty alias exists in the keystore
 
  Check to make sure that only the jetty alias exists in the keystore
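Review bot: In the rewritten step (4), the closing "]]" of the new link runs straight into "section." with no space, so the rendered step reads "...to Zimbra 5.xsection"; add a space before "section" or drop the word. The link target is also the title of a heading further down this same page, so a same-page anchor link would be more reliable than a page-title link.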

Revision as of 17:19, 3 May 2008

I) General Overview

Installing a commercial certificate in ZCS version 5.0.0_GA and above is a straightforward process once we have all the required pieces:

 (a) Generate a CSR via the admin console > Certificates or via the zmcertmgr command-line utility.
 (b) Receive the signed certificate.
 (c) Receive the chain certificates (if applicable).
 (d) Install the certificate.

Since the 5.x release, our field experience shows that certificate problems come from one of the following:

 (1) Our upgrade script fails to upgrade the 4.5x certificate properly.
 (2) A missing piece of the puzzle, especially the chain certificates.
 (3) A private key and certificate mismatch, in most cases caused by generating the CSR more than once without submitting the latest CSR to the CA provider.
 (4) A bug in the code.

Certificate Upgrade issues

  If you are upgrading from 4.5x to 5.x and the cert failed to upgrade successfully, you need to re-install the cert. We need these pieces:
  (1) The private key. This can be extracted from the tomcat keystore, and we can help with this process if you send us the tomcat keystore.
  (2) The server certificate.
  (3) The chain cert files.
  (4) With these pieces in hand, we can use zmcertmgr to install the certificate as explained in the "Importing commercial certificates from other mail systems to Zimbra 5.x" section.

Check to make sure that only the jetty alias exists in the keystore:

 keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

Delete the tomcat alias, if it exists, with this command:

 keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

Importing commercial certificates from other mail systems to Zimbra 5.x

Here are the steps:

(1) Place your private key in /opt/zimbra/ssl/zimbra/commercial and name it commercial.key
(2) Make sure commercial.key permission is set to 700 and is owned by root:root
(3) Concatenate the rootCA and intermed cert files into a single file for use with zmcertmgr.
(4) Deploy the cert and restart the Zimbra services:

 (a) sudo zmcertmgr deploycrt comm <cert file> <ca_chain file>
 (b) zmcontrol stop ; zmcontrol start
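
A pre-flight check for two of the failure causes listed in the overview (key/certificate mismatch and a missing chain piece), to run before the deploy step above. This is an added example, not part of the original wiki page or of Zimbra's tooling; the function names are hypothetical and it relies only on standard openssl subcommands.

```sh
#!/bin/sh
# Added example (not Zimbra code): check the key, certificate and CA bundle
# before handing them to zmcertmgr. Function names are hypothetical.

# Public key (PEM SubjectPublicKeyInfo) derived from a private key file.
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key embedded in a certificate, in the same PEM form.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# 0 = key belongs to cert, 1 = mismatch (e.g. the CSR was regenerated after
# submission), 2 = one of the files could not be parsed.
key_matches_cert() {
    k=$(pubkey_of_key "$1") || return 2
    c=$(pubkey_of_cert "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 only when the cert chains to a root inside the concatenated bundle.
# A bundle missing an intermediate or the root fails here. OpenSSL may also
# consult its default CA directory; add -no-CApath (1.1.0+) to exclude it.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# preflight <key> <cert> <ca_chain>: prints one verdict, returns 0 on success.
preflight() {
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) ;;
        1) echo "MISMATCH: private key does not belong to certificate"; return 1 ;;
        *) echo "UNREADABLE: cannot parse key or certificate"; return 2 ;;
    esac
    if ! chain_verifies "$2" "$3"; then
        echo "CHAIN: certificate does not verify against bundle"; return 3
    fi
    echo "OK"
}

# Usage with the page's file names (from /opt/zimbra/ssl/zimbra/commercial):
#   preflight commercial.key commercial.crt commercial_ca.crt && \
#       /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
```
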

GoDaddy Certificate in 5.x

Assuming the following is correct:

  • This is a new certificate.
  • You generated the csr via the admin console
  • You sent the csr to get it signed and you received the following files:
    • gd_cross_intermediate.crt
    • gd_intermediate.crt
    • <server_name>.crt
    • gd_bundle.crt
    • (Root CA)
  • The /opt/zimbra/ssl/zimbra/commercial has two files:
    • commercial.key
    • commercial.crt

You can install the certificate by logging in to the admin console and uploading these files:

  • gd_cross_intermediate.crt
  • gd_intermediate.crt
  • <server_name>.crt
  • (Root CA)

Once you have uploaded the above files, restart Zimbra services.

Network Solutions Certificate

(1) Rename <server_name.crt> to commercial.crt and place it in /opt/zimbra/ssl/zimbra/commercial
(2) chmod 700 commercial.crt
(3) Concatenate the chain files into one file called commercial_ca.crt
   cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt > commercial_ca.crt
(4) cp commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial
   chmod 700 commercial_ca.crt
(5) Run a check against the cert files
 /opt/zimbra/bin/zmcertmgr verifycrt comm
(6) At this point, if the output looks promising, go ahead and deploy the cert
 /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
(7) Restart the Zimbra services
   su - zimbra
   zmcontrol stop
   zmcontrol start
(8) Verify that the web interface is loading correctly with the new certificate

Note: this assumes that you have the private key in /opt/zimbra/ssl/zimbra/commercial, named commercial.key, with the correct permissions.


Verified Against: Zimbra Collaboration Suite 5.x Date Created: 1/16/2008
Article ID: https://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide Date Modified: 2008-05-03


