5.x Commercial Certificates Guide: Difference between revisions

(125 intermediate revisions by 22 users not shown)
Line 1: Line 1:
=5.0.1_GA and later=
{{Archive}}
Obtain your commercial certificate from your provider.   
'''''Important:''' See [[Administration Console and CLI Certificate Tools]] before installing a third party certificate using an article listed below. Third party certificate articles are community contributions and may include unsupported steps.''  


'''''Note:''' You will also need the root CA and any intermediaries that the provider uses in PEM format.''
==Administration and CLI Tools==
Zimbra offers both Administration Console and Command Line Interface (CLI) tools for installing, viewing, and managing certificates.  For more information about these tools, see [[Administration Console and CLI Certificate Tools]].


Concatenate the root and intermediary files into a single file for use with '''zmcertmgr'''.
==Preexisting Certificates==
 
If you'd like to install a certificate whose CSR was made elsewhere (for instance, if you have a wildcard certificate for your domain), see here: [[Preexisting Certifcate Installation for Zimbra 6.0]]
  (a) sudo zmcertmgr deploycrt comm <cert file> <ca_chain file>
  (b) zmcontrol stop ; zmcontrol start


=5.0.0_GA=
==Third Party Certificate Articles==
The following third party certificates have their own Wiki articles with installation instructions.


#Copy the certificate file(s) to '''/opt/zimbra/ssl/zimbra/commercial/''' while naming it '''commercial.crt'''. If you have more than one cert file, please concatenate them into one file.
===StartSSL===
#Copy the private key to '''/opt/zimbra/ssl/zimbra/commercial/''' while naming it '''commercial.key'''.
See [[Installing a StartSSL SSL Certificate with zmcertmgr]].
#Copy '''/opt/zimbra/ssl/zimbra/commercial/commercial.crt''' to '''/opt/zimbra/jetty/webapps/zimbraAdmin/tmp/current.crt'''. '''current.crt''' should be owned by zimbra:zimbra.
#Run this command:
/opt/zimbra/bin/zmcertmgr install comm


=4.5x to 5.x failed cert=
===Comodo SSL===
See [[Installing a Comodo SSL Certificate with zmcertmgr]].


Check whether the tomcat alias still exist in the keystore. You can check with this command:
===DigiCert===
See [[Installing DigiCert commercial certificates]].


keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass  `zmlocalconfig -s -m nokey mailboxd_keystore_password`
===Gandi===
See [[Installing a Gandi Commercial Certificate on ZCS 5.0.x and 6.0.x]]


If the above command returns two aliases (tomcat and jetty), please delete the tomcat alias with this command:
===GeoTrust Certificate===
See [[Installing_a_GeoTrust_Commercial_Certificate]]


keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
===GlobalSign Certificate===
See [[Installing a GlobalSign Commercial Certificate]]


If there are any errors from the above command, please send it to support@zimbra.com.
===GoDaddy Certificate===
See [[Installing a GoDaddy Commercial Certificate on ZCS 5.0.x]].


=Importing commercial certificates from other mail systems to Zimbra 5.x=
===IPSCA Certificate===
See [[Installing_a_IPSCA_Commercial_Certificate]]


If we have all the necessary pieces, you should be able to bring your commercial cert to Zimbra.
===Network Solutions Certificate===
See [[Installing a Network Solutions Certificate on ZCS 5.0.x]].


You need the following:
===RapidSSL Certificate===
#The private key in a decrypted format
See [[Installing_a_RapidSSL_Commercial_Certificate]]
#All the cert files you received from the CA (intermediate and rootca)
#Make sure the Zimbra hostname is the same as the one on the cert


Here are the steps:
===Thawte SSL Certificate (SSL123 format)===
#Place your private key in '''/opt/zimbra/ssl/zimbra/commercial''' and name it '''commercial.key'''
See [[Installing a Thawte SSL Certificate on ZCS 5.0.x]].
#Make sure commercial.key permission is set to 700 and is owned by root:root
#Upload the certificate files via the admin console>certificates.
#Make sure to upload all the certificate files that you received from you CA (rootca,intermediate,...)


=GoDaddy Certificate in 5.x=
===Verisign===
Assuming the following is correct:
See [[Installing a Verisign Test Certificate on Zimbra Server]].
*This is a new certificate.
*You generated the csr via the admin console
*You sent the csr to get it signed and you received the following files:
**gd_cross_intermediate.crt,
**gd_intermediate.crt,
**<server_name>.crt.
**gd_bundle.crt
**(Root CA)
*The '''/opt/zimbra/ssl/zimbra/commercial''' has two files:
**commercial.key
**commercial.crt


You can install the certificate by logging in to the admin console and uploading these files:
See [[Installing a Verisign Secure Site Certificate]].
*gd_cross_intermediate.crt,
*gd_intermediate.crt,
*<server_name>.crt.
*(Root CA)


Once you have uploaded the above files, restart Zimbra services.
==Troubleshooting==
If you are experiencing issues installing, viewing, or managing your certificates, see the [[:Category:Troubleshooting Certificates]] category.


=install GoDaddy commercial certificate from the command line=
=Misc=
*Inspect your CSR
openssl req -in <server.csr> -noout -text


------------------------------------------------------
*Inspect your certificate
Step 1: Download GoDaddy bundle from their primary Repo
openssl x509 -in <server.crt> -noout -text


Step 2: Reverse the certificate chain, so that your the chain of trust goes from general to specific. (e.g. Root CA, Intermediate, Intermeidate_cross, your cert). Save this file as commercial.crt under /opt/zimbra/ssl/zimbra/commercial.
*Clear the passphrase of the private key
openssl rsa -in <server.key> -out <server.key.decr>


Step 3: Copy your private key (must be named commercial.key) to /opt/zimbra/ssl/zimbra/commercial
*Get Jetty keystore password
zmlocalconfig -s -m nokey mailboxd_keystore_password


Step 4: Copy files to other misc locations:
*Create a CSR via the CLI
sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]


  cp commercial.crt /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt
*View deployed certificate via the command line
  cp commercial.crt /opt/zimbra/jetty/webapps/zimbraAdmin/tmp/current.crt
  sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  cp commercial.crt /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_chain.crt


Step 5: Install the cert
* Convert the cert format from DER to PEM
  /opt/zimbra/bin/zmcertmgr install com
openssl x509 -in input.cer -inform DER -out output.cer -outform PEM


Ste 6: Restart Zimbra
{{FH}}
----------------------------------------------------------
This feedback was submitted by Dave Torre from San Mateo Regional Networks
Thanks Dave.
 
 
{{Article Footer|Zimbra Collaboration Suite 5.x|1/16/2008}}
 
[[Category: Certificates]]

Latest revision as of 04:06, 4 February 2022

Important: See Administration Console and CLI Certificate Tools before installing a third party certificate using an article listed below. Third party certificate articles are community contributions and may include unsupported steps.

Administration and CLI Tools

Zimbra offers both Administration Console and Command Line Interface (CLI) tools for installing, viewing, and managing certificates. For more information about these tools, see Administration Console and CLI Certificate Tools.

Preexisting Certificates

If you'd like to install a certificate whose CSR was made elsewhere (for instance, if you have a wildcard certificate for your domain), see here: Preexisting Certifcate Installation for Zimbra 6.0

Third Party Certificate Articles

The following third party certificates have their own Wiki articles with installation instructions.

StartSSL

See Installing a StartSSL SSL Certificate with zmcertmgr.

Comodo SSL

See Installing a Comodo SSL Certificate with zmcertmgr.

DigiCert

See Installing DigiCert commercial certificates.

Gandi

See Installing a Gandi Commercial Certificate on ZCS 5.0.x and 6.0.x

GeoTrust Certificate

See Installing_a_GeoTrust_Commercial_Certificate

GlobalSign Certificate

See Installing a GlobalSign Commercial Certificate

GoDaddy Certificate

See Installing a GoDaddy Commercial Certificate on ZCS 5.0.x.

IPSCA Certificate

See Installing_a_IPSCA_Commercial_Certificate

Network Solutions Certificate

See Installing a Network Solutions Certificate on ZCS 5.0.x.

RapidSSL Certificate

See Installing_a_RapidSSL_Commercial_Certificate

Thawte SSL Certificate (SSL123 format)

See Installing a Thawte SSL Certificate on ZCS 5.0.x.

Verisign

See Installing a Verisign Test Certificate on Zimbra Server.

See Installing a Verisign Secure Site Certificate.

Troubleshooting

If you are experiencing issues installing, viewing, or managing your certificates, see the Category:Troubleshooting Certificates category.

Misc

  • Inspect your CSR
      openssl req -in <server.csr> -noout -text
  • Inspect your certificate
      openssl x509 -in <server.crt> -noout -text
  • Clear the passphrase of the private key
      openssl rsa -in <server.key> -out <server.key.decr>
  • Get Jetty keystore password
      zmlocalconfig -s -m nokey mailboxd_keystore_password
  • Create a CSR via the CLI
      sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
  • View deployed certificate via the command line
      sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  • Convert the cert format from DER to PEM
      openssl x509 -in input.cer -inform DER -out output.cer -outform PEM
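
The inspection commands above can be extended into a pre-deployment check that the key is passphrase-free, that it belongs to the certificate, and that the key file is closed to group and others. This is an added example, not part of the original wiki page; the function names and the throwaway key, certificate and CN are constructed for illustration.

```shell
#!/bin/sh
# Pre-deployment checks for a certificate/key pair (added example).

# SHA-256 of the DER-encoded public key carried in a PEM certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key. The empty -passin
# makes an encrypted key fail here instead of prompting for a passphrase.
key_pubkey_digest() {
    openssl pkey -in "$1" -passin pass: -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when the key file loads without a passphrase.
key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# True when the private key belongs to the certificate.
key_matches_cert() {   # usage: key_matches_cert <cert.pem> <key.pem>
    key_is_unencrypted "$2" || return 1
    [ "$(cert_pubkey_digest "$1" 2>/dev/null)" = "$(key_pubkey_digest "$2")" ]
}

# True when group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed throwaway material for the demo: a self-signed certificate,
# its key, a passphrase-protected copy of the key, and an unrelated key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    openssl rsa -in "$1/server.key" -aes256 -passout pass:constructed \
        -out "$1/server.enc.key" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
key_matches_cert "$demo_dir/server.crt" "$demo_dir/server.key" && echo "server.key: matches certificate"
key_matches_cert "$demo_dir/server.crt" "$demo_dir/other.key" || echo "other.key: does not match"
key_is_unencrypted "$demo_dir/server.enc.key" || echo "server.enc.key: still passphrase-protected"
rm -rf "$demo_dir"
```

Comparing public-key digests works for any key type, unlike comparing RSA moduli.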


