5.x Commercial Certificates Guide
General Overview
Installing a commercial certificate in ZCS version 5.0.0_GA and above is a straightforward process. The following is an overview of the steps you will take to install a commercial certificate.
- Generate a CSR via the Administration Console>Certificates or via the zmcertmgr command line utility.
- Receive the signed certificate.
- Receive the chain_certificates (if applicable).
- Install the certificate.
TOOLS
Administration Console>Certificates
This is the preferred method for installing commercial certificates. You simply start the Wizard and upload all the cert files and restart the Zimbra Services.
At the moment (8/26/08), according to Zimbra support, the web interface only supports having "one csr/private key at a time. Generating a new csr overrides the existing one and generates a new private key. If you want to generate more than one csr:
- you simply generate the first one which is downloaded to /opt/zimbra/ssl/zimbra/commercial directory (commercial.csr and commercial.key)
- move both files aside
- generate the second csr which would download to the same location above"
/opt/zimbra/bin/zmcertmgr
If the Administration Console>Certificates Wizard is not doing the job, we then resort to the command line.
Note: This tool must be run as root.
It requires the following:
- The private key must exist in /opt/zimbra/ssl/zimbra/commercial directory and must be named commercial.key with permission set to 740.
- The server certificate and the chain cert files must exist in a temp directory. E.g. /root/certs
- The server cert must be named commercial.crt.
- The chain cert files must be concatenated into one file called commercial_ca.crt.
- Verify that the cert and the key match using this command:
/opt/zimbra/bin/zmcertmgr verifycrt comm /path/to/privatekey /path/to/commercial.crt /path/to/commercial_ca.crt
- From the temp directory, deploy the cert and restart the zimbra services.
(a) sudo zmcertmgr deploycrt comm /path/to/commercial.crt /path/to/commercial_ca.crt
(b) zmcontrol stop ; zmcontrol start
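The checks above (key matches cert, chain files concatenated into one commercial_ca.crt, key permissions) can be rehearsed with plain openssl before anything is handed to zmcertmgr. The script below is an added example written for this guide; it is not part of the Zimbra page or of zmcertmgr. The default directory and file names are taken from the page's layout, the function names are this example's own, and it assumes openssl is on the PATH and that the private key has had its passphrase cleared (see the Misc section).

```shell
#!/bin/sh
# Added example, not Zimbra's own code: pre-flight checks for a commercial
# certificate before running zmcertmgr deploycrt. Assumes openssl is installed
# and commercial.key is unencrypted, as zmcertmgr itself requires.
set -u

# Concatenate the individual chain files into one commercial_ca.crt
# (intermediates first, root last), making sure each PEM block is followed
# by a newline so the next "-----BEGIN CERTIFICATE-----" starts on its own line.
concat_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        [ -n "$(tail -c1 "$f")" ] && echo >> "$out"
    done
    echo "$out"
}

# Private key and certificate belong together when the public key embedded
# in the certificate is byte-for-byte the public half of the key. Comparing
# SHA-256 hashes of the DER-encoded public keys is the same test
# "zmcertmgr verifycrt" performs, done here with openssl only.
key_matches_cert() {
    key="$1"; crt="$2"
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Confirm the concatenated chain actually signs the server certificate.
# The chain file must end with the self-signed root (or the root must be in
# the system trust store) for openssl to build a complete path.
chain_verifies() {
    crt="$1"; chain="$2"
    openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1
}

# The guide requires commercial.key to be mode 740; report whether it is.
# GNU stat uses -c, BSD/macOS stat uses -f.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "740" ]
}

# Run all checks against a directory laid out as the guide describes.
preflight() {
    dir="${1:-/opt/zimbra/ssl/zimbra/commercial}"   # assumption: page's default path
    key="$dir/commercial.key"
    crt="$dir/commercial.crt"
    chain="$dir/commercial_ca.crt"
    key_matches_cert "$key" "$crt" || { echo "FAIL: $key does not match $crt"; return 1; }
    chain_verifies "$crt" "$chain" || { echo "FAIL: $chain does not verify $crt"; return 1; }
    key_mode_ok "$key" || echo "WARN: $key is not mode 740"
    echo "OK: ready for: zmcertmgr deploycrt comm $crt $chain"
}

# Only run when invoked as: sh preflight.sh check [directory]
case "${1:-}" in
    check) preflight "${2:-}" ;;
esac
```

Running `sh preflight.sh check` against the default directory prints either a single FAIL line naming the first mismatch or an OK line with the exact deploycrt command to run next; the key/cert comparison fails fast, which is the case zmcertmgr's own verifycrt exists to catch.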
Certificate Upgrade Issues
If you are upgrading from 4.5.x to 5.0.x and the cert failed to upgrade successfully, you need to re-install the cert. You will need these pieces:
- The private key. This can be extracted from the Tomcat keystore. Zimbra Support can help with this process if you send the Tomcat keystore.
- The server certificate
- The chain cert files
With these pieces in hand, we can use the zmcertmgr to install the certificate as explained in #Importing commercial certificates from other mail systems to Zimbra 5.x.
Check to make sure that only the jetty alias exists in the keystore.
keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
Delete the tomcat alias, if exists, with the following command.
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
Importing commercial certificates from other mail systems to Zimbra 5.x
The steps are the same as the ones under #/opt/zimbra/bin/zmcertmgr.
Thawte SSL Certificate (SSL123 format)
1. Generate the CSR from admin console and get it signed by Thawte in .pem format. Save the cert in /opt/zimbra/ssl/zimbra/commercial and rename it to commercial.crt . This directory should also contain commercial.key, which was generated at the time of CSR creation.
2. Download ThawteServerCA_b64.txt and save it at /opt/zimbra/ssl/zimbra/commercial
3. Run following commands as root:
cd /opt/zimbra/ssl/zimbra/commercial/
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt ThawteServerCA_b64.txt
If the output of the above command looks good, proceed to install the certificate.
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ThawteServerCA_b64.txt
4. Restart the Zimbra services.
su - zimbra
zmcontrol stop
zmcontrol start
5. Verify that the Web interface is loading correctly with the new certificate.
Troubleshooting
For troubleshooting certificate issues, see Category:Troubleshooting Certificates.
Misc
- Inspect your CSR
openssl req -in <server.csr> -noout -text
- Inspect your certificate
openssl x509 -in <server.crt> -noout -text
- Clear the passphrase of the private key
openssl rsa -in <server.key> -out <server.key.decr>
- Get Jetty keystore password
zmlocalconfig -s -m nokey mailboxd_keystore_password
- Create a CSR via the CLI
sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
- View deployed certificate via the command line
sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- Convert the cert format from DER to PEM
openssl x509 -in input.cer -inform DER -out output.cer -outform PEM