5.x Commercial Certificates Guide
Installing a commercial certificate in ZCS version 5.0.0_GA and above is a straightforward process. The following is an overview of the steps you will take to install a commercial certificate.
- Generate a CSR via the Administration Console>Certificates or via the zmcertmgr command line utility.
- Receive the signed certificate.
- Receive the chain_certificates (if applicable).
- Install the certificate.
This is the preferred method for installing commercial certificates. You simply start the Wizard and upload all the cert files and restart the Zimbra Services.
At the moment (8/26/08), according to Zimbra support, the web interface only supports having "one csr/private key at a time. Generating a new csr overrides the existing one and generates a new private key. If you want to generate more than one csr:
- you simply generate the first one which is downloaded to /opt/zimbra/ssl/zimbra/commercial directory (commercial.csr and commercial.key) - move both files aside - generate the second csr which would download to the same location above"
If the Administration Console>Certificates Wizard is not doing the job, we then resort to the command line.
Note: This tool must be run as root.
It requires the following:
- The private key must exist in /opt/zimbra/ssl/zimbra/commercial directory and must be named commercial.key with permission set to 740.
- The server certificate and the chain cert files must exist in a temp directory. E.g. /root/certs
- The server cert must be named commercial.crt.
- The chain cert files must be concatenated into one file called commercial_ca.crt.
- Verify that the cert and the key match using this command:
/opt/zimbra/bin/zmcertmgr verifycrt comm /path/to/privatekey /path/to/commercial.crt /path/to/commercial_ca.crt
- From the temp directory, deploy the cert and restart the zimbra services.
(a) sudo zmcertmgr deploycrt comm /path/to/commercial.crt /path/to/commercial_ca.crt (b) zmcontrol stop ; zmcontrol start
For troubleshooting certificate issues, see Category:Troubleshooting Certificates.
- Inspect your CSR
openssl req -in <server.csr> -noout -text
- Inspect your certificate
openssl x509 -in <server.crt> -noout -text
- Clear the passphrase of the private key
openssl rsa -in <server.key> -out <server.key.decr>
- Get Jetty keystore password
zmlocalconfig -s -m nokey mailboxd_keystore_password
- Create a CSR via the CLI
sudo /opt/zimbra/bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
- View deployed certificate via the command line
sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- Convert the cert format from DER to PEM
openssl x509 -in input.cer -inform DER -out output.cer -outform PEM