5.x Commercial Certificates Guide
Installing a commercial certificates in zcs version 5.0.0_GA and above is a straight forward process once we have all the required pieces:
(a) generating a csr via the admin console>certificates or via the zmcertmgr command line utility. (b) receiving the signed certificate. (c) receiving the chain_certificates (if applicable). (d) install the certificate.
Since 5.x release, our field experience shows that certificate problems come from one of the following (1) Our upgrade script fails to upgrade the 4.5x certificate properly. (2) Missing a piece of the buzzle, especially the chain certificates. (3) Private key and certificate mismatch due, in most cases, to generating the csr more than one time without submitting the lastest csr to the CA provider. (4)A bug in the code.
Certificate Upgrade issues
If you are upgrading from 4.5x to 5x and the cert failed to upgrade successfully, you need to re-instal the cert. You will need these pieces: (1) the private key, this can be extracted from the tomcat keystore and we can help with this process if you send us the tomcat keystore. (2) the server certificate. (3) the chain cert files. (4) with these pieces in hand, we can use the zmcertmgr to install the certificate as explained in #Importing commercial certificates from other mail systems to Zimbra 5.x section.
Check to make sure that only the jetty alias exists in the keystore
keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
Delete the tomcat alias, if exists, with this command:
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
Importing commercial certificates from other mail systems to Zimbra 5.x
Here are the steps:
- the private key must exist in /opt/zimbra/ssl/zimbra/commercial directory and must be named commercial.key with permission set to 740. - the server certificate and the chain cert files must exist in a temp directory i.e. /root/certs. - the server cert must be named commercial.crt. - the chain cert files must be concatinated into one file called commercial_ca.crt. -verify that the cert and the key match using this command /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.crt commercial_ca.crt - from the temp directory, deploy the cert and restart the zimbra services: (a) sudo zmcertmgr deploycrt comm <cert file> <ca_chain file> (b) zmcontrol stop ; zmcontrol start
GoDaddy Certificate in 5.x
Assuming the following is correct:
- This is a new certificate.
- You generated the csr via the admin console
- You sent the csr to get it signed and you received the following files:
- The /opt/zimbra/ssl/zimbra/commercial has two files:
You can install the certificate by logging in to the admin console and uploading these files
Once you have uploaded the above files, restart Zimbra services.
Network Solutions Certificate
(1) rename this file <server_name.crt> commercial.crt and place it in the /opt/zimbra/ssl/zimbra/commercial (2) chmod 700 commercial.crt (3) concatenated the chain files into one file and called it commercial_ca.crt cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt > commercial_ca.crt (4) cp commrecial_ca.crt /opt/zimbra/ssl/zimbra/commercial chmod 700 commercial_ca.crt (5)run a check against the cert files /opt/zimbra/bin/zmcertmgr verifycrt comm (6) at this point and if the output looks promising, go ahead and deploy the cert /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt (7) and restarted the zimbra services su - zimbra zmcontrol stop zmcontrol start (8)verify that the web interface is loading correctly with the new certificate
Note, this assumes that you have the private key in /opt/zimbra/ssl/zimbra/commercial named as commercial.key with the correct permissions.
Ldap/Nginx won't start and asks for a password
That means zimbra can't read the key or the cert of the ldap/imapproxy service on startup. Here is what you can do:
(1)You want to check to make sure the private key is not encrypted. (2) Manually link the cert to the services OR simply redeploy the certificate to relink the cert to the services.
(a)cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/conf/sldapd.key (b)cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/conf/slapd.crt (c)cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/conf/nginx.key (d)cp /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/conf/ngix.crt (3) restart the zimbra services.
failed to create jetty.pkcs12
If you are seeing this error when you try to install the certificate via the admin console>certificates
Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: XXXXX ERROR: failed to create jetty.pkcs12
Check the following: (1)make sure the permissions of the /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/ directory is set to 644 zimbra:zimbra . (2)clear all the current aliases in the mailboxd keystore except for the jetty alias? keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password` (3) if you are running zcs version 5.0.5, comment out line #539 of the /opt/zimbra/bin/zmcertmgr utility before deploying the cert. This is bug [].
inspect your csr
openssl req -in <server.csr> -noout -text
inspect your certificate
openssl x509 -in <server.crt> -noout -text
clear the passphrase of the private key
openssl rsa -in <server.key> -out <server.key.decr>
Get jetty keystore password
zmlocalconfig -s -m nokey mailboxd_keystore_password