Difference between revisions of "Administration Console and CLI Certificate Tools"

(Adding examples)
(Adding image and formatting table headers)
Line 6: Line 6:
 
The ZCS Certificates tools are located in the Navigation pane, under '''Tools>Certificates'''. Once you have selected '''Certificates''' from this menu, the Manage Certificates tab opens in the Content pane. From here, you can view your deployed certificates or install a new certificate.
 
The ZCS Certificates tools are located in the Navigation pane, under '''Tools>Certificates'''. Once you have selected '''Certificates''' from this menu, the Manage Certificates tab opens in the Content pane. From here, you can view your deployed certificates or install a new certificate.
  
[[img]]
+
[[image:AdminConsoleManageCerts.png]]
  
 
==Viewing Certificates==
 
==Viewing Certificates==
Line 33: Line 33:
 
====Description====
 
====Description====
 
{|style="width:100%" border="1" cellpadding="5" cellspacing="0"
 
{|style="width:100%" border="1" cellpadding="5" cellspacing="0"
! align="left" |Name
+
! align="left" bgcolor="tan" |Name
! align="left" |Description
+
! align="left" bgcolor="tan"|Description
 
|-
 
|-
! colspan="2" align="left" |General Options
+
! colspan="2" align="left" bgcolor="wheat" |General Options
 
|-
 
|-
|<nowiki>-help</nowiki>
+
|style="background=white" |<nowiki>-help</nowiki>
 
|Displays usage options for '''zmcertmgr'''
 
|Displays usage options for '''zmcertmgr'''
 
|-
 
|-
! colspan="2" align="left" |Self-Signed Certificate Options
+
! colspan="2" align="left" bgcolor="wheat" |Self-Signed Certificate Options
 
|-
 
|-
 
|createca [-new]
 
|createca [-new]
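Review bot: the new -help cell uses style="background=white", which is not valid CSS because a declaration separates property and value with a colon, so the attribute will have no effect. Write it as style="background:white", or use bgcolor="white" to match the header cells changed in this same hunk. If the cell is meant to keep the default background, the attribute can simply be dropped.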
Line 58: Line 58:
 
|Deploys a self-signed certificate.
 
|Deploys a self-signed certificate.
 
|-
 
|-
! colspan="2" align="left" |Self-Signed and Commercial Certificate Options
+
! colspan="2" align="left" bgcolor="wheat" |Self-Signed and Commercial Certificate Options
 
|-
 
|-
 
|deploycrt <comm> [certfile] [ca_chain_file]
 
|deploycrt <comm> [certfile] [ca_chain_file]

Revision as of 20:41, 12 September 2008


ZCS allows administrators to manage their certificates using either the Administration Console or the Command Line Interface (CLI). This article discusses the ZCS 5.0.x Administration Console, and the CLI tools for ZCS 5.0.x and 4.5.x.

ZCS Administration Console Certificates Tools

The ZCS Certificates tools are located in the Navigation pane, under Tools>Certificates. Once you have selected Certificates from this menu, the Manage Certificates tab opens in the Content pane. From here, you can view your deployed certificates or install a new certificate.

AdminConsoleManageCerts.png

Viewing Certificates

Using the Administration Console, you can view the details of certificates currently deployed. Details include the certificate subject, issuer, validation days, and subject alternative name.

To view a certificate, select a service host name, either under Certificates in the Navigation pane or by selecting a Service host name in the Manage Certificates tab and clicking View Certificate. A Certificates tab for the service host name you selected opens in the Content Pane.

You can refresh the currently displayed details by clicking Refresh at the top of the tab.

Installing Certificates

Clicking Install Certificate from either the Manage Certificates tab or a Certificates tab opens the Certificate Installation Wizard. The Certificate Installation Wizard is a tool that will help you quickly create and deploy a certificate.


ZCS Certificate CLI

The ZCS Certificate CLI commands differ between 5.0.x and 4.5.x. The following sections discuss the CLI tools for each version.

ZCS 5.0.x

zmcertmgr

This command allows you to manage certificates.

Syntax

zmcertmgr [options]

Description

General Options

 -help
Displays usage options for zmcertmgr.

Self-Signed Certificate Options

 createca [-new]
Generates a Certificate Authority (CA). The -new option forces the generation of a new CA.

 deployca
Deploys a CA.

 createcsr <self|comm> [-new] [-subject subject] [-subjectAltNames "host1,host2"]
Creates a certificate signing request (CSR) for either a self or commercially signed certificate authority. The -new option forces the generation of a new CSR. The -subject option allows you to specify the path in which the certificate is valid. The -subjectAltNames option allows you to specify additional hosts that may use the certificate other than the one listed in the subject. The default subject is "C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}".

 createcrt [-new] [-days validation days] [-subject subject] [-subjectAltNames "host1,host2"]
Creates a self-signed certificate based on the CSR generated using createcsr. The -new option forces the generation of a new certificate. The -days option assigns a number of days for which the certificate is valid. The -subject option allows you to specify the path in which the certificate is valid. The -subjectAltNames option allows you to specify additional hosts that may use the certificate other than the one listed in the subject. The default subject is "C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}".

 deploycrt <self>
Deploys a self-signed certificate.

Self-Signed and Commercial Certificate Options

 deploycrt <comm> [certfile] [ca_chain_file]
Deploys a commercial certificate. Specify the certificate file and the certificate authority (CA) chain file.

 savecrt
Saves a certificate.

 viewcsr <self|comm> [csr_file]
Shows a certificate signing request (CSR). Specify self if the CSR is self-signed. Specify comm if the certificate is commercial. Specify the CSR file to view.

 viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
Shows a deployed certificate. This option only works for the local server.

 viewstagedcrt <self|comm> [certfile]
Shows a staged certificate. A staged certificate is placed in a staging file, where all files that will be deployed with the certificate are kept. You can use the staging area to verify that you are ready to deploy a certificate. Specify self if the certificate is self-signed. Specify comm if the certificate is commercial. Specify the certificate file to view.

 verifycrt <self|comm> [priv_key] [certfile]
Verifies a certificate. Specify self if the certificate is self-signed. Specify comm if the certificate is commercial. Specify the certificate key. Specify the certificate file.

 verifycrtchain <ca_file> <certfile>
Verifies a certificate chain. Specify self if the certificate is self-signed. Specify comm if the certificate is commercial. Specify the certificate key. Specify the certificate file.

Examples

The following are examples of using the above options for different installation scenarios.

Single-Node Self-Signed Certificate

1. Begin by generating a new Certificate Authority (CA).

 zmcertmgr createca -new

2. Then generate a certificate signed by the CA that expires in 365 days.

 zmcertmgr createcrt -new -days 365

3. Next deploy the certificate.

 zmcertmgr deploycrt self

4. To finish, verify the certificate was deployed to all the services.

 zmcertmgr viewdeployedcrt

Multi-Node Self-Signed Certificate

1. Begin by generating a new Certificate Authority (CA).

 zmcertmgr createca -new

2. Then generate a certificate signed by the CA that expires in 365 days with either wild-card or subject altnames.

 zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=CA/L=NVA/O=ZCS/OU=ZCS/CN=*.domain.tld"
 zmcertmgr createcrt -new -days 365 -subjectAltNames "host1.domain.tld,host2.domain.tld"

3. Next, deploy the certificate to all nodes in the deployment.

 zmcertmgr deploycrt self -allservers

4. To finish, verify the certificate was deployed.

 zmcertmgr viewdeployedcrt

Note: The option viewdeployedcrt only works for the local server.

Single-Node Commercial Certificate

1. Begin by generating a Certificate Signing Request (CSR).

 /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Yahoo/OU=Zimbra Collaboration Suite" -subjectAltNames host.example.com

2. Next, submit the CSR to the SSL provider and get a commercial certificate in PEM format. Save the new certificate to a temporary file (e.g. /tmp/commercial.crt).

3. Now, download and save the root Certificate Authority (CA) from your provider to a temporary file (e.g. /tmp/ca.crt).

4. Download any intermediary CAs from your provider to a temporary file (e.g. /tmp/ca_intermediary.crt).

5. Combine root and intermediary CAs into a temporary file.

 cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt

6. Verify your commercial certificate.

 /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt
 **Verifying /tmp/commercial.crt against
 /opt/zimbra/ssl/zimbra/commercial/commercial.key
 Certificate (/tmp/commercial.crt) and private key
 (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
 Valid Certificate: /tmp/commercial.crt: OK

7. Deploy your commercial certificate.

 /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
 ** Verifying /tmp/commercial.crt against
 /opt/zimbra/ssl/zimbra/commercial/commercial.key
 Certificate (/tmp/commercial.crt) and private key
 (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
 Valid Certificate: /tmp/commercial.crt: OK
 **Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 **Appending ca chain /tmp/ca_chain.crt to
 /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 **Saving server config key zimbraSSLCertificate…done.
 **Saving server config key zimbraSSLPrivateKey…done.
 **Installing mta certificate and key…done.
 **Installing slapd certificate and key…done.
 **Installing proxy certificate and key…done.
 **Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
 **Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.
 **Installing CA to /opt/zimbra/conf/ca…done.

8. To finish, verify the certificate was deployed.

 zmcertmgr viewdeployedcrt
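
The checks behind steps 5 to 7 can also be run by hand with the openssl command before anything is deployed. The script below is an added example, not part of the original article or of zmcertmgr; the function name precheck_cert, its return codes and the 30-day expiry threshold are assumptions made for illustration, and it assumes an openssl CLI of version 1.1.0 or later.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a commercial certificate.
# Usage: precheck_cert <priv_key> <certfile> <ca_chain_file> [min_days]
# Returns: 0 = all checks passed
#          1 = certificate does not belong to the private key
#          2 = certificate does not verify against the CA chain file
#          3 = certificate expires within min_days (default 30, an assumption)
precheck_cert() {
    key=$1 cert=$2 chain=$3 min_days=${4:-30}

    # 1. The public key derived from the private key must be identical
    #    to the public key embedded in the certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ] || return 1

    # 2. The certificate must chain to a CA in the combined root and
    #    intermediary file built with cat in step 5.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 2

    # 3. The certificate must still be valid min_days from now, so a
    #    nearly expired file is not pushed to every service.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 3

    return 0
}

# When run with arguments, perform the checks and exit with the result.
if [ "$#" -ge 3 ]; then
    precheck_cert "$@"
    exit $?
fi
```

With the paths used in the steps above, the call would be precheck_cert /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt.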

ZCS 4.5.x

In ZCS 4.5.x, the task of creating a Certificate Authority, creating a self-signed certificate, and then installing the certificate is handled by three CLI commands. When you are installing a certificate, remember to stop Tomcat before running zmcertinstall, and to restart Tomcat once the certificate has been installed.

zmcreateca

This command creates a Certificate Authority (CA).

Syntax

zmcreateca

zmcreatecert

This command creates a new self-signed certificate.

Syntax

zmcreatecert

zmcertinstall

This command installs a certificate.

Note: Stop Tomcat before you install the certificate. Once the certificate is installed, restart Tomcat.

Syntax

zmcertinstall


Verified Against: ZCS 4.5.x & 5.0.x Date Created: 9/10/2008
Article ID: https://wiki.zimbra.com/index.php?title=Administration_Console_and_CLI_Certificate_Tools Date Modified: 2008-09-12


