Administration Console and CLI Certificate Tools
ZCS allows administrators to manage their certificates using either the Administration Console or the Command Line Interface (CLI). This article discusses the ZCS 5.0.x Administration Console, and the CLI tools for ZCS 5.0.x and 4.5.x.
ZCS Administration Console Certificates Tools
The ZCS Certificates tools are located in the Navigation pane, under Tools>Certificates. Once you have selected Certificates from this menu, the Manage Certificates tab opens in the Content pane. From here, you can view your deployed certificates or install a new certificate.
Viewing Certificates
Using the Administration Console, you can view the details of certificates currently deployed. Details include the certificate subject, issuer, validation days, and subject alternative name.
To view a certificate, select a service host name, either under Certificates in the Navigation pane or by selecting a Service host name in the Manage Certificates tab and clicking View Certificate. A Certificates tab for the service host name you selected opens in the Content Pane.
You can refresh the currently displayed details by clicking Refresh at the top of the tab.
Installing Certificates
Clicking Install Certificate from either the Manage Certificates tab or a Certificates tab opens the Certificate Installation Wizard. The Certificate Installation Wizard is a tool that will help you quickly create and deploy a certificate.
ZCS Certificate CLI
The ZCS Certificate CLI commands differ between 5.0.x and 4.5.x. The following sections discuss the CLI tools for each version.
ZCS 5.0.x
zmcertmgr
This command allows you to manage certificates.
Syntax
zmcertmgr [options]
Description
Name | Description |
---|---|
General Options | |
-help | Displays usage options for zmcertmgr |
Self-Signed Certificate Options | |
createca [-new] | Generates a Certificate Authority (CA). The -new option forces the generation of a new CA. |
deployca | Deploys a CA. |
createcsr <self|comm> [-new] [-subject subject] [-subjectAltNames "host1,host2"] | Creates a certificate signing request (CSR) for either a self or commercially signed certificate authority. The -new option forces the generation of a new CSR. The -subject option allows you to specify the path in which the certificate is valid. The -subjectAltNames option allows you to specify additional hosts that may use the certificate other than the one listed in the subject. The default subject is "C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}". |
createcrt [-new] [-days validation days] [-subject subject] [-subjectAltNames "host1,host2"] | Creates a self-signed certificate based on the CSR generated using createcsr. The -new option forces the generation of a new certificate. The -days option assigns a number of days for which the certificate is valid. The -subject option allows you to specify the path in which the certificate is valid. The -subjectAltNames allows you to specify additional hosts that may use the certificate other than the one listed in the subject. The default subject is "C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}". |
deploycrt <self> | Deploys a self-signed certificate. |
Self-Signed and Commercial Certificate Options | |
deploycrt <comm> [certfile] [ca_chain_file] | |
savecrt | |
viewcsr <self|comm> [csr_file] | |
viewdeployedcrt [all|ldap|mta|proxy|mailboxd] | |
viewstagedcrt <self|comm> [certfile] | |
verifycrt <self|comm> [priv_key] [certfile] | |
verifycrtchain <ca_file> <certfile> |
Examples
ZCS 4.5.x
In ZCS 4.5.x, the task of creating a Certificate Authority, creating a self-signed certificate, and then installing the certificate is handled by three CLI commands. When you are installing a certificate, remember to stop Tomcat before running zmcertinstall, and to restart Tomcat once the certificate has been installed.
zmcreateca
This command creates a Certificate Authority (CA).
Syntax
zmcreateca
zmcreatecert
This command creates a new self-signed certificate.
Syntax
zmcreatecert
zmcertinstall
This command installs a certificate.
Note: Stop Tomcat before you install the certificate. Once the certificate is installed, restart Tomcat.
Syntax
zmcertinstall