Installing Certificates from the Master LDAP to a LDAP Replica



   KB 15279        Last updated on 2015-07-12  





If you install new certificates on the LDAP master, and those certificates are issued by a new Certificate Authority (CA) certificate, that CA certificate must be installed on each LDAP replica by hand. You cannot use the zmprov command to download it from the LDAP master: zmprov connects to the master over TLS, and the replica does not yet trust the new CA, so it cannot validate the master's new server certificate to fetch the CA it would need to do so.

To install the CA certificate on the LDAP replica, use the UNIX scp command to transfer the CA certificate between the servers. Copy only the CA certificate (ca.pem); the CA private key (ca.key) that sits beside it on the master must never leave the master. After the copy, confirm that the certificate fingerprint on the replica matches the one on the master before importing it.

As root:

1. Copy the CA certificate, ca.pem, on the LDAP master to the directory /tmp/. To do this, type

$ cp /opt/zimbra/ssl/zimbra/ca/ca.pem /tmp/

2. Use scp to securely transfer the ca.pem certificate file from the LDAP master. On the LDAP Replica, type

$ scp <ldap_master>:/tmp/ca.pem /tmp/

3. Import /tmp/ca.pem into the LDAP replica's keystore. Type

$ /opt/zimbra/bin/zmcertmgr addcacert /tmp/ca.pem

To complete the installation, run the following steps on the LDAP replica, still as root.

1. cp /tmp/ca.pem /opt/zimbra/conf/ca/master_ca.pem

2. cd /opt/zimbra/conf/ca

3. chown zimbra:zimbra master_ca.pem

4. ln -f -s master_ca.pem /opt/zimbra/conf/ca/`/opt/zimbra/openssl/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/master_ca.pem`.0

As the zimbra user, restart the services. Type zmcontrol restart

This places the master's CA certificate in the replica's CA directory as master_ca.pem, under the hashed filename (the X.509 subject hash plus the suffix .0) that OpenSSL-based clients use to look up CA certificates in a directory. The replica can therefore validate the LDAP master's certificate while still presenting its own CA (ca.pem) to ldapsearch and other non-Java utilities that connect to this server.

Verified Against: N/A Date Created: 10/5/2011
Article ID: https://wiki.zimbra.com/index.php?title=Installing_Certificates_from_the_Master_LDAP_to_a_LDAP_Replica Date Modified: 2015-07-12


