Difference between revisions of "Installing Certificates from the Master LDAP to a LDAP Replica"

Line 1: Line 1:
If you install new certificates on the LDAP master, and those certificates use a new Certificate Authority (CA) certificate, that CA certificate must be manually installed on LDAP replicas.  You cannot use the zmprov command to download this cert from the LDAP master because the LDAP replica will not yet have a copy of the new CA certificate against which to validate the master's new certificates.
+
If you install new certificates on the LDAP master, and those certificates use a new Certificate Authority (CA) certificate, that CA certificate must be manually installed on LDAP replicas.  You cannot use the '''zmprov''' command to download this certificate from the LDAP master because the LDAP replica will not yet have a copy of the new CA certificate against which to validate the master's new certificates.
  
 
To install the CA certificate on the LDAP Replica, use the UNIX '''scp''' command to securely transfer the CA certificate between the servers
 
To install the CA certificate on the LDAP Replica, use the UNIX '''scp''' command to securely transfer the CA certificate between the servers
  
 
All steps are run as the '''zimbra''' user.
 
All steps are run as the '''zimbra''' user.
 
+
# Copy the ca certificate, ca.pem on the LDAP Master to the directory /tmp/. To do this type '''$ sudo cp /opt/zimbra/ssl/zimbra/ca/ca.pem  /tmp/'''
# Copy the ca certificate, ca.pem on the LDAP Master to the directory /tmp/. To do this type
+
# Use scp to securely transfer the ca.pem certificate file from the LDAP master. On the LDAP Replica, type '''$ scp <ldap_master>/tmp/ca.pem  /tmp/'''
'''$ sudo cp /opt/zimbra/ssl/zimbra/ca/ca.pem  /tmp/'''
+
# Import the ca.pem file in the /tmp/ directory into the LDAP Replica's keystore, type '''$ sudo /opt/zimbra/bin/zmcertmgr addcacert /tmp/ca.pem'''
 
+
To complete the installation, on the LDAP replica, complete the following steps.   
# Use scp to securely transfer the ca.pem certificate file from the LDAP master. On the LDAP Replica, type
+
# '''cp /tmp/ca.pem /opt/zimbra/conf/ca/master_ca.pem'''
'''$ scp <ldap_master>/tmp/ca.pem  /tmp/'''
+
# '''cd /opt/zimbra/conf/ca'''
 
+
# '''ln -f -s master_ca.pem'''
# Import the ca.pem file in the /tmp/ directory into the LDAP Replica's keystore, type
+
:'''/opt/zimbra/conf/ca/`/opt/zimbra/openssl/bin/openssl x509 -hash -noout -in'''
'''$ sudo /opt/zimbra/bin/zmcertmgr addcacert /tmp/ca.pem'''
+
:'''/opt/zimbra/conf/ca/master_ca.pem`.0'''
 
 
To complete the installation, on the LDAP replica, complete the following steps.  Type
 
 
 
'''# cp /tmp/ca.pem /opt/zimbra/conf/ca/master_ca.pem'''
 
 
 
'''# cd /opt/zimbra/conf/ca'''
 
 
 
'''# ln -f -s master_ca.pem'''
 
'''/opt/zimbra/conf/ca/`/opt/zimbra/openssl/bin/openssl x509 -hash -noout -in'''
 
'''/opt/zimbra/conf/ca/master_ca.pem`.0'''
 
  
 
This creates a new CA '''master_ca.pem''' with its own x509 hash that the LDAP replica can use to validate against the LDAP master, while still being able to present its own CA for ldapsearch and other non-java utilities talking to this server.
 
This creates a new CA '''master_ca.pem''' with its own x509 hash that the LDAP replica can use to validate against the LDAP master, while still being able to present its own CA for ldapsearch and other non-java utilities talking to this server.

Revision as of 20:56, 5 October 2011

If you install new certificates on the LDAP master, and those certificates use a new Certificate Authority (CA) certificate, that CA certificate must be manually installed on LDAP replicas. You cannot use the zmprov command to download this certificate from the LDAP master because the LDAP replica will not yet have a copy of the new CA certificate against which to validate the master's new certificates.

To install the CA certificate on the LDAP Replica, use the UNIX scp command to securely transfer the CA certificate between the servers

All steps are run as the zimbra user.

  1. Copy the ca certificate, ca.pem on the LDAP Master to the directory /tmp/. To do this type $ sudo cp /opt/zimbra/ssl/zimbra/ca/ca.pem /tmp/
  2. Use scp to securely transfer the ca.pem certificate file from the LDAP master. On the LDAP Replica, type $ scp <ldap_master>/tmp/ca.pem /tmp/
  3. Import the ca.pem file in the /tmp/ directory into the LDAP Replica's keystore, type $ sudo /opt/zimbra/bin/zmcertmgr addcacert /tmp/ca.pem

To complete the installation, on the LDAP replica, complete the following steps.

  1. cp /tmp/ca.pem /opt/zimbra/conf/ca/master_ca.pem
  2. cd /opt/zimbra/conf/ca
  3. ln -f -s master_ca.pem
/opt/zimbra/conf/ca/`/opt/zimbra/openssl/bin/openssl x509 -hash -noout -in
/opt/zimbra/conf/ca/master_ca.pem`.0

This creates a new CA master_ca.pem with its own x509 hash that the LDAP replica can use to validate against the LDAP master, while still being able to present its own CA for ldapsearch and other non-java utilities talking to this server.

Jump to: navigation, search