Difference between revisions of "Installing Certificates from the Master LDAP to a LDAP Replica"

Line 1: Line 1:
If you install new certificates on the LDAP master, and those certificates use a new Certificate Authority (CA) certificate, that CA certificate must be manually installed on LDAP replicas.  You cannot use the '''zmprov''' command to download this certificate from the LDAP master because the LDAP replica will not yet have a copy of the new CA certificate against which to validate the master's new certificates.
+
{{Article Infobox|{{admin}}|{{ZCS 7.0}}||}}If you install new certificates on the LDAP master, and those certificates use a new Certificate Authority (CA) certificate, that CA certificate must be manually installed on LDAP replicas.  You cannot use the '''zmprov''' command to download this certificate from the LDAP master because the LDAP replica will not yet have a copy of the new CA certificate against which to validate the master's new certificates.
  
 
To install the CA certificate on the LDAP Replica, use the UNIX '''scp''' command to securely transfer the CA certificate between the servers
 
To install the CA certificate on the LDAP Replica, use the UNIX '''scp''' command to securely transfer the CA certificate between the servers

Revision as of 21:03, 5 October 2011

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 7.0 Article ZCS 7.0

If you install new certificates on the LDAP master, and those certificates use a new Certificate Authority (CA) certificate, that CA certificate must be manually installed on LDAP replicas. You cannot use the zmprov command to download this certificate from the LDAP master because the LDAP replica will not yet have a copy of the new CA certificate against which to validate the master's new certificates.

To install the CA certificate on the LDAP Replica, use the UNIX scp command to securely transfer the CA certificate between the servers

All steps are run as the zimbra user.

  1. Copy the ca certificate, ca.pem on the LDAP Master to the directory /tmp/. To do this type $ sudo cp /opt/zimbra/ssl/zimbra/ca/ca.pem /tmp/
  2. Use scp to securely transfer the ca.pem certificate file from the LDAP master. On the LDAP Replica, type $ scp <ldap_master>/tmp/ca.pem /tmp/
  3. Import the ca.pem file in the /tmp/ directory into the LDAP Replica's keystore, type $ sudo /opt/zimbra/bin/zmcertmgr addcacert /tmp/ca.pem

To complete the installation, on the LDAP replica, complete the following steps.

  1. cp /tmp/ca.pem /opt/zimbra/conf/ca/master_ca.pem
  2. cd /opt/zimbra/conf/ca
  3. ln -f -s master_ca.pem
/opt/zimbra/conf/ca/`/opt/zimbra/openssl/bin/openssl x509 -hash -noout -in
/opt/zimbra/conf/ca/master_ca.pem`.0

This creates a new CA master_ca.pem with its own x509 hash that the LDAP replica can use to validate against the LDAP master, while still being able to present its own CA for ldapsearch and other non-java utilities talking to this server.

Jump to: navigation, search