Installing Certificates from the Master LDAP to a LDAP Replica

Revision as of 21:03, 5 October 2011 by Gayle (talk | contribs)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 7.0 Article ZCS 7.0

If you install new certificates on the LDAP master, and those certificates use a new Certificate Authority (CA) certificate, that CA certificate must be manually installed on LDAP replicas. You cannot use the zmprov command to download this certificate from the LDAP master because the LDAP replica will not yet have a copy of the new CA certificate against which to validate the master's new certificates.

To install the CA certificate on the LDAP Replica, use the UNIX scp command to securely transfer the CA certificate between the servers

All steps are run as the zimbra user.

  1. Copy the ca certificate, ca.pem on the LDAP Master to the directory /tmp/. To do this type $ sudo cp /opt/zimbra/ssl/zimbra/ca/ca.pem /tmp/
  2. Use scp to securely transfer the ca.pem certificate file from the LDAP master. On the LDAP Replica, type $ scp <ldap_master>/tmp/ca.pem /tmp/
  3. Import the ca.pem file in the /tmp/ directory into the LDAP Replica's keystore, type $ sudo /opt/zimbra/bin/zmcertmgr addcacert /tmp/ca.pem

To complete the installation, on the LDAP replica, complete the following steps.

  1. cp /tmp/ca.pem /opt/zimbra/conf/ca/master_ca.pem
  2. cd /opt/zimbra/conf/ca
  3. ln -f -s master_ca.pem
/opt/zimbra/conf/ca/`/opt/zimbra/openssl/bin/openssl x509 -hash -noout -in
/opt/zimbra/conf/ca/master_ca.pem`.0

This creates a new CA master_ca.pem with its own x509 hash that the LDAP replica can use to validate against the LDAP master, while still being able to present its own CA for ldapsearch and other non-java utilities talking to this server.

Jump to: navigation, search