Installing Certificates from the Master LDAP to a LDAP Replica
If you install new certificates on the LDAP master, and those certificates use a new Certificate Authority (CA) certificate, that CA certificate must be manually installed on LDAP replicas. You cannot use the zmprov command to download this cert from the LDAP master because the LDAP replica will not yet have a copy of the new CA certificate against which to validate the master's new certificates.
To install the CA certificate on the LDAP Replica, use the UNIX scp command to securely transfer the CA certificate between the servers
All steps are run as the zimbra user.
- Copy the ca certificate, ca.pem on the LDAP Master to the directory /tmp/. To do this type
$ sudo cp /opt/zimbra/ssl/zimbra/ca/ca.pem /tmp/
- Use scp to securely transfer the ca.pem certificate file from the LDAP master. On the LDAP Replica, type
$ scp <ldap_master>/tmp/ca.pem /tmp/
- Import the ca.pem file in the /tmp/ directory into the LDAP Replica's keystore, type
$ sudo /opt/zimbra/bin/zmcertmgr addcacert /tmp/ca.pem
To complete the installation, on the LDAP replica, complete the following steps. Type
#cp /tmp/ca.pem /opt/zimbra/conf/ca/master_ca.pem
#ln -f -s master_ca.pem /opt/zimbra/conf/ca/`/opt/zimbra/openssl/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/master_ca.pem`.0
This will create a new CA master_ca.pem with its own x509 hash that the LDAP replica can use to validate against the LDAP master, while still being able to present its own CA for ldapsearch and other non-java utilities talking to this server.