Installing DigiCert commercial certificates: Difference between revisions
Revision as of 09:45, 12 July 2015
Installing DigiCert Commercial Certificates
Zimbra CSR
To generate the certificate signing request (CSR), use the following command (all commands in this wiki are run as root in an arbitrary work directory):
/opt/zimbra/bin/zmcertmgr createcsr comm -subject '/C=FR/ST=N\/A/L=N\/A/O=Your Company/OU=Your Department/CN=webmail.foo.com'
The CSR is stored in /opt/zimbra/ssl/zimbra/commercial/commercial.csr.
The private key is in /opt/zimbra/ssl/zimbra/commercial/commercial.key.
Use the flag "-subjectAltNames host1,host2" if you need to specify host aliases.
Verify your CSR with:
/opt/zimbra/openssl/bin/openssl req -noout -text -in /opt/zimbra/ssl/zimbra/commercial/commercial.csr
Certificates
Purchase the certificate at http://www.digicert.com (create a customer account if you don't have one already). Copy and paste the contents of the CSR file when requested. Note that certificate prices vary depending on the number of aliases in your CSR.
Fill in the address (consistent with your domain owner address) and a valid contact e-mail address.
After payment approval, a validation e-mail is sent to that e-mail address. If all the information is consistent, the certificates are issued and sent to the same e-mail address in a ZIP file.
The ZIP file contains 4 certificates:
- a - The site certificate corresponding to the CSR (host_name_com.crt)
- b - DigiCert's CA certificate (DigiCertCA.crt)
- c - DigiCert's High Assurance CA (DigiCertCA2.crt)
- d - Trusted Root certificate (TrustedRoot.crt)
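Verify that every file ends with a newline. If unsure, add an empty line at the end of each file. Otherwise, concatenating the files in the next section can join the END line of one certificate to the BEGIN line of the next.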
File preparation
- Copy the server certificate to the file
commercial.crt
- Concatenate DigiCert's CA certificate, DigiCert's High Assurance CA certificate and the "Trusted Root" certificate into a single file named commercial_ca.crt:
cat DigiCertCA.crt DigiCertCA2.crt TrustedRoot.crt > commercial_ca.crt
- Note: When using the admin interface via the web, you must do the above step and use the resulting file as your "root" certificate. Uploading each certificate individually into the admin form will not work.
- Validate the trust chain with the command:
/opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt
It should print "commercial.crt: OK".
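The file preparation steps above can be scripted so that a missing trailing newline or a certificate issued for a different key is caught before deployment. The following is an added example, not part of the original wiki page: the function names are hypothetical, and the key check assumes the CSR was generated with an RSA key.

```shell
#!/bin/sh
# Added example (not from the wiki page). OPENSSL defaults to the
# Zimbra-bundled binary the page uses; override it to use another build.
OPENSSL="${OPENSSL:-/opt/zimbra/openssl/bin/openssl}"

# Succeeds if the file is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# build_bundle OUT IN...: concatenate PEM files into OUT, adding a newline
# after any input that lacks one, then confirm that no markers were fused.
build_bundle() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        cat "$f" >> "$out"
        ends_with_newline "$f" || printf '\n' >> "$out"
    done
    # Each marker must sit alone on its line (a trailing CR is tolerated).
    # A fused "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" line
    # matches neither pattern, so the counts come up short.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----[[:space:]]*$' "$out" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----[[:space:]]*$' "$out" || true)
    [ "$begins" -eq "$ends" ] && [ "$begins" -ge "$#" ]
}

# verify_deployable KEY CERT BUNDLE: the chain check from the page, plus a
# check that CERT carries the same modulus as the private key.
# Assumption: the key is RSA.
verify_deployable() {
    # Look for the "<file>: OK" line the page says to expect.
    "$OPENSSL" verify -CAfile "$3" "$2" | grep -q ': OK$' || return 1
    cert_mod=$("$OPENSSL" x509 -noout -modulus -in "$2") || return 1
    key_mod=$("$OPENSSL" rsa -noout -modulus -in "$1") || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage (as root, in the work directory):
#   build_bundle commercial_ca.crt DigiCertCA.crt DigiCertCA2.crt TrustedRoot.crt &&
#   verify_deployable /opt/zimbra/ssl/zimbra/commercial/commercial.key \
#       commercial.crt commercial_ca.crt && echo "ready to deploy"
```
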
Deploy certificates
Deploy the new certificates with:
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
then restart Zimbra.