Difference between revisions of "Installing DigiCert commercial certificates"

(File preparation)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Article Infobox|{{admin}}|{{ZCS 6.0}}|{{ZCS 5.0}}|}}
+
{{BC|Community Sandbox}}
 +
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 +
=Installing DigiCert Commercial Certificates=
 +
{{WIP}}
  
== Zimbra CSR ==                           
+
Obtain all the certificate files from Digicert and place them in a folder <code>/tmp/digicert</code> on your Zimbra server. Then create <code>commercial_ca.crt</code> as described below and verify and deploy:
  
To generate the certificate signature request (CSR) use the command (all commands in this wiki are run as ''root'' in an arbitrary work directory):
+
<pre>mkdir /tmp/digicert
 +
cd  /tmp/digicert
 +
wget https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem
 +
wget https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
 +
cat DigiCertTLSRSASHA2562020CA1-1.crt.pem &gt; commercial_ca.crt
 +
cat DigiCertGlobalRootCA.crt.pem &gt;&gt; commercial_ca.crt
  
<code>
+
cp example.com.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
    /opt/zimbra/bin/zmcertmgr createcsr comm -subject '/C=FR/ST=N\/A/L=N\/A/O=Your Company/OU=Your Department/CN=webmail.foo.com'
 
</code>                               
 
                                                                               
 
The CSR is stored in ''/opt/zimbra/ssl/zimbra/commercial/commercial.csr''.
 
       
 
The private key is in ''/opt/zimbra/ssl/zimbra/commercial/commercial.key''.
 
  
Use the flag "''-subjectAltNames host1,host2''" if you need to specify host aliases.
+
zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/digicert/example.com.crt /tmp/digicert/commercial_ca.crt
  
Verify your CSR with:
+
# should return OK
 +
zmcertmgr deploycrt comm /tmp/digicert/example.com.crt /tmp/digicert/commercial_ca.crt
  
<code>
+
# to load the changes:
    /opt/zimbra/openssl/bin/openssl req -noout -text -in /opt/zimbra/ssl/zimbra/commercial/commercial.csr
+
zmcontrol restart</pre>
</code>
 
 
 
 
 
== Certificates ==
 
 
 
Buy the certificate in http://www.digicert.com (create a customer
 
account if you don't have one already) and purchase the certificate.
 
Copy and paste the CSR file when requested. Take into account that certificates prices vary depending on the number of aliases you have in your CSR.
 
 
 
Fill the address (coherent with your domain owner address) and a valid e-mail contact.
 
 
 
After payment approval a validation e-mail is sent to the previous e-mail address and if all
 
the info is coherent the certificates are issued and sent to the same e-mail address in a ZIP file.
 
 
 
The ZIP file contains 4 certificates :
 
 
 
* a - The site certificate corresponding to the CSR (host_name_com.crt)
 
* b - DigiCert's CA certificate (DigiCertCA.crt)
 
* c - DigiCert's High Assurance CA (DigiCertCA2.crt)
 
* d - Trusted Root certificate (TrustedRoot.crt)
 
 
 
Verify that all files end with an end of line. If not sure add an empty line at the end of each file.
 
 
 
== File preparation ==
 
 
 
- Copy the server certificate to the file
 
 
 
<code>
 
    commercial.crt
 
</code>
 
 
 
- Concatenate Digicert's CA certificate, Digicert's High Assurance CA certificate and the "''Trusted Root''" certificate into a single file named commercial_ca.crt:
 
 
 
<code>
 
    cat DigiCertCA.crt DigiCertCA2.crt TrustedRoot.crt > commercial_ca.crt
 
</code>
 
 
 
- Validate the trust chain with the command:
 
<code>
 
    /opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt
 
</code>
 
 
 
it should say "''commercial.crt: OK''"
 
 
 
== Deploy certificates ==
 
 
 
Deploy the new certificates with:
 
<code>
 
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
 
</code>
 
 
 
then restart Zimbra.
 
 
 
{{Article Footer|unknown|6/16/2010}}
 
  
 
[[Category:Certificates]]
 
[[Category:Certificates]]
[[Category:ZCS 6.0]]
+
[[Category:ZCS 8.0]]
[[Category:ZCS 5.0]]
+
[[Category:ZCS 9.0]]

Latest revision as of 13:55, 28 March 2022

Installing DigiCert Commercial Certificates


Obtain all the certificate files from Digicert and place them in a folder /tmp/digicert on your Zimbra server. Then create commercial_ca.crt as described below and verify and deploy:

mkdir /tmp/digicert
cd  /tmp/digicert
wget https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem
wget https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
cat DigiCertTLSRSASHA2562020CA1-1.crt.pem > commercial_ca.crt
cat DigiCertGlobalRootCA.crt.pem >> commercial_ca.crt

cp example.com.key /opt/zimbra/ssl/zimbra/commercial/commercial.key

zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/digicert/example.com.crt /tmp/digicert/commercial_ca.crt

# should return OK
zmcertmgr deploycrt comm /tmp/digicert/example.com.crt /tmp/digicert/commercial_ca.crt

# to load the changes:
zmcontrol restart
Jump to: navigation, search