Difference between revisions of "Installing DigiCert commercial certificates"

(Certificates)
Line 33: Line 33:
 
the info is coherent the certificates are issued and sent to the same e-mail address in a ZIP file.
 
the info is coherent the certificates are issued and sent to the same e-mail address in a ZIP file.
  
The PEM file delivered by e-mail contains 3 certificates :
+
The ZIP file contains 4 certificates :
  
* a - The site certificate corresponding to the CSR
+
* a - The site certificate corresponding to the CSR (host_name_com.crt)
* b - DigiCert's CA certificate
+
* b - DigiCert's CA certificate (DigiCertCA.crt)
* c - DigiCert's High Assurance CA
+
* c - DigiCert's High Assurance CA (DigiCertCA2.crt)
 
+
* d - Trusted Root certificate (TrustedRoot.crt)
To complete the trust chain, a 4th certificate is needed, the "''Trusted Root''" CRT.
 
This one can be obtained from the customer's management interface by clicking
 
on the "''Server Certificate''" logo on the left. A pop-up window will show the
 
3 previous certificates plus the "''Trusted Root''" certificate.
 
 
 
Download the "''Trusted Root''" certificate.
 
  
 +
Verify that all files end with an end of line. If not sure add an empty line at the end of each file.
  
 
== File preparation ==
 
== File preparation ==
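Review bot: the unchanged "File preparation" section that follows this hunk no longer matches the new text. The hunk now says the ZIP contains four separate files (host_name_com.crt, DigiCertCA.crt, DigiCertCA2.crt, TrustedRoot.crt) and drops the paragraph about downloading the Trusted Root. The preparation steps still refer to the "first block of the PEM file", the "2nd block" and "3rd block of the PEM", and a Trusted Root "downloaded separately". Suggest updating those steps in the same revision to name the files from the ZIP. The added "Verify that all files end with an end of line" line would also benefit from saying that the check matters because the CA files are concatenated in the next section.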

Revision as of 08:29, 15 December 2010

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 6.0, ZCS 5.0


Zimbra CSR

To generate the certificate signing request (CSR), use the following command (all commands in this wiki are run as root in an arbitrary work directory):

   /opt/zimbra/bin/zmcertmgr createcsr comm -subject '/C=FR/ST=N\/A/L=N\/A/O=Your Company/OU=Your Department/CN=webmail.foo.com'

The CSR is stored in /opt/zimbra/ssl/zimbra/commercial/commercial.csr.

The private key is in /opt/zimbra/ssl/zimbra/commercial/commercial.key.

Use the flag "-subjectAltNames host1,host2" if you need to specify host aliases.

Verify your CSR with:

   /opt/zimbra/openssl/bin/openssl req -noout -text -in /opt/zimbra/ssl/zimbra/commercial/commercial.csr


Certificates

Purchase the certificate at http://www.digicert.com (create a customer account if you don't already have one). Copy and paste the contents of the CSR file when requested. Note that certificate prices vary depending on the number of aliases in your CSR.

Fill in the address (consistent with your domain owner's address) and a valid contact e-mail address.

After payment approval, a validation e-mail is sent to that e-mail address. If all the information is consistent, the certificates are issued and sent to the same e-mail address in a ZIP file.

The ZIP file contains 4 certificates:

  • a - The site certificate corresponding to the CSR (host_name_com.crt)
  • b - DigiCert's CA certificate (DigiCertCA.crt)
  • c - DigiCert's High Assurance CA (DigiCertCA2.crt)
  • d - Trusted Root certificate (TrustedRoot.crt)

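Verify that every file ends with a newline. If unsure, add an empty line at the end of each file; otherwise concatenating the files can join one certificate's END line to the next certificate's BEGIN line.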

File preparation

- Copy the server certificate (first block of the PEM file) to the file

   commercial.crt

- Concatenate DigiCert's CA certificate (2nd block of the PEM), DigiCert's High Assurance CA certificate (3rd block of the PEM) and the "Trusted Root" certificate (downloaded separately) into a single file named:

   commercial_ca.crt

- Validate the trust chain with the command:

   /opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt

It should print "commercial.crt: OK".
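The newline check and the concatenation step above, as an added shell example (not part of the original article). It assumes the three CA files named in the ZIP listing; the helper function names and the placeholder certificate bodies are constructed for illustration.

```shell
#!/bin/sh
# Build a CA bundle from separate PEM files without fusing the END/BEGIN
# marker lines when an input file lacks its final newline.

# ends_with_newline FILE: succeeds if FILE is non-empty and its last byte is LF.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# pem_concat OUT IN...: concatenate the inputs into OUT, adding the missing
# final newline where needed. Fails if an input is missing or empty.
pem_concat() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        cat "$f" >> "$out"
        ends_with_newline "$f" || printf '\n' >> "$out"
    done
}

# pem_cert_count FILE: print the number of well-formed certificate blocks;
# fail if a marker shares its line with other text or BEGIN/END are unbalanced.
pem_cert_count() {
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF files
        $0 == "-----BEGIN CERTIFICATE-----" { if (inblk) bad = 1; inblk = 1; next }
        $0 == "-----END CERTIFICATE-----" { if (!inblk) bad = 1; inblk = 0; n++; next }
        /-----(BEGIN|END) / { bad = 1 }   # fused or damaged marker line
        END { if (bad || inblk) exit 1; print n + 0 }
    ' "$1"
}

# Demo on constructed input: placeholder bodies, not real certificate data.
demo() {
    d=$(mktemp -d) || return 1
    for n in DigiCertCA DigiCertCA2 TrustedRoot; do
        # No trailing \n in the format: this reproduces the problem file.
        printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$n" \
            '-----END CERTIFICATE-----' > "$d/$n.crt"
    done
    cat "$d/DigiCertCA.crt" "$d/DigiCertCA2.crt" "$d/TrustedRoot.crt" > "$d/naive.crt"
    pem_cert_count "$d/naive.crt" >/dev/null || echo "plain cat: fused marker lines"
    pem_concat "$d/commercial_ca.crt" "$d/DigiCertCA.crt" "$d/DigiCertCA2.crt" "$d/TrustedRoot.crt"
    echo "pem_concat: $(pem_cert_count "$d/commercial_ca.crt") certificates"
    rm -rf "$d"
}
demo
```

The marker check only confirms the bundle's structure; the `openssl verify` command above is still what validates the trust chain.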


Deploy certificates

Deploy the new certificates with:

   /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Then restart Zimbra.

Verified Against: unknown
Date Created: 6/16/2010
Article ID: https://wiki.zimbra.com/index.php?title=Installing_DigiCert_commercial_certificates
Date Modified: 2010-12-15


