Installing a Gandi Commercial Certificate on ZCS: Difference between revisions

No edit summary
No edit summary
 
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
        *Everything as root ...
{{Archive}}{{Unsupported}}{{Article Infobox|{{admin}}|{{ZCS 7.0}}|{{ZCS 6.0}}|}}Everything as root ...


* First copy all your gandi certificates, for instance in /tmp/gandi
* First copy all your gandi certificates, for instance in /tmp/gandi
Line 8: Line 8:




===== Create a bundle with user trust CA file and the Gandi CA file =====
* Create a bundle with user trust CA file and the Gandi CA file


         cd /tmp/gandi
         cd /tmp/gandi
Line 14: Line 14:




===== Backup the SSL commercial directory, then erase it =====
* Backup the SSL commercial directory, then erase it


         cd /opt/zimbra/ssl/zimbra/commercial/
         cd /opt/zimbra/ssl/zimbra/commercial/
Line 21: Line 21:




===== Copy the required files in the directory /opt/zimbra/ssl/zimbra/commercial/ =====
* Copy the required files in the directory /opt/zimbra/ssl/zimbra/commercial/


         #commercial.csr ( the certificate signing request that you sent to gandi )  
         #commercial.csr ( the certificate signing request that you sent to gandi )  
         cp /tmp/gandi/star-gandi.openforce.com.csr commercial.csr
         cp /tmp/gandi/star-gandi.mydomain.com.csr commercial.csr
 


         # commercial.key ( your private key )
         # commercial.key ( your private key )
         cp /tmp/gandi/star-gandi.openforce.com.key commercial.key
         cp /tmp/gandi/star-gandi.mydomain.com.key commercial.key


         # commercial_ca.crt( bundle created above )  
         # commercial_ca.crt( bundle created above )  
Line 34: Line 33:


         # Verify our Gandi Certificate against the private key
         # Verify our Gandi Certificate against the private key
         /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/star-gandi.openforce.com.crt  
         /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/star-gandi.mydomain.com.crt  


         ** Verifying /tmp/gandi/star-gandi.openforce.com.crt against commercial.key
         ** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against commercial.key
         Certificate (/tmp/gandi/star-gandi.openforce.com.crt) and private key (commercial.key) match.
         Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (commercial.key) match.
         Valid Certificate: /tmp/gandi/star-gandi.openforce.com.crt: OK
         Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK


         # Verify our Gandi Certificate against the Certificate Authority Chain
         # Verify our Gandi Certificate against the Certificate Authority Chain
         /opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/star-gandi.openforce.com.crt  
         /opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/star-gandi.mydomain.com.crt  
         Valid Certificate Chain: /tmp/gandi/star-gandi.openforce.com.crt: OK
         Valid Certificate Chain: /tmp/gandi/star-gandi.mydomain.com.crt: OK


         # Deploy our Gandi Certificate
         # Deploy our Gandi Certificate
         /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/star-gandi.openforce.com.crt commercial_ca.crt  
         /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/star-gandi.mydomain.com.crt commercial_ca.crt  
         ** Verifying /tmp/gandi/star-gandi.openforce.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
         ** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
         Certificate (/tmp/gandi/star-gandi.openforce.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
         Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
         Valid Certificate: /tmp/gandi/star-gandi.openforce.com.crt: OK
         Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK
         ** Copying /tmp/gandi/star-gandi.openforce.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
         ** Copying /tmp/gandi/star-gandi.mydomain.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
         ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
         ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
         cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
         cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
Line 61: Line 60:
         ** Installing CA to /opt/zimbra/conf/ca...done.
         ** Installing CA to /opt/zimbra/conf/ca...done.


Restart the zimbra and have a look at the log:
*Restart the zimbra and have a look at the log:
<code> 
 
         /etc/init.d/zimbra restart ;  tail -f /opt/zimbra/log/*.log
         /etc/init.d/zimbra restart ;  tail -f /opt/zimbra/log/*.log
</code>


ON ZIMBRA 6 IF YOU GET THE FOLLOWING ERROR:  
* '''ON ZIMBRA 6''' IF YOU GET THE FOLLOWING ERROR:  
<code>
<code>
cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed:                  sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed:                  sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
</code>
</code>
* Install Gandi SSL CA in the java keystore ( according to http://www.zimbrafr.org/forum/viewtopic.php?id=2017. Thanks Yvon ! )
Install Gandi SSL CA in the java keystore ( according to http://www.zimbrafr.org/forum/viewtopic.php?id=2017. Thanks Yvon ! )


         /opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem
         /opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem
* Gandi people if you read this please send me a t-shirt :)  You can contact me to via the talk page.
{{Article Footer|unknown|2/1/2010}}
[[Category:Certificates]]
[[Category:ZCS 7.0]]
[[Category:ZCS 6.0]]

Latest revision as of 12:17, 30 March 2015

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 7.0 Article ZCS 7.0 ZCS 6.0 Article ZCS 6.0

Everything as root ...

  • First copy all your gandi certificates, for instance in /tmp/gandi

Gandi is not a top level Certifying Authority, so we need some extra certificates

       aptitude install ca-certificates


  • Create a bundle with user trust CA file and the Gandi CA file
       cd /tmp/gandi
       cat /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem GandiStandardSSLCA.pem > GandiBundle.pem


  • Backup the SSL commercial directory, then erase it
       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.tar.gz *
       rm  *


  • Copy the required files in the directory /opt/zimbra/ssl/zimbra/commercial/
        #commercial.csr ( the certificate signing request that you sent to gandi ) 
        cp /tmp/gandi/star-gandi.mydomain.com.csr commercial.csr
        # commercial.key ( your private key )
        cp /tmp/gandi/star-gandi.mydomain.com.key commercial.key
        # commercial_ca.crt( bundle created above ) 
        cp /tmp/gandi/GandiBundle.pem commercial_ca.crt
        # Verify our Gandi Certificate against the private key
        /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/star-gandi.mydomain.com.crt 
        ** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against commercial.key
        Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (commercial.key) match.
        Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK
        # Verify our Gandi Certificate against the Certificate Authority Chain
        /opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/star-gandi.mydomain.com.crt 
        Valid Certificate Chain: /tmp/gandi/star-gandi.mydomain.com.crt: OK
        # Deploy our Gandi Certificate
        /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/star-gandi.mydomain.com.crt commercial_ca.crt 
        ** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
        Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
        Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK
        ** Copying /tmp/gandi/star-gandi.mydomain.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
        ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
        cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
        ** Saving server config key zimbraSSLCertificate...failed.
        ** Saving server config key zimbraSSLPrivateKey...failed.
        ** Installing mta certificate and key...done.
        ** Installing slapd certificate and key...done.
        ** Installing proxy certificate and key...done.
        ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
        ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
        ** Installing CA to /opt/zimbra/conf/ca...done.
  • Restart the zimbra and have a look at the log:
        /etc/init.d/zimbra restart ;  tail -f /opt/zimbra/log/*.log
  • ON ZIMBRA 6 IF YOU GET THE FOLLOWING ERROR:

cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Install Gandi SSL CA in the java keystore ( according to http://www.zimbrafr.org/forum/viewtopic.php?id=2017. Thanks Yvon ! )

        /opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem
  • Gandi people if you read this please send me a t-shirt :) You can contact me to via the talk page.


Verified Against: unknown Date Created: 2/1/2010
Article ID: https://wiki.zimbra.com/index.php?title=Installing_a_Gandi_Commercial_Certificate_on_ZCS Date Modified: 2015-03-30



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search