Installing a Gandi Commercial Certificate on ZCS: Difference between revisions
(10 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{Archive}}{{Unsupported}}{{Article Infobox|{{admin}}|{{ZCS 7.0}}|{{ZCS 6.0}}|}}Everything as root ... | |||
* First copy all your gandi certificates, for instance in /tmp/gandi | * First copy all your gandi certificates, for instance in /tmp/gandi | ||
Line 8: | Line 8: | ||
* Create a bundle with user trust CA file and the Gandi CA file | |||
cd /tmp/gandi | cd /tmp/gandi | ||
Line 14: | Line 14: | ||
* Backup the SSL commercial directory, then erase it | |||
cd /opt/zimbra/ssl/zimbra/commercial/ | cd /opt/zimbra/ssl/zimbra/commercial/ | ||
Line 21: | Line 21: | ||
* Copy the required files in the directory /opt/zimbra/ssl/zimbra/commercial/ | |||
#commercial.csr ( the certificate signing request that you sent to gandi ) | #commercial.csr ( the certificate signing request that you sent to gandi ) | ||
cp /tmp/gandi/star-gandi. | cp /tmp/gandi/star-gandi.mydomain.com.csr commercial.csr | ||
# commercial.key ( your private key ) | # commercial.key ( your private key ) | ||
cp /tmp/gandi/star-gandi. | cp /tmp/gandi/star-gandi.mydomain.com.key commercial.key | ||
# commercial_ca.crt( bundle created above ) | # commercial_ca.crt( bundle created above ) | ||
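Review bot: the commercial.key step copies the private key out of /tmp/gandi, a directory under the shared /tmp, and nothing in this hunk sets permissions on either copy. Suggest staging the files in a directory created with mode 0700 and adding a chmod 600 commercial.key after the cp. It would also help to say that star-gandi.mydomain.com stands for the reader's own file name.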
Line 34: | Line 33: | ||
# Verify our Gandi Certificate against the private key | # Verify our Gandi Certificate against the private key | ||
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/star-gandi. | /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/star-gandi.mydomain.com.crt | ||
** Verifying /tmp/gandi/star-gandi. | ** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against commercial.key | ||
Certificate (/tmp/gandi/star-gandi. | Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (commercial.key) match. | ||
Valid Certificate: /tmp/gandi/star-gandi. | Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK | ||
# Verify our Gandi Certificate against the Certificate Authority Chain | # Verify our Gandi Certificate against the Certificate Authority Chain | ||
/opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/star-gandi. | /opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/star-gandi.mydomain.com.crt | ||
Valid Certificate Chain: /tmp/gandi/star-gandi. | Valid Certificate Chain: /tmp/gandi/star-gandi.mydomain.com.crt: OK | ||
# Deploy our Gandi Certificate | # Deploy our Gandi Certificate | ||
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/star-gandi. | /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/star-gandi.mydomain.com.crt commercial_ca.crt | ||
** Verifying /tmp/gandi/star-gandi. | ** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key | ||
Certificate (/tmp/gandi/star-gandi. | Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match. | ||
Valid Certificate: /tmp/gandi/star-gandi. | Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK | ||
** Copying /tmp/gandi/star-gandi. | ** Copying /tmp/gandi/star-gandi.mydomain.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt | ||
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt | ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt | ||
cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file | cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file | ||
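Review bot: the sample deploycrt output ends with a cp error ("`commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file") that the page never explains. It appears because the chain is passed as the relative path commercial_ca.crt, which cp reports as the same file as the one in the commercial directory. Either pass the bundle from another location or add a line saying whether the message can be ignored.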
Line 61: | Line 60: | ||
** Installing CA to /opt/zimbra/conf/ca...done. | ** Installing CA to /opt/zimbra/conf/ca...done. | ||
Restart the zimbra and have a look at the log: | *Restart the zimbra and have a look at the log: | ||
/etc/init.d/zimbra restart ; tail -f /opt/zimbra/log/*.log | /etc/init.d/zimbra restart ; tail -f /opt/zimbra/log/*.log | ||
ON ZIMBRA 6 IF YOU GET THE FOLLOWING ERROR: | * '''ON ZIMBRA 6''' IF YOU GET THE FOLLOWING ERROR: | ||
<code> | <code> | ||
cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target | cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target | ||
</code> | </code> | ||
Install Gandi SSL CA in the java keystore ( according to http://www.zimbrafr.org/forum/viewtopic.php?id=2017. Thanks Yvon ! ) | |||
/opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem | /opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem | ||
* Gandi people if you read this please send me a t-shirt :) You can contact me to via the talk page. | |||
{{Article Footer|unknown|2/1/2010}} | |||
[[Category:Certificates]] | |||
[[Category:ZCS 7.0]] | |||
[[Category:ZCS 6.0]] |
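Review bot: the keytool step adds /tmp/gandi/GandiStandardSSLCA.pem to the JVM-wide cacerts store without first checking that the file is the CA certificate it claims to be. Suggest a preceding keytool -printcert -file /tmp/gandi/GandiStandardSSLCA.pem step, with the fingerprint compared against the value the CA publishes, and a note that -storepass changeit is the stock keystore password and is visible on the command line.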
Latest revision as of 12:17, 30 March 2015
Article Information |
---|
This article applies to the following ZCS versions. |
Everything as root ...
- First copy all your Gandi certificates, for instance into /tmp/gandi
Gandi is not a top-level certificate authority, so we need some extra certificates:
aptitude install ca-certificates
- Create a bundle with the USERTrust CA file and the Gandi CA file
cd /tmp/gandi
cat /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem GandiStandardSSLCA.pem > GandiBundle.pem
- Back up the SSL commercial directory, then erase it
cd /opt/zimbra/ssl/zimbra/commercial/
tar -czvf /tmp/ssl.commercial.tar.gz *
rm *
- Copy the required files into the directory /opt/zimbra/ssl/zimbra/commercial/
# commercial.csr (the certificate signing request that you sent to Gandi)
cp /tmp/gandi/star-gandi.mydomain.com.csr commercial.csr
# commercial.key (your private key)
cp /tmp/gandi/star-gandi.mydomain.com.key commercial.key
# commercial_ca.crt (bundle created above)
cp /tmp/gandi/GandiBundle.pem commercial_ca.crt
# Verify our Gandi Certificate against the private key
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/star-gandi.mydomain.com.crt
** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against commercial.key
Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (commercial.key) match.
Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK

# Verify our Gandi Certificate against the Certificate Authority Chain
/opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/star-gandi.mydomain.com.crt
Valid Certificate Chain: /tmp/gandi/star-gandi.mydomain.com.crt: OK

# Deploy our Gandi Certificate
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/star-gandi.mydomain.com.crt commercial_ca.crt
** Verifying /tmp/gandi/star-gandi.mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/gandi/star-gandi.mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/gandi/star-gandi.mydomain.com.crt: OK
** Copying /tmp/gandi/star-gandi.mydomain.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
- Restart Zimbra and have a look at the logs:
/etc/init.d/zimbra restart ; tail -f /opt/zimbra/log/*.log
- ON ZIMBRA 6 IF YOU GET THE FOLLOWING ERROR:
cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Install the Gandi SSL CA in the Java keystore (according to http://www.zimbrafr.org/forum/viewtopic.php?id=2017, thanks Yvon!)
/opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem
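The checks that zmcertmgr verifycrt and verifycrtchain report on above can be reproduced with plain openssl before anything under /opt/zimbra is touched. The script below is an added example, not part of the original page or of Zimbra: the function names are hypothetical, the key-permission check goes beyond what the page covers, and the demo PKI is a constructed throwaway root and intermediate standing in for the root CA file and GandiStandardSSLCA.pem.

```shell
#!/bin/sh
# Added example: openssl equivalents of zmcertmgr verifycrt / verifycrtchain,
# plus a permission check on the private key. Function names are hypothetical.

cert_matches_key() {   # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]   # same public key?
}

chain_verifies() {     # $1 = CA bundle, $2 = certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

key_is_private() {     # $1 = key file; true only if group/other have no access
    case $(ls -ld "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

preflight() {          # $1 = certificate, $2 = key, $3 = CA bundle
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    chain_verifies "$3" "$1" || { echo "FAIL: $1 does not chain to $3"; rc=1; }
    key_is_private "$2" || { echo "FAIL: $2 is accessible to group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: all checks passed"
    return "$rc"
}

make_demo_pki() {      # $1 = work dir; constructed throwaway CA, not Gandi's
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -keyout root.key -out root.pem -days 2
      openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" -keyout int.key -out int.csr
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -out int.pem -days 2
      openssl req -newkey rsa:2048 -nodes -subj "/CN=*.mydomain.com" -keyout leaf.key -out leaf.csr
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -out leaf.crt -days 2
      cat root.pem int.pem > bundle.pem          # same shape as GandiBundle.pem
      openssl genrsa -out other.key 2048         # unrelated key for the mismatch case
    ) >/dev/null 2>&1
}

if [ "$#" -eq 3 ]; then
    preflight "$@"
else                   # no arguments: run against the constructed demo PKI
    demo=$(mktemp -d) && make_demo_pki "$demo" && chmod 600 "$demo/leaf.key"
    preflight "$demo/leaf.crt" "$demo/leaf.key" "$demo/bundle.pem"
    rm -rf "$demo"
fi
```

Run it with three arguments (certificate, key, bundle) to check real files; with the root alone as the bundle, the chain check fails, which is why the page builds GandiBundle.pem.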
- Gandi people, if you read this, please send me a t-shirt :) You can contact me via the talk page.