Installing a Gandi Commercial Certificate on ZCS
Everything as root ...
First copy all your gandi certificates, for instance in /tmp/gandi
Gandi is not a top level Certifying Authority, so we need some extra certificates
aptitude install ca-certificates
Create a bundle with user trust CA file and the Gandi CA file
cd /tmp/gandi
cat /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem GandiStandardSSLCA.pem > GandiBundle.pem
Backup the SSL commercial directory, then erase it
cd /opt/zimbra/ssl/zimbra/commercial/
tar -czvf /tmp/ssl.commercial.tar.gz *
rm *
Copy the required files in the directory /opt/zimbra/ssl/zimbra/commercial/
- commercial.csr ( the certificate signing request that you sent to gandi )
cp /tmp/gandi/star-gandi.openforce.com.csr commercial.csr
- commercial.key ( your private key )
cp /tmp/gandi/star-gandi.openforce.com.key commercial.key
- commercial_ca.crt( bundle created above )
cp /tmp/gandi/GandiBundle.pem commercial_ca.crt
- Verify our Gandi Certificate against the private key
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/star-gandi.openforce.com.crt
- Verifying /tmp/gandi/star-gandi.openforce.com.crt against commercial.key
Certificate (/tmp/gandi/star-gandi.openforce.com.crt) and private key (commercial.key) match.
Valid Certificate: /tmp/gandi/star-gandi.openforce.com.crt: OK
- Verify our Gandi Certificate against the Certificate Authority Chain
/opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/star-gandi.openforce.com.crt
Valid Certificate Chain: /tmp/gandi/star-gandi.openforce.com.crt: OK
- Deploy our Gandi Certificate
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/star-gandi.openforce.com.crt commercial_ca.crt
- Verifying /tmp/gandi/star-gandi.openforce.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/gandi/star-gandi.openforce.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/gandi/star-gandi.openforce.com.crt: OK
- Copying /tmp/gandi/star-gandi.openforce.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
- Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
- Saving server config key zimbraSSLCertificate...failed.
- Saving server config key zimbraSSLPrivateKey...failed.
- Installing mta certificate and key...done.
- Installing slapd certificate and key...done.
- Installing proxy certificate and key...done.
- Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
- Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
- Installing CA to /opt/zimbra/conf/ca...done.
Restart the zimbra and have a look at the log:
/etc/init.d/zimbra restart ; tail -f /opt/zimbra/log/*.log
ON ZIMBRA 6 IF YOU GET THE FOLLOWING ERROR:
cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Install Gandi SSL CA in the java keystore ( according to http://www.zimbrafr.org/forum/viewtopic.php?id=2017. Thanks Yvon ! )
/opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem
