Installing a GeoTrust Commercial Certificate

Revision as of 18:40, 13 September 2010

Admin Article

This article applies to ZCS 5.0 and ZCS 4.5.


Installing a GeoTrust Commercial Certificate on ZCS 5.0.x

  • As root:

1. Move the existing files out of /opt/zimbra/ssl/zimbra/commercial (they are archived to /tmp first)

       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.tar.gz *
       rm -rf *

2. Generate a new CSR (edit the subject on this line to match your company details)

       /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"

3. Get it signed

       Place SSL order and paste in the contents of commercial.csr
       Put the certificate into commercial.crt using cat or vi

4. Put your CA in place (for GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard see http://www.geocerts.com/support/roots.php)

       wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
       mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt
       

Please note that as of July 22, 2010, GeoTrust uses an intermediate CA.

       GeoTrust KB article: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422
       You will need to download the two files below and splice them together:
       wget https://knowledge.geotrust.com/library/VERISIGN/ALL_OTHER/geotrust%20ca/QuickSSL_CA_Bundle.pem
       wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer
       cat QuickSSL_CA_Bundle.pem GeoTrust_Global_CA.cer >> commercial_ca.crt

5. Verify that the cert and key match

       /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
should return
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK

6. Deploy the cert

       /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt

QUESTION: When performing this command it stops until the user presses CTRL-D, and then it finishes. It seems to be expecting one more parameter (ca_chain_file). I don't think all implementations would require this parameter (we don't) so not sure why the zmcertmgr is waiting for that final parameter or the CTRL-D. Put different instructions here?

7. Restart the webserver

       su - zimbra
       zmmailboxdctl restart

8. Restart the proxy (for IMAP/POP)

       su - zimbra
       zmproxyctl restart
  • It's also very handy to have a copy of the comments for zmcertmgr around in a side window.


Upgrading a GeoTrust Commercial Certificate on ZCS 5.0.x

  • Commands are run as root or sudo user:

1. Create a backup of files in /opt/zimbra/ssl/zimbra/commercial

       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.backup.tar.gz *

2. Create your new set of files (to test that they are valid); note that I had to download a new CA file as listed below

       mkdir /tmp/renewalcert
       cd /tmp/renewalcert
       cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/renewalcert
       wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
       mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt
       vi /tmp/renewalcert/tmp.crt   [paste your new cert here]
       openssl x509 -in tmp.crt -out new.crt -text
       cat new.crt commercial_ca.crt > commercial.crt

3. Verify that cert, key and CA file match

       /opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/renewalcert/commercial.key /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt
should return
** Verifying /tmp/renewalcert/commercial.crt against /tmp/renewalcert/commercial.key
Certificate (/tmp/renewalcert/commercial.crt) and private key (/tmp/renewalcert/commercial.key) match.
Valid Certificate: /tmp/renewalcert/commercial.crt: OK
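Step 5 of the installation section and step 3 of this renewal section both rely on zmcertmgr verifycrt to confirm that the key and certificate belong together. The following script is an added example, not part of this wiki article and not Zimbra's tooling; it performs the same two checks with openssl alone, so they can be run on a workstation before anything is copied under /opt/zimbra: that the certificate's public key matches the private key, and that the server certificate chains to a root using only the certificates in the spliced commercial_ca.crt bundle (the intermediate-CA point from step 4 of the installation section). It generates its own throwaway root, intermediate and server certificates in a temporary directory; the names mail.example.test, Constructed Test Root and Constructed Test Intermediate are constructed for the example. It assumes openssl 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki or zmcertmgr): pre-deployment checks
# for a commercial certificate, done with openssl alone.
# Assumes openssl 1.1.1+ on PATH. All key and certificate material is a
# constructed throwaway PKI generated under the directory given to make_test_pki.

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Build a constructed PKI in "$1": root -> intermediate -> leaf, 2048-bit RSA,
# then splice intermediate + root into commercial_ca.crt as step 4 does.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf"
    # Extensions applied when signing the intermediate: without CA:TRUE a
    # modern verifier rejects the chain even though the signatures are valid.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int_ext.cnf"

    for n in root int leaf other; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
    done

    # Self-signed root.
    openssl req -x509 -new -key "$dir/root.key" -config "$dir/openssl.cnf" \
        -subj "/CN=Constructed Test Root" -days 30 -out "$dir/root.crt" 2>/dev/null
    # Intermediate signed by the root.
    openssl req -new -key "$dir/int.key" -config "$dir/openssl.cnf" \
        -subj "/CN=Constructed Test Intermediate" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/int_ext.cnf" -out "$dir/int.crt" 2>/dev/null
    # Leaf (the server certificate a CA would send back), signed by the intermediate.
    openssl req -new -key "$dir/leaf.key" -config "$dir/openssl.cnf" \
        -subj "/CN=mail.example.test" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 30 -out "$dir/leaf.crt" 2>/dev/null

    # The spliced CA bundle, as in step 4: intermediate first, then root.
    cat "$dir/int.crt" "$dir/root.crt" > "$dir/commercial_ca.crt"
}

# Check 1: does the certificate's public key match the private key?
# Compares the public key PEM extracted from each side instead of eyeballing moduli.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Check 2: does the leaf chain to a root using only the certificates in the bundle?
# This is the check that fails when the intermediate is left out of commercial_ca.crt.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: build the PKI and report both checks.
if [ "${1:-}" = "--demo" ]; then
    T=$(mktemp -d)
    make_test_pki "$T"
    cert_matches_key "$T/leaf.crt" "$T/leaf.key" && echo "key matches cert"
    chain_verifies "$T/commercial_ca.crt" "$T/leaf.crt" && echo "chain ok with spliced bundle"
    chain_verifies "$T/root.crt" "$T/leaf.crt" || echo "chain FAILS with root only (intermediate missing)"
    rm -rf "$T"
fi
```

Run it with `sh check_cert.sh --demo` to see all three outcomes. To use the two check functions on a real order, call cert_matches_key with commercial.crt and commercial.key, and chain_verifies with commercial_ca.crt and commercial.crt; the root-only failure in the demo is exactly what a client sees when the intermediate is missing from the bundle.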


4. Deploy the renewal cert

       /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt
should return

** Verifying /tmp/renewalcert/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/renewalcert/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/renewalcert/commercial.crt: OK
** Copying /tmp/renewalcert/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/renewalcert/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.


5. Restart zimbra

       su - zimbra
       zmcontrol stop; zmcontrol start;

Installing a GeoTrust Commercial Certificate on ZCS 4.5.x

These instructions were tested on Zimbra 4.5 using some of the included scripts for certificate handling.

1. Back up your keystore

    sudo -u zimbra cp /opt/zimbra/tomcat/conf/keystore /opt/zimbra/tomcat/conf/keystore.bak

2. su zimbra

3. Create a new file or a copy of bin/zmcreatecert to make this script (personalize the bits between *** to match your settings)

#!/bin/bash
# Adapted from bin/zmcreatecert: self-signs certificates for slapd and perdition
# with the local Zimbra CA and produces a tomcat CSR to submit to GeoTrust.
# Personalize the bits between *** before running.
source /opt/zimbra/bin/zmshutil || exit 1
zmsetvars

CONF=/opt/zimbra/conf
TCONF=/opt/zimbra/tomcat/conf
B=/opt/zimbra/ssl
BASE=${B}/ssl

# Locate the Java trust store; the path differs between JDK and JRE layouts.
# (Kept from the original script; CACERTS is not used below.)
JAVA_HOME=${zimbra_java_home}
if [ -f "${JAVA_HOME}/lib/security/cacerts" ]; then
        CACERTS=${JAVA_HOME}/lib/security/cacerts
else
        CACERTS=${JAVA_HOME}/jre/lib/security/cacerts
fi


TOMCAT=/opt/zimbra/tomcat/conf

# Working directories under /opt/zimbra/ssl/ssl.
rm -rf ${BASE}/newCA
mkdir -p ${BASE}/ca
mkdir -p ${BASE}/newCA/newcerts
touch ${BASE}/newCA/index.txt
mkdir -p ${BASE}/cert
mkdir -p ${BASE}/server

mkdir -p ${TCONF}

# Set this to your full domain name, e.g. mail.domain.com. The quotes keep the
# placeholder from being expanded as a shell glob until you replace it.
hostname="***Set this to your full domain name mail.domain.com***"

# A hostname given on the command line overrides the one above; any further
# arguments become subjectAltName entries.
if [ "x$1" != "x" ]; then
        hostname=$1
        shift;
fi

# Fill in @@HOSTNAME@@ and @@ALTNAMES@@ in the zmssl.cnf.in template.
createConf() {
        ALTNAMES=""
        for alt in "$@"; do
                if [ "x$ALTNAMES" = "x" ]; then
                        ALTNAMES="subjectAltName = DNS:${hostname},DNS:${alt}"
                else
                        ALTNAMES="${ALTNAMES},DNS:${alt}"
                fi
        done
        cat ${CONF}/zmssl.cnf.in | sed -e "s/@@HOSTNAME@@/$hostname/" \
                -e "s/@@ALTNAMES@@/$ALTNAMES/" > ${BASE}/zmssl.cnf
}


# Create a fresh tomcat keystore holding a new RSA key pair under the alias "tomcat".
createKeyStore() {

        echo "** Creating keystore"
        echo

        rm -f ${TCONF}/keystore

        keytool -validity 730 -genkey -dname "CN=$hostname, OU=**Set to Your Org Unit***, O=***Set to Your Company***, L=**Set to Your City***, S=***Set to Your State***, C=US" \
                -alias tomcat -keyalg RSA -keysize 1024 -keystore ${TCONF}/keystore \
                -storetype JKS -storepass zimbra -keypass zimbra

}

# Two requests: an openssl CSR (signed locally for slapd/perdition) and a
# keytool CSR for tomcat (the one you submit to GeoTrust).
createCertReq() {

        echo "** Creating server cert request"
        echo

        openssl req -new -nodes -out ${BASE}/server/server.csr \
                -keyout ${BASE}/server/server.key -newkey rsa:1024 \
                -config ${BASE}/zmssl.cnf -batch

        keytool -certreq -keyalg RSA -alias tomcat -file \
                ${BASE}/server/tomcat.csr -keystore \
                ${TCONF}/keystore -storepass zimbra

        # keytool writes a "NEW CERTIFICATE REQUEST" PEM label; rewrite it to the
        # plain label that CAs expect.
        cp ${BASE}/server/tomcat.csr /tmp/tomcat.csr.$$
        cat /tmp/tomcat.csr.$$ | sed -e \
                's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' \
                > ${BASE}/server/tomcat.csr

}

# Sign the openssl CSR with the local CA (ca.key/ca.pem created by zmcreateca)
# and install the result for slapd and perdition.
signCertReq() { 
        echo "** Signing cert request"
        echo

        openssl ca -out ${BASE}/server/server.crt -notext \
                -config ${BASE}/zmssl.cnf -in ${BASE}/server/server.csr \
                -keyfile ${BASE}/ca/ca.key -cert ${BASE}/ca/ca.pem -batch

        cp ${BASE}/server/server.crt ${CONF}/slapd.crt
        cp ${BASE}/server/server.key ${CONF}/slapd.key
        cp ${BASE}/server/server.crt ${CONF}/perdition.pem
        cp ${BASE}/server/server.key ${CONF}/perdition.key
        mkdir -p ${CONF}/ca
        cp ${BASE}/ca/ca.key ${CONF}/ca/ca.key
        cp ${BASE}/ca/ca.pem ${CONF}/ca/ca.pem
}

createConf "$@"

createKeyStore

createCertReq

signCertReq

# Private keys live under here; keep them readable by the owner only.
chmod -R 700 ${B}

4. Run this newly created script

Essentially this script will generate and sign a new certificate for slapd and perdition and also generate a signing request for tomcat. The signing request for tomcat will be in /opt/zimbra/ssl/ssl/server/tomcat.csr. Take the contents of the CSR and submit them to your certificate authority (GeoTrust in this case). You will then receive the certificate by email.

5. Take the certificate from the authority and paste it into /opt/zimbra/ssl/ssl/server/tomcat.pem

6. Convert the certificate into the binary DER format that keytool expects:

    openssl x509 -in tomcat.pem -inform PEM -outform DER -out tomcat.crt

You will also need to download the root CA from GeoTrust; it can be found at

    www.geotrust.com/resources/root_certificates/index.asp
         - for a TrueBusinessID certificate download the Equifax Secure Certificate Authority file that is in DER encoded X.509 format
         - for a QuickSSL certificate download the Equifax Secure Global eBusiness CA-1 file that is in the DER encoded X.509 format

7. Put whichever file you needed in /opt/zimbra/ssl/ssl/geotrust.crt

8. Run the following as root (if this says the chain already exists, don't overwrite the existing one, and skip to the next step):

    keytool -import -alias geotrustca -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/geotrust.crt -storepass changeit

9. Run the following as root:

    keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

10. Run the following as zimbra:

    keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt -storepass zimbra

11. Run the following as zimbra (or restart Zimbra with zmcontrol stop && zmcontrol start):

    /opt/zimbra/bin/tomcat restart

12. If all went as planned you should now be able to access https://your.mailsite.com

13. If you receive "page cannot be displayed", copy /opt/zimbra/tomcat/conf/keystore.bak back to /opt/zimbra/tomcat/conf/keystore and restart tomcat again.

14. If you did break tomcat and did not back up the keystore in step 1, it is possible to get up and running again by doing the following:

         - su zimbra
         - /opt/zimbra/bin/zmcreateca
         - /opt/zimbra/bin/zmcreatecert
         - /opt/zimbra/bin/zmcertinstall

15. Test bin/zmprov to make sure it works without giving an untrusted certificate error. If it doesn't, run the following as root (when prompted for a password use changeit):

      /opt/zimbra/java/bin/keytool -import -alias tomcat -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt
  • Note: All the scripts above were taken directly from the bin/zmcreatecert and bin/zmcertinstall scripts with a little modification.
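Steps 3 to 10 above spread the request handling across keytool and openssl, and the template the script substitutes into (zmssl.cnf.in) is not shown. The following script is an added example, not from this article and not Zimbra's zmcreatecert; it reproduces the openssl half of the procedure in isolation so each piece can be checked before it is run against a live keystore: the @@HOSTNAME@@/@@ALTNAMES@@ substitution that createConf performs (against a constructed stand-in for zmssl.cnf.in), a CSR that carries the subjectAltName list and a function that reads the list back out of it, the "NEW CERTIFICATE REQUEST" label rewrite that keytool's output needs, and the PEM-to-DER conversion from step 6 confirmed by reading the DER file back. It uses 2048-bit RSA; the 1024-bit keys the 2008 script generates are below current minimums. The names mail.example.test, imap.example.test and smtp.example.test are constructed, and the self-signed certificate stands in for the one GeoTrust would return. It assumes openssl 1.1.1 or later on PATH; the keytool import steps are not reproduced because they need a Java runtime.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki or zmcreatecert): the openssl half of
# the ZCS 4.5 CSR procedure, in isolation. Assumes openssl 1.1.1+ on PATH.
# The config template and all hostnames are constructed for this example.

# Constructed stand-in for /opt/zimbra/conf/zmssl.cnf.in with the same
# @@HOSTNAME@@ / @@ALTNAMES@@ placeholders the wiki script substitutes.
write_template() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
req_extensions = v3_req
prompt = no
[req_dn]
CN = @@HOSTNAME@@
[v3_req]
@@ALTNAMES@@
EOF
}

# Mirrors createConf: build the subjectAltName line from the hostname plus any
# extra names, then substitute both placeholders. Unlike the original, the
# hostname is always listed as a SAN even with no extra names, because clients
# ignore the CN once a SAN extension is present.
create_conf() {
    template=$1; out=$2; host=$3; shift 3
    altnames="subjectAltName = DNS:${host}"
    for alt in "$@"; do
        altnames="${altnames},DNS:${alt}"
    done
    sed -e "s|@@HOSTNAME@@|${host}|" -e "s|@@ALTNAMES@@|${altnames}|" "$template" > "$out"
}

# Generate a 2048-bit key and a CSR from the substituted config.
create_cert_req() {
    cnf=$1; key=$2; csr=$3
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -config "$cnf" -out "$csr" 2>/dev/null
}

# Read the SAN list back out of a CSR, so the request can be checked before it
# is pasted into the CA's order form.
csr_sans() {
    openssl req -in "$1" -noout -text | sed -n 's/^[[:space:]]*\(DNS:.*\)$/\1/p'
}

# keytool -certreq writes "BEGIN NEW CERTIFICATE REQUEST"; CAs expect the plain
# PEM label, hence the sed in the wiki script. Filters stdin to stdout.
normalize_csr_header() {
    sed -e 's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/'
}

# Self-signed stand-in for the certificate the CA would return (demo only).
make_selfsigned_stub() {
    cnf=$1; key=$2; out=$3
    openssl req -x509 -new -key "$key" -config "$cnf" -days 30 -out "$out" 2>/dev/null
}

# Step 6: PEM -> DER for keytool.
pem_to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# Read the subject back from the DER file to confirm the conversion worked.
der_subject() {
    openssl x509 -in "$1" -inform DER -noout -subject
}

if [ "${1:-}" = "--demo" ]; then
    T=$(mktemp -d)
    write_template "$T/zmssl.cnf.in"
    create_conf "$T/zmssl.cnf.in" "$T/zmssl.cnf" mail.example.test imap.example.test smtp.example.test
    create_cert_req "$T/zmssl.cnf" "$T/server.key" "$T/server.csr"
    echo "CSR SANs: $(csr_sans "$T/server.csr")"
    make_selfsigned_stub "$T/zmssl.cnf" "$T/server.key" "$T/tomcat.pem"
    pem_to_der "$T/tomcat.pem" "$T/tomcat.crt"
    echo "DER cert: $(der_subject "$T/tomcat.crt")"
    rm -rf "$T"
fi
```

Run with `sh csr_check.sh --demo`. On a real system, point create_conf at /opt/zimbra/conf/zmssl.cnf.in instead of the constructed template and run csr_sans on the generated CSR before submitting it; a request missing a name is far cheaper to catch here than after the certificate has been issued.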


Verified Against: ZCS 4.5.x & ZCS 5.0.x Date Created: 9/19/2008
Article ID: https://wiki.zimbra.com/index.php?title=Installing_a_GeoTrust_Commercial_Certificate Date Modified: 2010-09-13


