Installing a GeoTrust Commercial Certificate: Difference between revisions
Applies to ZCS 6.0 and ZCS 5.0 (the article is marked unsupported, archived and work in progress). Article footer: Zimbra Collaboration 6.0, 5.0 | 9/19/2008. Category: Certificates.
Latest revision as of 09:32, 12 July 2015
Installing a GeoTrust Commercial Certificate
Installing a GeoTrust Commercial Certificate on ZCS 6.0.x using the Cross Root certificate
In July 2010, GeoTrust issued a new root certificate. Many mobile devices and mail clients do not yet support the new GeoTrust root. In those cases you should be able to use these instructions on Zimbra 6.x so that the devices which do not trust the new root still trust your newly issued server certificate, because the chain you install leads back to the old Equifax root they already know.
- As Root:
1. Back up and then clear /opt/zimbra/ssl/zimbra/commercial
cd /opt/zimbra/ssl/zimbra/commercial/
tar -czvf /tmp/ssl.commercial.tar.gz *
rm -rf *
The archive holds the current private key (commercial.key); keep it readable by root only and move it out of /tmp once the new certificate is working.
2. Generate a new CSR (the -new option also generates a new private key); edit the subject on this line for your company details
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"
3. Get it signed
Place the SSL order and paste in the contents of commercial.csr.
Put the returned certificate into commercial.crt using cat or vi.
4. Put your CA chain in place (for GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard: http://www.geotrust.com/resources/root-certificates/ )
GeoTrust issued a new root certificate in 2010. If you need to support mobile devices and mail clients that don't yet have the new GeoTrust root, you will need the GeoTrust Cross Root certificate located here:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426
Grab the original Equifax root certificate from here:
wget http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
Please note that as of July 22, 2010, GeoTrust switched to 2048-bit certificates and requires the use of an intermediate CA. The link to your intermediate CA should have been included in the email from GeoTrust with your new server certificate.
Use cat or vi to put the intermediate, cross root and root certs together in the commercial_ca.crt file. The order they appear in is important, because the servers send the file to clients as-is: intermediate on top, cross root in the middle, and Equifax root on the bottom. Each certificate must be PEM (it starts with -----BEGIN CERTIFICATE-----; a .cer download that is DER encoded has to be converted first) and must end with a newline, so that no two PEM blocks run together and no extra line breaks or spaces sit between them.
[ Intermediate ]
[ Cross Root ]
[ Equifax Root ]
5. verify that the cert and key match
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
should return
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
6. deploy the cert
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
should return
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/YOUR.SERVER.NAME.pkcs12...done.
** Creating keystore file /opt/zimbra/conf/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
(The cp complaint is harmless: it only appears because the command was run from inside the commercial directory.)
(Proxy Install) 7. If you run Zimbra Proxy in front of all your mailbox servers, the proxy is what terminates IMAP/POP/HTTP for the clients, so you only need the certificate created for and installed on that one server (deploycrt still installs it for the MTA, slapd and proxy on that host; the mailbox servers behind the proxy keep their own certificates). Restart the proxy (for IMAP/POP/HTTP):
su - zimbra
zmproxyctl restart
(Mailbox Install) 8. If you are installing a commercial certificate on each mailbox server, restart mailboxd and the proxy (for IMAP/POP):
su - zimbra
zmmailboxdctl restart
zmproxyctl restart
9. Verify your certificate looks correct externally.
http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=SERVER.DOMAIN.NAME&protocol=https
- It's also very handy to have the usage comments from the zmcertmgr script open in a side window.
Installing a GeoTrust Commercial Certificate on ZCS 5.0.x
- As Root:
1. Back up and then clear /opt/zimbra/ssl/zimbra/commercial
cd /opt/zimbra/ssl/zimbra/commercial/
tar -czvf /tmp/ssl.commercial.tar.gz *
rm -rf *
The archive holds the current private key (commercial.key); keep it readable by root only and move it out of /tmp once the new certificate is working.
2. Generate a new CSR (the -new option also generates a new private key); edit the subject on this line for your company details
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"
3. Get it signed
Place the SSL order and paste in the contents of commercial.csr.
Put the returned certificate into commercial.crt using cat or vi.
4. Put your CA chain in place (for GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard: http://www.geocerts.com/support/roots.php )
wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
Please note that as of July 22, 2010, GeoTrust uses an intermediate CA (GeoTrust KB article: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 ). You will need to download the two files below and splice them together with the Equifax root. Keep the same order as in the 6.0.x section above, intermediate bundle first and the Equifax root last, and make sure each file is PEM (starts with -----BEGIN CERTIFICATE-----) and ends with a newline:
wget https://knowledge.geotrust.com/library/VERISIGN/ALL_OTHER/geotrust%20ca/QuickSSL_CA_Bundle.pem
wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer
cat QuickSSL_CA_Bundle.pem GeoTrust_Global_CA.cer Equifax_Secure_Certificate_Authority.cer > commercial_ca.crt
5. verify that the cert and key match
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
should return
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK
6. deploy the cert
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Pass the chain file built in step 4 as the second argument. Without it the 5.0.x script appears to wait on standard input for the chain (the CTRL-D behaviour noted below); the 5.0.x renewal procedure further down uses the same two-argument form.
QUESTION: When performing this command it stops until the user presses CTRL-D, and then it finishes. It seems to be expecting one more parameter (ca_chain_file). I don't think all implementations would require this parameter (we don't) so not sure why the zmcertmgr is waiting for that final parameter or the CTRL-D. Put different instructions here?
7. Restart the webserver
su - zimbra
zmmailboxdctl restart
8. Restart the proxy (for IMAP/POP)
su - zimbra
zmproxyctl restart
- It's also very handy to have the usage comments from the zmcertmgr script open in a side window.
Upgrading a GeoTrust Commercial Certificate on ZCS 5.0.x
- Commands are run as root or sudo user:
1. Create a backup of files in /opt/zimbra/ssl/zimbra/commercial
cd /opt/zimbra/ssl/zimbra/commercial/
tar -czvf /tmp/ssl.commercial.backup.tar.gz *
2. Assemble the new set of files in a scratch directory so they can be checked before anything is deployed (a fresh CA file had to be downloaded, as listed below). The directory holds a copy of the private key, so create it readable by root only.
mkdir -m 700 /tmp/renewalcert
cd /tmp/renewalcert
cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/renewalcert
wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt
vi /tmp/renewalcert/tmp.crt [paste your new cert here]
openssl x509 -in tmp.crt -noout -text [check the subject, issuer and validity dates]
openssl x509 -in tmp.crt -out new.crt
cp new.crt commercial.crt
Do not concatenate commercial_ca.crt onto commercial.crt here: deploycrt appends the chain itself (see the "Appending ca chain" line in step 4), so it would end up in the file twice. If the renewed certificate was issued from an intermediate CA (GeoTrust has done so since July 2010), commercial_ca.crt must contain the intermediate bundle as well as the root, in the order described in step 4 of the install section above.
3. Verify that cert, key and CA file match
/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/renewalcert/commercial.key /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt
should return
** Verifying /tmp/renewalcert/commercial.crt against /tmp/renewalcert/commercial.key
Certificate (/tmp/renewalcert/commercial.crt) and private key (/tmp/renewalcert/commercial.key) match.
Valid Certificate: /tmp/renewalcert/commercial.crt: OK
4. Deploy the renewal cert
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt
should return
** Verifying /tmp/renewalcert/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/renewalcert/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/renewalcert/commercial.crt: OK
** Copying /tmp/renewalcert/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/renewalcert/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
5. Restart Zimbra
su - zimbra
zmcontrol stop; zmcontrol start;
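The three zmcertmgr procedures above all rest on the same two checks: the chain bundle has to be ordered intermediate first and root last, and the server certificate has to belong to the private key (what verifycrt confirms). The script below is an added example, not part of the original page or of zmcertmgr; it performs both checks with plain openssl so they can be run on the files before deploycrt installs them anywhere. The root, cross root, intermediate and server certificates it uses are generated locally as a stand-in for the GeoTrust chain, and the function names (build_bundle, chain_order_ok, chain_valid, key_matches) are this example's own; nothing is downloaded from GeoTrust.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki page or the zmcertmgr script):
# the checks behind the "put your CA in place" and "verify that the cert
# and key match" steps, done with plain openssl.
#   build_bundle   - assemble commercial_ca.crt, intermediate first, root last,
#                    re-encoding each file so a DER .cer download or a missing
#                    trailing newline cannot corrupt the bundle
#   chain_order_ok - confirm each certificate is issued by the one after it
#   chain_valid    - confirm the server certificate verifies up to the root
#   key_matches    - confirm the certificate belongs to the private key
# The "Demo Root", "Demo Cross Root", "Demo Intermediate" and "mail.example.test"
# certificates are constructed here; they stand in for the GeoTrust chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=CA:TRUE\n'  > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# mkcert NAME SUBJECT EXTFILE [ISSUER]: constructed demo PKI with 2048-bit RSA keys.
# Without ISSUER the certificate is self-signed (the root).
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    if [ -z "${4:-}" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -extfile "$3" -days 1 -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
            -CAcreateserial -extfile "$3" -days 1 -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# to_pem FILE: print FILE as PEM whether the CA shipped it PEM- or DER-encoded.
to_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null || openssl x509 -in "$1" -inform DER
}

# build_bundle OUT CERT...: write the CA bundle in argument order, one clean PEM block each.
build_bundle() {
    out=$1; shift
    : > "$out"
    for c in "$@"; do to_pem "$c" >> "$out"; done
}

# split_bundle BUNDLE DIR: one file per certificate (DIR/1.pem, DIR/2.pem, ...); prints the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$1"
}

# chain_order_ok LEAF BUNDLE: succeeds only if leaf, intermediate, cross root and root
# appear in that order, i.e. each certificate's issuer is the subject of the next one.
chain_order_ok() {
    d=$(mktemp -d "$WORK/order.XXXXXX")
    cat "$1" "$2" > "$d/all.pem"
    n=$(split_bundle "$d/all.pem" "$d")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer -nameopt RFC2253)
        subject=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject -nameopt RFC2253)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
}

# chain_valid LEAF BUNDLE ROOT: does LEAF verify up to ROOT with BUNDLE as untrusted intermediates?
chain_valid() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# key_matches CERT KEY: the check "zmcertmgr verifycrt" performs, via the public key's digest.
key_matches() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

mkcert root  "/CN=Demo Root"         "$WORK/ca.ext"
mkcert cross "/CN=Demo Cross Root"   "$WORK/ca.ext"   root
mkcert inter "/CN=Demo Intermediate" "$WORK/ca.ext"   cross
mkcert leaf  "/CN=mail.example.test" "$WORK/leaf.ext" inter
openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/root.cer"   # DER, like a vendor .cer

build_bundle "$WORK/good_ca.crt" "$WORK/inter.pem" "$WORK/cross.pem" "$WORK/root.cer"
build_bundle "$WORK/bad_ca.crt"  "$WORK/root.cer"  "$WORK/cross.pem" "$WORK/inter.pem"   # root on top

chain_order_ok "$WORK/leaf.pem" "$WORK/good_ca.crt" && echo "good_ca.crt: order ok"
chain_order_ok "$WORK/leaf.pem" "$WORK/bad_ca.crt"  || echo "bad_ca.crt: wrong order, root must be last"
chain_valid    "$WORK/leaf.pem" "$WORK/good_ca.crt" "$WORK/root.pem" && echo "leaf verifies to root"
key_matches    "$WORK/leaf.pem" "$WORK/leaf.key"    && echo "certificate and key match"
```

build_bundle re-encodes every input through openssl, which takes care of the two things the instructions warn about: a .cer that turns out to be DER rather than PEM, and a file without a trailing newline that would glue two PEM blocks together. Against a live server, save what it sends with openssl s_client -showcerts and run chain_order_ok over that; deploycrt copies the bundle to the MTA, slapd and proxy, so a wrongly ordered bundle is served to every client.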
Installing a GeoTrust Commercial Certificate on ZCS 4.5.x
These instructions were tested on Zimbra 4.5 using some of the included scripts for certificate handling.
1. Back up your keystore
sudo -u zimbra cp /opt/zimbra/tomcat/conf/keystore /opt/zimbra/tomcat/conf/keystore.bak
2. su zimbra
3. Create a new file, or a copy of bin/zmcreatecert, containing this script (personalize the bits marked with *** to match your settings)
#!/bin/bash
# Generates a self-signed cert for slapd and perdition and a CSR for tomcat.
# Derived from bin/zmcreatecert; edit the values marked *** before running.

source /opt/zimbra/bin/zmshutil || exit 1
zmsetvars

CONF=/opt/zimbra/conf
TCONF=/opt/zimbra/tomcat/conf
B=/opt/zimbra/ssl
BASE=${B}/ssl

JAVA_HOME=${zimbra_java_home}
if [ -f "${JAVA_HOME}/lib/security/cacerts" ]; then
  CACERTS=${JAVA_HOME}/lib/security/cacerts
else
  CACERTS=${JAVA_HOME}/jre/lib/security/cacerts
fi

TOMCAT=/opt/zimbra/tomcat/conf

# Fresh OpenSSL CA database for "openssl ca" (configured via zmssl.cnf below)
rm -rf ${BASE}/newCA
mkdir -p ${BASE}/ca
mkdir -p ${BASE}/newCA/newcerts
touch ${BASE}/newCA/index.txt
mkdir -p ${BASE}/cert
mkdir -p ${BASE}/server
mkdir -p ${TCONF}

hostname="mail.domain.com"   # *** set this to your full host name ***
if [ "x$1" != "x" ]; then
  hostname=$1
  shift
fi

# Render zmssl.cnf with the host name and any extra names given on the command line
createConf() {
  ALTNAMES=""
  for alt in $*; do
    if [ "x$ALTNAMES" = "x" ]; then
      ALTNAMES="subjectAltName = DNS:${hostname},DNS:${alt}"
    else
      ALTNAMES="${ALTNAMES},DNS:${alt}"
    fi
  done
  sed -e "s/@@HOSTNAME@@/$hostname/" \
      -e "s/@@ALTNAMES@@/$ALTNAMES/" ${CONF}/zmssl.cnf.in > ${BASE}/zmssl.cnf
}

# New tomcat keystore and key pair (the original used 1024-bit keys; CAs have
# required 2048-bit keys since 2010)
createKeyStore() {
  echo "** Creating keystore"
  echo
  rm -f ${TCONF}/keystore
  keytool -validity 730 -genkey \
    -dname "CN=$hostname, OU=***Your Org Unit***, O=***Your Company***, L=***Your City***, S=***Your State***, C=US" \
    -alias tomcat -keyalg RSA -keysize 2048 -keystore ${TCONF}/keystore \
    -storetype JKS -storepass zimbra -keypass zimbra
}

# CSR for slapd/perdition (OpenSSL) and CSR for tomcat (from the keystore)
createCertReq() {
  echo "** Creating server cert request"
  echo
  openssl req -new -nodes -out ${BASE}/server/server.csr \
    -keyout ${BASE}/server/server.key -newkey rsa:2048 \
    -config ${BASE}/zmssl.cnf -batch
  keytool -certreq -keyalg RSA -alias tomcat -file ${BASE}/server/tomcat.csr \
    -keystore ${TCONF}/keystore -storepass zimbra
  # keytool writes "NEW CERTIFICATE REQUEST" headers; CAs expect the plain form
  cp ${BASE}/server/tomcat.csr /tmp/tomcat.csr.$$
  sed -e 's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' /tmp/tomcat.csr.$$ \
    > ${BASE}/server/tomcat.csr
  rm -f /tmp/tomcat.csr.$$
}

# Sign the OpenSSL CSR with the local Zimbra CA and install it for slapd and perdition
signCertReq() {
  echo "** Signing cert request"
  echo
  openssl ca -out ${BASE}/server/server.crt -notext \
    -config ${BASE}/zmssl.cnf -in ${BASE}/server/server.csr \
    -keyfile ${BASE}/ca/ca.key -cert ${BASE}/ca/ca.pem -batch
  cp ${BASE}/server/server.crt ${CONF}/slapd.crt
  cp ${BASE}/server/server.key ${CONF}/slapd.key
  cp ${BASE}/server/server.crt ${CONF}/perdition.pem
  cp ${BASE}/server/server.key ${CONF}/perdition.key
  mkdir -p ${CONF}/ca
  cp ${BASE}/ca/ca.key ${CONF}/ca/ca.key
  cp ${BASE}/ca/ca.pem ${CONF}/ca/ca.pem
}

createConf $@
createKeyStore
createCertReq
signCertReq

# Keys live under ${B}; keep them out of reach of other users
chmod -R 700 ${B}
4. Run this newly created script
Essentially this script generates and signs a new certificate for slapd and perdition, and also generates a signing request for tomcat. The signing request for tomcat will be in /opt/zimbra/ssl/ssl/server/tomcat.csr. Take the contents of the CSR and submit them to your certificate authority (GeoTrust in this case). You will then receive a certificate by email.
5. Take the certificate from the authority and paste it into /opt/zimbra/ssl/ssl/server/tomcat.pem
6. Run the command
openssl x509 -in tomcat.pem -inform PEM -outform DER -out tomcat.crt
This will convert the certificate into binary DER format which keytool likes.
You will also need to download the root CA from GeoTrust; it can be found at www.geotrust.com/resources/root_certificates/index.asp
- for a TrueBusinessID certificate, download the Equifax Secure Certificate Authority file in DER encoded X.509 format
- for a QuickSSL certificate, download the Equifax Secure Global eBusiness CA-1 file in DER encoded X.509 format
7. Put whichever file you needed in /opt/zimbra/ssl/ssl/geotrust.crt
8. Run the command as root
keytool -import -alias geotrustca -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/geotrust.crt -storepass changeit
(If this says the certificate already exists in the keystore, don't overwrite the existing one, and skip to the next step.)
9. Run the command as root
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
10. Run the command as zimbra
keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt -storepass zimbra
11. Run the command as zimbra
/opt/zimbra/bin/tomcat restart
(or restart Zimbra with zmcontrol stop && zmcontrol start)
12. If all went as planned you should now be able to access https://your.mailsite.com
13. If you receive "page cannot be displayed", copy /opt/zimbra/tomcat/conf/keystore.bak back to /opt/zimbra/tomcat/conf/keystore and restart tomcat again.
14. If you did break tomcat and did not back up the keystore in step 1, it is possible to get up and running again, with a new self-signed certificate, by doing the following:
- su zimbra
- /opt/zimbra/bin/zmcreateca
- /opt/zimbra/bin/zmcreatecert
- /opt/zimbra/bin/zmcertinstall
15. Test bin/zmprov to make sure it works without giving an untrusted certificate error. If it doesn't, run the following as root (when prompted for a password use changeit):
/opt/zimbra/java/bin/keytool -import -alias tomcat -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt
- Note: All the scripts above were taken directly from the bin/zmcreatecert and bin/zmcertinstall scripts with a little modification.