Difference between revisions of "Installing a GeoTrust Commercial Certificate"

(Adding article footer and category)
m (Installing a GeoTrust Commercial Certificate on ZCS 5.0.x)
Line 197: Line 197:
  
 
         /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt
 
         /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt
 +
 +
QUESTION:  When performing this command it stops until the user presses CTRL-D, and then it finishes.  It seems to be expecting one more parameter (ca_chain_file).  I don't think all implementations would require this parameter (we don't) so not sure why the zmcertmgr is waiting for that final parameter or the CTRL-D.  Put different instructions here?
  
 
'''7. restart the webserver
 
'''7. restart the webserver
Line 202: Line 204:
 
         su - zimbra
 
         su - zimbra
 
         zmmailboxdctl restart
 
         zmmailboxdctl restart
 +
 +
'''8. restart the proxy (for IMAP/POP)
 +
 +
        su - zimbra
 +
        zmproxyctl restart
  
 
*It's also very handy to have a copy of the comments for zmcertmgr around in a side window.
 
*It's also very handy to have a copy of the comments for zmcertmgr around in a side window.

Revision as of 15:50, 9 March 2009


Installing a GeoTrust Commercial Certificate on ZCS 4.5.x

These instructions were tested on Zimbra 4.5 using some of the included scripts for certificate handling.

1. ***Backup Your Keystore***

    sudo zimbra cp /opt/zimbra/tomcat/conf/keystore /opt/zimbra/tomcat/conf/keystore.bak

2. su zimbra

3. Create a new file or a copy of bin/zmcreatecert to make this script (personalize the bits between *** to match your settings)

#!/bin/bash
source /opt/zimbra/bin/zmshutil || exit 1
zmsetvars

CONF=/opt/zimbra/conf
TCONF=/opt/zimbra/tomcat/conf
B=/opt/zimbra/ssl
BASE=${B}/ssl

JAVA_HOME=${zimbra_java_home}
if [ -f "${JAVA_HOME}/lib/security/cacerts" ]; then
        CACERTS=${JAVA_HOME}/lib/security/cacerts
else
        CACERTS=${JAVA_HOME}/jre/lib/security/cacerts
fi


TOMCAT=/opt/zimbra/tomcat/conf

rm -rf ${BASE}/newCA
mkdir -p ${BASE}/ca
mkdir -p ${BASE}/newCA/newcerts
touch ${BASE}/newCA/index.txt
mkdir -p ${BASE}/cert
mkdir -p ${BASE}/server

mkdir -p ${TCONF}

hostname=***Set this to your full domain name mail.domain.com***

if [ "x$1" != "x" ]; then
        hostname=$1
        shift;
fi

createConf() {
        ALTNAMES=""
        for alt in $*; do
                if [ "x$ALTNAMES" = "x" ]; then
                        ALTNAMES="subjectAltName = DNS:${hostname},DNS:${alt}"
                else
                        ALTNAMES="${ALTNAMES},DNS:${alt}"
                fi
        done
        cat ${CONF}/zmssl.cnf.in | sed -e "s/@@HOSTNAME@@/$hostname/" \
                -e "s/@@ALTNAMES@@/$ALTNAMES/" > ${BASE}/zmssl.cnf
}


createKeyStore() {

        echo "** Creating keystore"
        echo

        rm -f ${TCONF}/keystore

        keytool -validity 730 -genkey -dname "CN=$hostname, OU=**Set to Your Org Unit***, O=***Set to Your Company***, L=**Set to Your City***, S=***Set to Your State***, C=US" \
                -alias tomcat -keyalg RSA -keysize 1024 -keystore ${TCONF}/keystore \
                -storetype JKS -storepass zimbra -keypass zimbra

}

createCertReq() {

        echo "** Creating server cert request"
        echo

        openssl req -new -nodes -out ${BASE}/server/server.csr \
                -keyout ${BASE}/server/server.key -newkey rsa:1024 \
                -config ${BASE}/zmssl.cnf -batch

        keytool -certreq -keyalg RSA -alias tomcat -file \
                ${BASE}/server/tomcat.csr -keystore \
                ${TCONF}/keystore -storepass zimbra

        cp ${BASE}/server/tomcat.csr /tmp/tomcat.csr.$$
        cat /tmp/tomcat.csr.$$ | sed -e \
                's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' \
                > ${BASE}/server/tomcat.csr

}

signCertReq() { 
        echo "** Signing cert request"
        echo

        openssl ca -out ${BASE}/server/server.crt -notext \
                -config ${BASE}/zmssl.cnf -in ${BASE}/server/server.csr \
                -keyfile ${BASE}/ca/ca.key -cert ${BASE}/ca/ca.pem -batch

        cp ${BASE}/server/server.crt ${CONF}/slapd.crt
        cp ${BASE}/server/server.key ${CONF}/slapd.key
        cp ${BASE}/server/server.crt ${CONF}/perdition.pem
        cp ${BASE}/server/server.key ${CONF}/perdition.key
        mkdir -p ${CONF}/ca
        cp ${BASE}/ca/ca.key ${CONF}/ca/ca.key
        cp ${BASE}/ca/ca.pem ${CONF}/ca/ca.pem
}

createConf $@

createKeyStore

createCertReq

signCertReq

chmod -R 700 ${B}

4. Run this newly created script

Essentially this script will generate and sign a new certificate for slapd and perdition and also generate a signing request for tomcat. The signing request for tomcat will be in /opt/zimbra/ssl/ssl/server/tomcat.csr Take the contents of the csr and submit them to your certificate authority (Geotrust in this case). You will then receive by email a certificate.

5. Take the certificate from the authority and paste it into /opt/zimbra/ssl/ssl/server/tomcat.pem

6. Run the command openssl x509 -in tomcat.pem -inform PEM -outform DER -out tomcat.crt

This will convert the certificate into binary DER format which keytool likes.

You will also need to download the root ca from Geotrust this can be found at

    www.geotrust.com/resources/root_certificates/index.asp
         - for a TrueBusinessID certificate download the Equifax Secure Certificate Authority file that is in DER encoded X.509 format
         - for a QuickSSL certificate download the Equifax Secure Global eBusiness CA-1 file that is in the DER encoded X.509 format

7. Put whichever file you needed in /opt/zimbra/ssl/ssl/geotrust.crt

8. Run the command as root keytool -import -alias geotrustca -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/geotrust.crt -storepass changeit (If this says the chain already exists, don't overwrite the existing one, and skip to the next step)

9. Run the command as root keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

10. Run the command as zimbra keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt -storepass zimbra

11. Run the command as zimbra /opt/zibmra/bin/tomcat restart (or restart zimbra with zmcontrol stop && zmcontrol start)

12. If all went as planned you should now be able to access https://your.mailsite.com

13. If you recieve page cannot be displayed copy the /opt/zimbra/tomcat/conf/keystore.bak to /opt/zimbra/tomcat/conf/keystore and restart tomcat again.

14. If you did break tomcat and did not follow the backup keystore in step 1. It is possible to get up and running again by doing the following.

         - su zimbra
         - /opt/zimbra/bin/zmcreateca
         - /opt/zimbra/bin/zmcreatecert
         - /opt/zimbra/bin/zmcertinstall

15. Test bin/zmprov to make sure it works without giving a untrusted certificate error. If it doesn't, as root run the following (when prompted for a password use changeit)

      /opt/zimbra/java/bin/keytool -import -alias tomcat -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt
  • Note: All the the scripts above were taken directly from the bin/zmcreatecert and bin/zmcertinstall scripts will a little modification.

Installing a GeoTrust Commercial Certificate on ZCS 5.0.x

  • As Root:

1). move all the files in /opt/zimbra/ssl/zimbra/commercial

       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.tar.gz *
       rm -rf *

2. generate a new csr , please edit this line for your company details

       /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"

3.) get it signed

       Place SSL order and paste in the contents of commercial.csr
       Put the certificate into commercial.crt using cat or vi

4. put your CA in place ( For GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard http://www.geocerts.com/support/roots.php )

       wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
       mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt
       

5. verify that the cert and key match

       /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
should return
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK

6. deploy the cert

       /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt

QUESTION: When performing this command it stops until the user presses CTRL-D, and then it finishes. It seems to be expecting one more parameter (ca_chain_file). I don't think all implementations would require this parameter (we don't) so not sure why the zmcertmgr is waiting for that final parameter or the CTRL-D. Put different instructions here?

7. restart the webserver

       su - zimbra
       zmmailboxdctl restart

8. restart the proxy (for IMAP/POP)

       su - zimbra
       zmproxyctl restart
  • It's also very handy to have a copy of the comments for zmcertmgr around in a side window.
Verified Against: ZCS 4.5.x & ZCS 5.0.x Date Created: 9/19/2008
Article ID: https://wiki.zimbra.com/index.php?title=Installing_a_GeoTrust_Commercial_Certificate Date Modified: 2009-03-09



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search