Installing a GeoTrust Commercial Certificate

Revision as of 15:50, 9 March 2009 by Chewie71 (talk | contribs) (Installing a GeoTrust Commercial Certificate on ZCS 5.0.x)

Installing a GeoTrust Commercial Certificate on ZCS 4.5.x

These instructions were tested on Zimbra 4.5 using some of the included scripts for certificate handling.

1. ***Backup Your Keystore***

    sudo zimbra cp /opt/zimbra/tomcat/conf/keystore /opt/zimbra/tomcat/conf/keystore.bak

2. su zimbra

3. Create a new file or a copy of bin/zmcreatecert to make this script (personalize the bits between *** to match your settings)

source /opt/zimbra/bin/zmshutil || exit 1


if [ -f "${JAVA_HOME}/lib/security/cacerts" ]; then


rm -rf ${BASE}/newCA
mkdir -p ${BASE}/ca
mkdir -p ${BASE}/newCA/newcerts
touch ${BASE}/newCA/index.txt
mkdir -p ${BASE}/cert
mkdir -p ${BASE}/server

mkdir -p ${TCONF}

hostname=***Set this to your full domain name***

if [ "x$1" != "x" ]; then

createConf() {
        for alt in $*; do
                if [ "x$ALTNAMES" = "x" ]; then
                        ALTNAMES="subjectAltName = DNS:${hostname},DNS:${alt}"
        cat ${CONF}/ | sed -e "s/@@HOSTNAME@@/$hostname/" \
                -e "s/@@ALTNAMES@@/$ALTNAMES/" > ${BASE}/zmssl.cnf

createKeyStore() {

        echo "** Creating keystore"

        rm -f ${TCONF}/keystore

        keytool -validity 730 -genkey -dname "CN=$hostname, OU=**Set to Your Org Unit***, O=***Set to Your Company***, L=**Set to Your City***, S=***Set to Your State***, C=US" \
                -alias tomcat -keyalg RSA -keysize 1024 -keystore ${TCONF}/keystore \
                -storetype JKS -storepass zimbra -keypass zimbra


createCertReq() {

        echo "** Creating server cert request"

        openssl req -new -nodes -out ${BASE}/server/server.csr \
                -keyout ${BASE}/server/server.key -newkey rsa:1024 \
                -config ${BASE}/zmssl.cnf -batch

        keytool -certreq -keyalg RSA -alias tomcat -file \
                ${BASE}/server/tomcat.csr -keystore \
                ${TCONF}/keystore -storepass zimbra

        cp ${BASE}/server/tomcat.csr /tmp/tomcat.csr.$$
        cat /tmp/tomcat.csr.$$ | sed -e \
                > ${BASE}/server/tomcat.csr


signCertReq() { 
        echo "** Signing cert request"

        openssl ca -out ${BASE}/server/server.crt -notext \
                -config ${BASE}/zmssl.cnf -in ${BASE}/server/server.csr \
                -keyfile ${BASE}/ca/ca.key -cert ${BASE}/ca/ca.pem -batch

        cp ${BASE}/server/server.crt ${CONF}/slapd.crt
        cp ${BASE}/server/server.key ${CONF}/slapd.key
        cp ${BASE}/server/server.crt ${CONF}/perdition.pem
        cp ${BASE}/server/server.key ${CONF}/perdition.key
        mkdir -p ${CONF}/ca
        cp ${BASE}/ca/ca.key ${CONF}/ca/ca.key
        cp ${BASE}/ca/ca.pem ${CONF}/ca/ca.pem

createConf $@




chmod -R 700 ${B}

4. Run this newly created script

Essentially this script will generate and sign a new certificate for slapd and perdition and also generate a signing request for tomcat. The signing request for tomcat will be in /opt/zimbra/ssl/ssl/server/tomcat.csr Take the contents of the csr and submit them to your certificate authority (Geotrust in this case). You will then receive by email a certificate.

5. Take the certificate from the authority and paste it into /opt/zimbra/ssl/ssl/server/tomcat.pem

6. Run the command openssl x509 -in tomcat.pem -inform PEM -outform DER -out tomcat.crt

This will convert the certificate into binary DER format which keytool likes.

You will also need to download the root ca from Geotrust this can be found at
         - for a TrueBusinessID certificate download the Equifax Secure Certificate Authority file that is in DER encoded X.509 format
         - for a QuickSSL certificate download the Equifax Secure Global eBusiness CA-1 file that is in the DER encoded X.509 format

7. Put whichever file you needed in /opt/zimbra/ssl/ssl/geotrust.crt

8. Run the command as root keytool -import -alias geotrustca -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/geotrust.crt -storepass changeit (If this says the chain already exists, don't overwrite the existing one, and skip to the next step)

9. Run the command as root keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

10. Run the command as zimbra keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt -storepass zimbra

11. Run the command as zimbra /opt/zibmra/bin/tomcat restart (or restart zimbra with zmcontrol stop && zmcontrol start)

12. If all went as planned you should now be able to access

13. If you recieve page cannot be displayed copy the /opt/zimbra/tomcat/conf/keystore.bak to /opt/zimbra/tomcat/conf/keystore and restart tomcat again.

14. If you did break tomcat and did not follow the backup keystore in step 1. It is possible to get up and running again by doing the following.

         - su zimbra
         - /opt/zimbra/bin/zmcreateca
         - /opt/zimbra/bin/zmcreatecert
         - /opt/zimbra/bin/zmcertinstall

15. Test bin/zmprov to make sure it works without giving a untrusted certificate error. If it doesn't, as root run the following (when prompted for a password use changeit)

      /opt/zimbra/java/bin/keytool -import -alias tomcat -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt
  • Note: All the the scripts above were taken directly from the bin/zmcreatecert and bin/zmcertinstall scripts will a little modification.

Installing a GeoTrust Commercial Certificate on ZCS 5.0.x

  • As Root:

1). move all the files in /opt/zimbra/ssl/zimbra/commercial

       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.tar.gz *
       rm -rf *

2. generate a new csr , please edit this line for your company details

       /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"

3.) get it signed

       Place SSL order and paste in the contents of commercial.csr
       Put the certificate into commercial.crt using cat or vi

4. put your CA in place ( For GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard )

       mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt

5. verify that the cert and key match

       /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
should return
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK

6. deploy the cert

       /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt

QUESTION: When performing this command it stops until the user presses CTRL-D, and then it finishes. It seems to be expecting one more parameter (ca_chain_file). I don't think all implementations would require this parameter (we don't) so not sure why the zmcertmgr is waiting for that final parameter or the CTRL-D. Put different instructions here?

7. restart the webserver

       su - zimbra
       zmmailboxdctl restart

8. restart the proxy (for IMAP/POP)

       su - zimbra
       zmproxyctl restart
  • It's also very handy to have a copy of the comments for zmcertmgr around in a side window.
Verified Against: ZCS 4.5.x & ZCS 5.0.x Date Created: 9/19/2008
Article ID: Date Modified: 2009-03-09

Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search