Installing a GeoTrust Commercial Certificate
Installing a GeoTrust Commercial Certificate on ZCS 5.0.x
- As root:
1. Back up and then remove all the files in /opt/zimbra/ssl/zimbra/commercial
cd /opt/zimbra/ssl/zimbra/commercial/
tar -czvf /tmp/ssl.commercial.tar.gz *
rm -rf *
2. Generate a new CSR; edit the subject on this line for your company details
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ChangeMe, Inc./CN=mail.CHANGEME.zxy"
3. Get it signed
Place the SSL order and paste in the contents of commercial.csr. Put the certificate you receive into commercial.crt using cat or vi.
4. Put your CA in place (for GeoTrust QuickSSL, QuickSSL Premium, True BusinessID and Wildcard see http://www.geocerts.com/support/roots.php)
wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt
Please note that as of July 22, 2010, GeoTrust uses an intermediate CA (see the GeoTrust KB article). You will need to download the two files below and splice them together:
wget https://knowledge.geotrust.com/library/VERISIGN/ALL_OTHER/geotrust%20ca/QuickSSL_CA_Bundle.pem
wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer
cat QuickSSL_CA_Bundle.pem GeoTrust_Global_CA.cer >> commercial_ca.crt
5. verify that the cert and key match
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
should return
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK
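As an added example that is not part of the original article, the following POSIX shell script does the CA-bundle assembly of step 4 and the key/certificate match check of step 5 with plain openssl, handles the case where a vendor .cer download is DER rather than PEM (a bare cat of such a file produces an unusable bundle), and additionally checks that the server certificate chains to the bundle. The file names and the throw-away test CA are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): normalise CA downloads to
# PEM, build a chain file, and check that a server certificate matches its
# key and chains to that bundle. All file names here are constructed.
set -e

# Print a certificate as PEM whether the input file is PEM or DER.
# Vendor .cer downloads are often DER, which cannot just be concatenated.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    openssl x509 -in "$1" -inform PEM
  else
    openssl x509 -in "$1" -inform DER
  fi
}

# build_chain OUT CA... : write every CA file (PEM or DER) into OUT as PEM.
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do to_pem "$f" >> "$out"; done
}

# cert_matches_key CRT KEY : succeed only if both carry the same public key
# (the same property "zmcertmgr verifycrt" reports as "match").
cert_matches_key() {
  c=$(openssl x509 -noout -pubkey -in "$1")
  k=$(openssl pkey -pubout -in "$2")
  [ "$c" = "$k" ]
}

# cert_chains_to CRT CAFILE : succeed only if CRT verifies against CAFILE.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed fixtures: a throw-away CA saved in DER form, plus a server
# key/cert it signs, mimicking the commercial.key / commercial.crt pair.
make_fixtures() {
  d=${1:-.}
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.cer"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/commercial.csr" -CA "$d/ca.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/commercial.crt" 2>/dev/null
}
```

Run cert_chains_to against the bundle you intend to hand to zmcertmgr; if it fails, the intermediate is missing or one of the downloads was not PEM.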
6. deploy the cert
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt
QUESTION: When performing this command it stops until the user presses CTRL-D, and then it finishes. It seems to be expecting one more parameter (ca_chain_file). I don't think all implementations would require this parameter (we don't) so not sure why the zmcertmgr is waiting for that final parameter or the CTRL-D. Put different instructions here?
7. restart the webserver
su - zimbra
zmmailboxdctl restart
8. restart the proxy (for IMAP/POP)
su - zimbra
zmproxyctl restart
- It's also very handy to have a copy of the comments for zmcertmgr around in a side window.
Upgrading a GeoTrust Commercial Certificate on ZCS 5.0.x
- Commands are run as root or sudo user:
1. Create a backup of files in /opt/zimbra/ssl/zimbra/commercial
cd /opt/zimbra/ssl/zimbra/commercial/
tar -czvf /tmp/ssl.commercial.backup.tar.gz *
2. Create your new set of files (to test whether they are valid); note that I had to download a new CA file, as listed below
mkdir /tmp/renewalcert
cd /tmp/renewalcert
cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/renewalcert
wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
mv Equifax_Secure_Certificate_Authority.cer commercial_ca.crt
vi /tmp/renewalcert/tmp.crt   [paste your new cert here]
openssl x509 -in tmp.crt -out new.crt -text
cat new.crt commercial_ca.crt > commercial.crt
3. Verify that cert, key and CA file match
/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/renewalcert/commercial.key /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt
should return
** Verifying /tmp/renewalcert/commercial.crt against /tmp/renewalcert/commercial.key
Certificate (/tmp/renewalcert/commercial.crt) and private key (/tmp/renewalcert/commercial.key) match.
Valid Certificate: /tmp/renewalcert/commercial.crt: OK
4. Deploy the renewal cert
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/renewalcert/commercial.crt /tmp/renewalcert/commercial_ca.crt
should return
** Verifying /tmp/renewalcert/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/renewalcert/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/renewalcert/commercial.crt: OK
** Copying /tmp/renewalcert/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/renewalcert/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
5. Restart zimbra
su - zimbra
zmcontrol stop; zmcontrol start
Installing a GeoTrust Commercial Certificate on ZCS 4.5.x
These instructions were tested on Zimbra 4.5 using some of the included scripts for certificate handling.
1. ***Backup Your Keystore***
sudo -u zimbra cp /opt/zimbra/tomcat/conf/keystore /opt/zimbra/tomcat/conf/keystore.bak
2. su zimbra
3. Create a new file or a copy of bin/zmcreatecert to make this script (personalize the bits between *** to match your settings)
#!/bin/bash
source /opt/zimbra/bin/zmshutil || exit 1
zmsetvars

CONF=/opt/zimbra/conf
TCONF=/opt/zimbra/tomcat/conf
B=/opt/zimbra/ssl
BASE=${B}/ssl
JAVA_HOME=${zimbra_java_home}
if [ -f "${JAVA_HOME}/lib/security/cacerts" ]; then
  CACERTS=${JAVA_HOME}/lib/security/cacerts
else
  CACERTS=${JAVA_HOME}/jre/lib/security/cacerts
fi
TOMCAT=/opt/zimbra/tomcat/conf

# Working directories under /opt/zimbra/ssl/ssl
rm -rf ${BASE}/newCA
mkdir -p ${BASE}/ca
mkdir -p ${BASE}/newCA/newcerts
touch ${BASE}/newCA/index.txt
mkdir -p ${BASE}/cert
mkdir -p ${BASE}/server
mkdir -p ${TCONF}

hostname=***Set this to your full domain name mail.domain.com***
# An explicit first argument overrides the hostname; any further arguments become subjectAltNames
if [ "x$1" != "x" ]; then
  hostname=$1
  shift;
fi

# Build the openssl config from Zimbra's template, filling in hostname and altnames
createConf() {
  ALTNAMES=""
  for alt in $*; do
    if [ "x$ALTNAMES" = "x" ]; then
      ALTNAMES="subjectAltName = DNS:${hostname},DNS:${alt}"
    else
      ALTNAMES="${ALTNAMES},DNS:${alt}"
    fi
  done
  cat ${CONF}/zmssl.cnf.in | sed -e "s/@@HOSTNAME@@/$hostname/" \
    -e "s/@@ALTNAMES@@/$ALTNAMES/" > ${BASE}/zmssl.cnf
}

# Create a fresh tomcat keystore holding the key pair the CA will sign
createKeyStore() {
  echo "** Creating keystore"
  echo
  rm -f ${TCONF}/keystore
  keytool -validity 730 -genkey -dname "CN=$hostname, OU=***Set to Your Org Unit***, O=***Set to Your Company***, L=***Set to Your City***, S=***Set to Your State***, C=US" \
    -alias tomcat -keyalg RSA -keysize 1024 -keystore ${TCONF}/keystore \
    -storetype JKS -storepass zimbra -keypass zimbra
}

# Generate the slapd/perdition CSR with openssl and the tomcat CSR from the keystore
createCertReq() {
  echo "** Creating server cert request"
  echo
  openssl req -new -nodes -out ${BASE}/server/server.csr \
    -keyout ${BASE}/server/server.key -newkey rsa:1024 \
    -config ${BASE}/zmssl.cnf -batch
  keytool -certreq -keyalg RSA -alias tomcat -file \
    ${BASE}/server/tomcat.csr -keystore \
    ${TCONF}/keystore -storepass zimbra
  # keytool writes "NEW CERTIFICATE REQUEST" headers; normalise them for the CA
  cp ${BASE}/server/tomcat.csr /tmp/tomcat.csr.$$
  cat /tmp/tomcat.csr.$$ | sed -e \
    's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' \
    > ${BASE}/server/tomcat.csr
}

# Sign the openssl CSR with the local Zimbra CA and install it for slapd and perdition
signCertReq() {
  echo "** Signing cert request"
  echo
  openssl ca -out ${BASE}/server/server.crt -notext \
    -config ${BASE}/zmssl.cnf -in ${BASE}/server/server.csr \
    -keyfile ${BASE}/ca/ca.key -cert ${BASE}/ca/ca.pem -batch
  cp ${BASE}/server/server.crt ${CONF}/slapd.crt
  cp ${BASE}/server/server.key ${CONF}/slapd.key
  cp ${BASE}/server/server.crt ${CONF}/perdition.pem
  cp ${BASE}/server/server.key ${CONF}/perdition.key
  mkdir -p ${CONF}/ca
  cp ${BASE}/ca/ca.key ${CONF}/ca/ca.key
  cp ${BASE}/ca/ca.pem ${CONF}/ca/ca.pem
}

createConf $@
createKeyStore
createCertReq
signCertReq
# Private keys live under /opt/zimbra/ssl; keep them readable by the owner only
chmod -R 700 ${B}
4. Run this newly created script
Essentially this script will generate and sign a new certificate for slapd and perdition and also generate a signing request for tomcat. The signing request for tomcat will be in /opt/zimbra/ssl/ssl/server/tomcat.csr. Take the contents of the CSR and submit them to your certificate authority (GeoTrust in this case). You will then receive a certificate by email.
5. Take the certificate from the authority and paste it into /opt/zimbra/ssl/ssl/server/tomcat.pem
6. Run the command
openssl x509 -in tomcat.pem -inform PEM -outform DER -out tomcat.crt
This converts the certificate into binary DER format, which keytool accepts.
You will also need to download the root CA from GeoTrust; this can be found at www.geotrust.com/resources/root_certificates/index.asp
- for a TrueBusinessID certificate, download the Equifax Secure Certificate Authority file that is in DER encoded X.509 format
- for a QuickSSL certificate, download the Equifax Secure Global eBusiness CA-1 file that is in DER encoded X.509 format
7. Put whichever file you needed in /opt/zimbra/ssl/ssl/geotrust.crt
8. Run the command as root
keytool -import -alias geotrustca -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/geotrust.crt -storepass changeit
(If this says the chain already exists, don't overwrite the existing one, and skip to the next step)
9. Run the command as root
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
10. Run the command as zimbra
keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt -storepass zimbra
11. Run the command as zimbra
/opt/zimbra/bin/tomcat restart
(or restart zimbra with zmcontrol stop && zmcontrol start)
12. If all went as planned you should now be able to access https://your.mailsite.com
13. If you receive "page cannot be displayed", copy /opt/zimbra/tomcat/conf/keystore.bak back to /opt/zimbra/tomcat/conf/keystore and restart tomcat again.
14. If you did break tomcat and did not back up the keystore in step 1, it is possible to get up and running again by doing the following.
- su zimbra
- /opt/zimbra/bin/zmcreateca
- /opt/zimbra/bin/zmcreatecert
- /opt/zimbra/bin/zmcertinstall
15. Test bin/zmprov to make sure it works without giving an untrusted certificate error. If it doesn't, as root run the following (when prompted for a password use changeit)
/opt/zimbra/java/bin/keytool -import -alias tomcat -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/server/tomcat.crt
- Note: All the scripts above were taken directly from the bin/zmcreatecert and bin/zmcertinstall scripts with a little modification.