Installing a GoDaddy Commercial Certificate: Difference between revisions

m (Updated to reflect my experience and this thread http://www.zimbra.com/forums/installation/17927-trying-install-quickssl-certificate-without-any-luck.html)
No edit summary
Line 22: Line 22:


Once you have uploaded these files, restart Zimbra services.
Once you have uploaded these files, restart Zimbra services.
==Command line Instructions==
If you are failing to install the certificate from admin console, use these steps to install it from command line.
1. Copy the server certificate to /opt/zimbra/ssl/zimbra/commercial  directory and rename it to commercial.crt
2. Create a file commercial_ca.crt in /opt/zimbra/ssl/zimbra/commercial directory and concatenate above mentioned three chain certificate in it.
  cat gd_cross_intermediate.crt gd_intermediate.crt gd-class2-root.crt >> /opt/zimbra/ssl/zimbra/commercial_ca.crt
3. Make sure /opt/zimbra/ssl/zimbra/commercial.key file exists and has 740 permission.
4. Run this command as root to verify the certificate:
  /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
5. If output of above command looks good, then you can proceed to deploy the certificate. Run as root:
  /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
Once the cert is installed, restart zmcontrol.
zmcontrol stop; zmcontrol start


=4.5.x=
=4.5.x=
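Review bot: The `cat` in step 2 redirects to /opt/zimbra/ssl/zimbra/commercial_ca.crt, but the step text and the verifycrt and deploycrt commands in steps 4 and 5 read /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt, so the redirect should point into the commercial/ directory or verifycrt will not see the chain. The `>>` also appends to any file already there, so running the step twice doubles the chain; `>` would match "Create a file". Step 3 asks for mode 740 on the private key, which leaves it group-readable; it would help to say which group is meant to read it.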

Revision as of 05:58, 10 January 2009

This article covers importing and installing a GoDaddy commercial certificate on a ZCS 5.0.x server and on a 4.5.x server.

5.0.x

Installation Prerequisites

This article is written for installations that meet the following prerequisites.

  • This is a new certificate.
  • You generated the CSR via the Administration Console.
  • You sent the CSR to get it signed.
  • Download the following files from https://certs.godaddy.com/Repository.go
    • gd-class2-root.crt
    • gd-bundle.crt
    • <server_name>.crt
  • The /opt/zimbra/ssl/zimbra/commercial directory has two files:
    • commercial.key
    • commercial.crt

If your certificate does not meet the above prerequisites, the following installation instructions may not work.

Installation

You can install the certificate by logging in to the Administration Console and uploading the following files.

  • RootCA - gd-class2-root.crt
  • Intermediate - gd-bundle.crt
  • Signed Certificate - <server_name>.crt

Once you have uploaded these files, restart Zimbra services.

Command line Instructions

If installing the certificate from the Administration Console fails, use these steps to install it from the command line.

1. Copy the server certificate to the /opt/zimbra/ssl/zimbra/commercial directory and rename it to commercial.crt.

2. Create a file commercial_ca.crt in the /opt/zimbra/ssl/zimbra/commercial directory and concatenate the three chain certificates into it:

 cat gd_cross_intermediate.crt gd_intermediate.crt gd-class2-root.crt > /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

3. Make sure the file /opt/zimbra/ssl/zimbra/commercial.key exists and has 740 permissions.

4. Run this command as root to verify the certificate:

 /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

5. If the output of the above command looks good, proceed to deploy the certificate. Run as root:

 /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

Once the cert is installed, restart zmcontrol:

 zmcontrol stop; zmcontrol start
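The checks behind steps 3 and 4, as an added example that is not part of the original article or of Zimbra's tooling: it uses the openssl command line to confirm that the private key matches the certificate and that the certificate chains to the CA bundle before zmcertmgr is run. The function names, the demo root CA and mail.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before zmcertmgr verifycrt/deploycrt.

# Number of PEM certificates in a bundle. Appending the chain to an existing
# commercial_ca.crt a second time shows up here as a doubled count.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# True only if "other" has no read bit on the private key.
key_not_world_readable() { [ -z "$(find "$1" -prune -perm -004)" ]; }

# True only if the key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True only if the certificate ($1) chains to the CA bundle ($2).
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# preflight KEY CRT CA_BUNDLE: print the first failing check; return 0 if all pass.
preflight() {
    key_not_world_readable "$1" || { echo "key is world-readable"; return 1; }
    key_matches_cert "$1" "$2"  || { echo "key does not match certificate"; return 1; }
    chain_verifies "$2" "$3"    || { echo "certificate does not chain to bundle"; return 1; }
    echo "ok: $(count_certs "$3") certificate(s) in bundle"
}

# Constructed test material (not GoDaddy's): a demo root, a leaf it signs,
# and an unrelated key, written into directory $1.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$1/ca.key" -out "$1/commercial_ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/commercial.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/commercial_ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -days 1 \
        -out "$1/commercial.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    chmod 740 "$1/commercial.key" "$1/other.key"
}

demo=$(mktemp -d)
make_demo "$demo"
preflight "$demo/commercial.key" "$demo/commercial.crt" "$demo/commercial_ca.crt"
preflight "$demo/other.key" "$demo/commercial.crt" "$demo/commercial_ca.crt" || true
rm -rf "$demo"
```

On a real server, call preflight with the key, certificate and bundle paths used in steps 3 to 5 instead of the demo files.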

4.5.x

(You will be prompted for passwords. Use zimbra for all passwords)

1. Create keystore:

 su - zimbra

 keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore

2. Create CSR (you are creating the commercial.csr file):

 keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore

Note: when it asks you for your first and last name use the common name of your server. For example, if you will ultimately use zimbra.company.com as the URL then that is your common name.

3. Open the commercial.csr file, copy its contents, and paste them into GoDaddy's CSR submission form.

4. Receive digital cert from GoDaddy as a zip file. Unzip and copy the cert and intermediate cert to a directory on the server. For simplicity, complete the commands below from that directory.

5. Import intermediate and root certs from GoDaddy. The intermediate cert is included in the zip file. The root cert is not. Download the root cert for GoDaddy from: https://certificates.starfieldtech.com/Repository.go

To import root cert:

 keytool -import -alias root -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file valicert_class2_root.crt

Note: As of 4/2/2007 - Using RHEL 4 with all updates the Root cert was not needed.

Update: 4/2/2007 - Go to this page: https://certificates.godaddy.com/Repository.go Download the gd_cross_intermediate.crt. You should have received gd_intermediate.crt as part of the zip file from GoDaddy. You will need the cross and the intermediate certificates in order to create the "chain".

To import intermediate cert:

 keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_intermediate.crt

To import the cross cert:

 keytool -import -alias cross -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_cross_intermediate.crt

6. Import digital cert into keystore:

 keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file [FileNameofCert] -storepass zimbra

7. Copy the keystore to the Zimbra Tomcat keystore:

 cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore

8. Restart Tomcat.

9. To turn on HTTPS, use zmtlsctl https to allow HTTP and HTTPS logins, or zmtlsctl mixed to force HTTPS logins while all other traffic uses HTTP.

10. To use your certificate for other services, follow the instructions above under "You can use the same CRT for other services".


Verified Against: ZCS 5.0.x Date Created: 9/17/2008
Article ID: https://wiki.zimbra.com/index.php?title=Installing_a_GoDaddy_Commercial_Certificate Date Modified: 2009-01-10


