Installing a RapidSSL Commercial Certificate: Difference between revisions

No edit summary
(link to SHA2-256 RapidSSL Intermediate CA Bundle)
Line 13: Line 13:
3a. Download the Geotrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and ca_bundle (wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem).<br>
3a. Download the Geotrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and ca_bundle (wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem).<br>
3b. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt
3b. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt
'''If you have a SHA2-256 certificate'''<br>
3c. Download the Geotrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and copy Intermediate CA Bundle from this page https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459 to a file RapidSSL_CA_bundle.pem <br>
3d. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt


4. Deploy the commercial certificate with zmcertmgr as the '''root''' user.
4. Deploy the commercial certificate with zmcertmgr as the '''root''' user.
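Review bot: the added step 3c fetches the GeoTrust root over plain http:// and has the reader paste the intermediate bundle from a web page, with no step to check either file before 3d concatenates them into /tmp/ca_bundle.crt. Suggest adding a step that compares the certificate fingerprints with the values the CA publishes and confirms that the server certificate verifies against the bundle before step 4. Steps 3c and 3d also repeat 3a and 3b except for the source of RapidSSL_CA_bundle.pem, so 3c could state only where the SHA2-256 bundle comes from and then refer back to 3b.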

Revision as of 21:22, 30 October 2014

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 6.0, ZCS 5.0

Installing a RapidSSL Commercial SSL Certificate

Use this article as a guide to installing a GeoTrust / RapidSSL issued SSL certificate with the zmcertmgr tool.

1. You will receive an e-mail from RapidSSL with your commercial certificate. Locate the [Your RapidSSL certificate:] section within the e-mail and copy the certificate, including the -----BEGIN and -----END lines, to a file named server.crt. Place this file at /tmp/server.crt

2. Copy the private key, including the -----BEGIN and -----END lines, to /opt/zimbra/ssl/zimbra/commercial/commercial.key (if the file is not already there).

If you have a certificate generated before December 9th, 2010:
3. Download the appropriate bundle file from http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer. RapidSSL certificates are always signed by Equifax! Save this as ca_bundle.crt

If you have a certificate generated after December 9th, 2010:
3a. Download the GeoTrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and the ca_bundle (wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem).
3b. Concatenate the files: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt

If you have a SHA2-256 certificate:
3c. Download the GeoTrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and copy the Intermediate CA Bundle from this page https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459 to a file named RapidSSL_CA_bundle.pem
3d. Concatenate the files: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt

4. Deploy the commercial certificate with zmcertmgr as the root user.

 # cd /opt/zimbra/bin
 # ./zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_bundle.crt

Note: The solution above works for Zimbra 5/6
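A pre-flight check for the files assembled in steps 1 to 3, to run before zmcertmgr deploycrt in step 4. This is an added example, not part of the original wiki article: the function names are hypothetical, and the demo certificates are constructed throwaway ones generated with openssl.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Function names are hypothetical.

# Succeeds only if CERT and KEY contain the same public key (steps 1 and 2).
check_key_matches() {   # usage: check_key_matches CERT KEY
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if openssl builds a path from CERT to a root with BUNDLE as the
# CA file (step 3). openssl may also consult the system CA directory.
check_chain() {         # usage: check_chain CERT BUNDLE
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Constructed throwaway PKI (root -> intermediate -> leaf) written into DIR.
make_demo_pki() {       # usage: make_demo_pki DIR
    local d="$1" n
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    for n in root int server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null &&
    cat "$d/root.crt" "$d/int.crt" > "$d/ca_bundle.crt"   # same order as step 3b
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d) && make_demo_pki "$dir" || exit 1
    check_key_matches "$dir/server.crt" "$dir/server.key" && echo "key matches certificate"
    check_chain "$dir/server.crt" "$dir/ca_bundle.crt"    && echo "full bundle verifies"
    check_chain "$dir/server.crt" "$dir/root.crt"         || echo "root-only bundle is rejected"
    rm -rf "$dir"
fi
```

Against the real files, the calls are check_key_matches /tmp/server.crt /opt/zimbra/ssl/zimbra/commercial/commercial.key and check_chain /tmp/server.crt /tmp/ca_bundle.crt; a bundle that lacks the intermediate fails the second check.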

Troubleshooting

After successfully importing the new certificate and CA bundle, I got the following error when restarting ZCS (6.0.10):

ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

The solution is to add RapidSSL_CA_bundle.pem (the intermediate cert) to the Java keystore:

 # /opt/zimbra/java/bin/keytool -import -alias rapidsslintca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <password> -file /tmp/RapidSSL_CA_bundle.pem

Verified Against: unknown
Date Created: 11/19/2009
Article ID: https://wiki.zimbra.com/index.php?title=Installing_a_RapidSSL_Commercial_Certificate
Date Modified: 2014-10-30


