Installing a RapidSSL Commercial Certificate: Difference between revisions

No edit summary
mNo edit summary
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Archive}}{{WIP}}{{Article Infobox|{{admin}}|{{ZCS 6.0}}|{{ZCS 5.0}}|}}=== Istalling a RapidSSL Commercial SSL Certificate ===
{{BC|Certified}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=Installing a RapidSSL Commercial Certificate=
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|}}


Use the article as a guide to installing a GeoTrust / RapidSSL issued SSL certificate with the zmcertmgr tool. 
==Purpose==
Step by Step Wiki/KB article to install a RapidSSL Commercial Certificate


1. You will receive an e-mail from RapidSSL with your commercial certificate. Locate the [Your RapidSSL certificate:] section within the e-mail and copy the Certificate including the -----BEGIN to END----- to a file server.crt and place this into /tmp/server.crt
==Resolution==
When you buy a GeoTrust (RapidSSL)SSL certificate, Geotrust will send to you some RapidSSL intermediate CA certificate (usually called IntermediateCA.cer), in case that you miss some of them, here are the links:
* GeoTrust Intermediate Root Certificates for RapidSSL - [https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548 https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548] Please note that depending of your RSA you need to select between the different options: SHA-1 SSL, SHA-2 (under SHA-1 Root) and SHA-2 (under SHA-2 Root)
* GeoTrust Root Certificates - [https://www.geotrust.com/resources/root-certificates/ https://www.geotrust.com/resources/root-certificates/]


2. Copy private key including the -----BEGIN to END----- to  /opt/zimbra/ssl/zimbra/commercial/commercial.key (if the file is not already there).
'''We strongly recommend to use the Intermediate Root Certificates provided from your vendor, and add just the '''Root 2'''  Geotrust Global CA at the end.'''
===Example with RSA SHA-2 (under SHA-1 Root) ===
You need to download this two files , in this order:
* '''RapidSSL Intermediate CA Certificates''' - [https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26457 https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26457]
* '''Root 2''' - GeoTrust Global CA (.pem format) - [https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem]


'''If you have a certificate generated before december 9th 2010:'''<br>
===Preparing the commercial_ca.crt===
3. Download the appropriate bundle file from http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer . RapidSSL certificates are always signed by Equifax!! Save this as ca_bundle.crt
Certificates were assembled as follows:  
cat [RapidSSL intermediate CA] [GeoTrust Global CA] > commercial_ca.crt  


'''If you have a certificate generated after december 9th 2010:'''<br>
'''Note''' All the next commands should be run as zimbra user starting ZCS 8.7 and above, and as a root user in ZCS 8.6 and below.
3a. Download the Geotrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and ca_bundle (wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem).<br>
3b. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt


'''If you have a SHA2-256 certificate'''<br>
You will be able to successfully verify the certificate using the following:
3c. Download the Geotrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and copy Intermediate CA Bundle from this page https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459 to a file RapidSSL_CA_bundle.pem <br>
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key mail-cert ./commercial_ca.crt
3d. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt


4. Deploy the commercial certificate with zmcertmgr as the '''root''' user.
Where 'mail-cert' is the certificate that was issued to the server based on the CSR, and "commercial_ca.crt" is the bundle assembled from the RapidSSL intermediate CA certificate and the link above.
  # cd /opt/zimbra/bin
  # ./zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_bundle.crt


Note: The solution above works for Zimbra 5/6
===Deploy the new SSL RapidSSL certificate===
Then deploy the certificate as follows:  
/opt/zimbra/bin/zmcertmgr deploycrt comm  mail-cert ./commercial_ca.crt


==== Troubleshooting ====
Then you need to restart the services
zmcontrol restart


After successfully importing the new certificate and CA bundle, I got the following error when restarting ZCS (6.0.10):
===Common error===
If you see the next error ''error 20 at 0 depth lookup:unable to get local issuer certificate'' like here:
** Verifying 'ssl_certificate.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'ssl_certificate.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'ssl_certificate.cer' against 'commercial_ca2.crt'
ERROR: Unable to validate certificate chain: ssl_certificate.cer: CN = your.domain.com
error 20 at 0 depth lookup:unable to get local issuer certificate


''ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)''
It means you don't have the proper IntermediateCA and Root file, please refer to the first section of this Wiki, or [https://www.geotrust.com/support/ '''contact GeoTrust'''] in order to them to provide the proper and updated IntermediateCA to you, usually they send a '''IntermediateCA.cer''' file.


The solution is to add RapidSSL_CA_bundle.pem (the intermediate cert) to the Java keystore:
==Additional Content==
* No related content


  # /opt/zimbra/java/bin/keytool -import -alias rapidsslintca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <password> -file /tmp/RapidSSL_CA_bundle.pem
{{Article Footer|Zimbra Collaboration 8.6, 8.5, 8.0|11/19/2009}}
 
{{NeedSME|Jorge|SME2|Copyeditor}}
{{Article Footer|unknown|11/19/2009}}


[[Category:Certificates]]
[[Category:Certificates]]
[[Category:ZCS 6.0]]
[[Category:ZCS 5.0]]
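
Review bot: the new text no longer says where the private key has to be, although the verifycrt line still reads /opt/zimbra/ssl/zimbra/commercial/commercial.key. Old step 2 ("Copy private key ... to /opt/zimbra/ssl/zimbra/commercial/commercial.key") is absent from the latest revision, so keep a one-line equivalent ahead of the verify command. The "Preparing the commercial_ca.crt" line also writes commercial_ca.crt with no directory while verifycrt and deploycrt read ./commercial_ca.crt, so state the working directory or use an absolute path in all three commands.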

Latest revision as of 17:24, 18 January 2018

Installing a RapidSSL Commercial Certificate

   KB 3105        Last updated on 2018-01-18  





Purpose

Step by Step Wiki/KB article to install a RapidSSL Commercial Certificate

Resolution

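When you buy a GeoTrust (RapidSSL) SSL certificate, GeoTrust will send you one or more RapidSSL intermediate CA certificates (usually called IntermediateCA.cer). In case you are missing any of them, here are the links:

  • GeoTrust Intermediate Root Certificates for RapidSSL - https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548 Please note that, depending on your RSA, you need to select between the different options: SHA-1 SSL, SHA-2 (under SHA-1 Root) and SHA-2 (under SHA-2 Root)
  • GeoTrust Root Certificates - https://www.geotrust.com/resources/root-certificates/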

We strongly recommend using the Intermediate Root Certificates provided by your vendor and adding just the Root 2 GeoTrust Global CA at the end.

Example with RSA SHA-2 (under SHA-1 Root)

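You need to download these two files, in this order:

  • RapidSSL Intermediate CA Certificates - https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26457
  • Root 2 - GeoTrust Global CA (.pem format) - https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem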

Preparing the commercial_ca.crt

Certificates were assembled as follows:

cat [RapidSSL intermediate CA] [GeoTrust Global CA] > commercial_ca.crt 

Note: All of the following commands should be run as the zimbra user in ZCS 8.7 and above, and as the root user in ZCS 8.6 and below.

You will be able to successfully verify the certificate using the following:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key mail-cert ./commercial_ca.crt

Where 'mail-cert' is the certificate that was issued to the server based on the CSR, and "commercial_ca.crt" is the bundle assembled from the RapidSSL intermediate CA certificate and the link above.

Deploy the new SSL RapidSSL certificate

Then deploy the certificate as follows:

/opt/zimbra/bin/zmcertmgr deploycrt comm mail-cert ./commercial_ca.crt

Then restart the services:

zmcontrol restart

Common error

If you see the error "error 20 at 0 depth lookup:unable to get local issuer certificate", as in this output:

** Verifying 'ssl_certificate.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'ssl_certificate.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'ssl_certificate.cer' against 'commercial_ca2.crt'
ERROR: Unable to validate certificate chain: ssl_certificate.cer: CN = your.domain.com
error 20 at 0 depth lookup:unable to get local issuer certificate

This means you don't have the proper IntermediateCA and Root file. Please refer to the first section of this Wiki, or contact GeoTrust so that they can provide you with the proper, up-to-date IntermediateCA; they usually send an IntermediateCA.cer file.
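
The key match, the bundle order and the "error 20" chain failure described above can all be checked with plain openssl before zmcertmgr is run. This is an added example, not part of the Zimbra article or of zmcertmgr; the function names, the script name preflight.sh and the throwaway demo chain are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before `zmcertmgr deploycrt` (names are illustrative).

# True when the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
  _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  _c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# True when BUNDLE holds every CA between CERT and a root; a missing
# intermediate is what produces "error 20 at 0 depth lookup".
chain_ok() {  # usage: chain_ok CERT BUNDLE
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True when the last certificate in BUNDLE is self-signed (root at the end).
bundle_ends_with_root() {  # usage: bundle_ends_with_root BUNDLE
  _t=$(openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
       openssl pkcs7 -print_certs -noout 2>/dev/null)
  _s=$(printf '%s\n' "$_t" | sed -n 's/^subject=//p' | tail -n 1)
  _i=$(printf '%s\n' "$_t" | sed -n 's/^issuer=//p' | tail -n 1)
  [ -n "$_s" ] && [ "$_s" = "$_i" ]
}

# Constructed sample input: throwaway root -> intermediate -> server chain in DIR.
make_demo_chain() {  # usage: make_demo_chain DIR
  ( cd "$1" &&
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf &&
    openssl req -x509 -config demo.cnf -extensions ca -newkey rsa:2048 -nodes \
      -subj "/CN=Demo Root" -days 2 -keyout root.key -out root.pem &&
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=Demo Intermediate" -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile demo.cnf -extensions ca -days 2 -out int.pem &&
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=mail.example.test" -keyout server.key -out server.csr &&
    openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out server.crt &&
    cat int.pem root.pem > commercial_ca.crt  # intermediate first, root last
  ) >/dev/null 2>&1
}

# Real use: sh preflight.sh KEY CERT BUNDLE
if [ "$#" -eq 3 ]; then
  key_matches_cert "$1" "$2" || { echo "key and certificate do not match"; exit 1; }
  bundle_ends_with_root "$3" || { echo "bundle does not end with a root CA"; exit 1; }
  chain_ok "$2" "$3" || { echo "chain incomplete: intermediate or root missing"; exit 1; }
  echo "ok to deploy"
fi
```

Passing only the root as the bundle makes chain_ok fail in the same way as the zmcertmgr output shown above, because the issuer of the server certificate cannot be found.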

Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0 Date Created: 11/19/2009
Article ID: https://wiki.zimbra.com/index.php?title=Installing_a_RapidSSL_Commercial_Certificate Date Modified: 2018-01-18




Wiki/KB reviewed by Jorge SME2 Copyeditor Last edit by Jorge de la Cruz