Installing a RapidSSL Commercial Certificate
Installing a RapidSSL Commercial SSL Certificate
Use this article as a guide to installing a GeoTrust / RapidSSL-issued SSL certificate with the zmcertmgr tool.
1. You will receive an e-mail from RapidSSL with your commercial certificate. Locate the [Your RapidSSL certificate:] section within the e-mail, copy the certificate, including the -----BEGIN and -----END lines, to a file named server.crt, and place it at /tmp/server.crt
2. Copy the private key, including the -----BEGIN and -----END lines, to /opt/zimbra/ssl/zimbra/commercial/commercial.key (if the file is not already there).
If you have a certificate generated before December 9th 2010:
3. Download the appropriate bundle file from http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer . RapidSSL certificates are always signed by Equifax!! Save this as ca_bundle.crt
If you have a certificate generated after December 9th 2010:
3a. Download the GeoTrust root certificate (wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer) and the CA bundle (wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem).
3b. Cat the files together: cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt
4. Deploy the commercial certificate with zmcertmgr as the root user.
    # cd /opt/zimbra/bin
    # ./zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_bundle.crt
Note: The solution above works for Zimbra 5/6
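Before running step 4, the key, certificate and CA bundle from steps 1-3 can be checked against each other with openssl. The script below is an added example, not part of the original article or of Zimbra's tooling; the script name precheck.sh and the function names are hypothetical, and it assumes an unencrypted private key and an openssl binary that supports the pkey subcommand.

```shell
#!/bin/sh
# Added example: pre-flight checks before "zmcertmgr deploycrt comm".
# Usage (as root, paths from the steps above):
#   sh precheck.sh /opt/zimbra/ssl/zimbra/commercial/commercial.key \
#                  /tmp/server.crt /tmp/ca_bundle.crt
# precheck.sh is a hypothetical file name; only openssl and grep are used.

# True when the private key ($1) and the certificate ($2) hold the same
# public key. Read errors count as a mismatch.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate ($2) chains to a root using only the
# certificates in the bundle ($1), i.e. the bundle is complete.
chain_verifies() {
    out=$(openssl verify -CAfile "$1" "$2" 2>/dev/null) || return 1
    case "$out" in *": OK") return 0 ;; *) return 1 ;; esac
}

# True when "cat" glued two PEM blocks onto one line because the first
# file had no trailing newline (the concatenation in step 3b).
bundle_is_glued() {
    grep -q -e 'CERTIFICATE-----.*-----BEGIN' "$1"
}

# Run all checks; returns 0 only when the files are safe to deploy.
precheck() {  # $1 = key, $2 = certificate, $3 = CA bundle
    rc=0
    if bundle_is_glued "$3"; then
        echo "FAIL: PEM blocks share a line in $3; re-create the bundle"; rc=1
    fi
    key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    chain_verifies "$3" "$2" || { echo "FAIL: $2 does not verify against $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key, certificate and bundle are consistent"
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    precheck "$@"
fi
```

A failed chain check here means the bundle is missing a root or intermediate certificate for server.crt, which is cheaper to find before deployment than after a service restart.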
Troubleshooting
After successfully importing the new certificate and CA bundle, I got the following error when restarting ZCS (6.0.10):
ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
The solution is to add RapidSSL_CA_bundle.pem (the intermediate cert) to the Java keystore:
# /opt/zimbra/java/bin/keytool -import -alias rapidsslintca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <password> -file /tmp/RapidSSL_CA_bundle.pem