Installing a RapidSSL Commercial Certificate
Purpose
Step by Step Wiki/KB article to install a RapidSSL Commercial Certificate
Resolution
When you buy a GeoTrust (RapidSSL) SSL certificate, GeoTrust will send you a RapidSSL intermediate CA certificate (usually called IntermediateCA.cer). In case you are missing any of the CA certificates, here are the links:
- GeoTrust Intermediate Root Certificates for RapidSSL - https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548 Please note that, depending on your RSA, you need to select between the different options: SHA-1 SSL, SHA-2 (under SHA-1 Root) and SHA-2 (under SHA-2 Root)
- GeoTrust Root Certificates - https://www.geotrust.com/resources/root-certificates/
We strongly recommend using the Intermediate Root Certificates provided by your vendor, and adding just the Root 2 GeoTrust Global CA at the end.
Example with RSA SHA-2 (under SHA-1 Root)
You need to download these two files, in this order:
- RapidSSL Intermediate CA Certificates - https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26457
- Root 2 - GeoTrust Global CA (.pem format) - https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
Preparing the commercial_ca.crt
Certificates were assembled as follows:
cat [RapidSSL intermediate CA] [GeoTrust Global CA] > commercial_ca.crt
Note: All of the following commands should be run as the zimbra user on ZCS 8.7 and above, and as the root user on ZCS 8.6 and below.
You will be able to successfully verify the certificate using the following:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key mail-cert ./commercial_ca.crt
Where 'mail-cert' is the certificate that was issued to the server based on the CSR, and 'commercial_ca.crt' is the bundle assembled from the RapidSSL intermediate CA certificate and the GeoTrust Global CA root from the links above.
Deploy the new SSL RapidSSL certificate
Then deploy the certificate as follows:
/opt/zimbra/bin/zmcertmgr deploycrt comm mail-cert ./commercial_ca.crt
Then restart the services:
zmcontrol restart
Common error
If you see the error "error 20 at 0 depth lookup:unable to get local issuer certificate", as in this output:
** Verifying 'ssl_certificate.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'ssl_certificate.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'ssl_certificate.cer' against 'commercial_ca2.crt'
ERROR: Unable to validate certificate chain: ssl_certificate.cer: CN = your.domain.com
error 20 at 0 depth lookup:unable to get local issuer certificate
It means you don't have the proper IntermediateCA and Root file. Please refer to the first section of this Wiki, or contact GeoTrust so that they can provide you with the proper, updated IntermediateCA; usually they send an IntermediateCA.cer file.
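To find out which entry of the bundle is missing or out of place, the shell function below (an added example, not part of Zimbra or of the original article) walks from the server certificate through the bundle with openssl, checking the order given above: intermediate first, self-signed root last. The name check_chain is hypothetical, and the files are assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example: pre-flight check of a CA bundle before zmcertmgr verifycrt.
# check_chain is a hypothetical helper name; inputs are assumed to be PEM.
# Usage: check_chain <server-cert> <ca-bundle>   (returns 0 if chain is complete)
check_chain() {
    cert=$1 bundle=$2
    tmp=$(mktemp -d) || return 1

    # Split the bundle into one file per certificate, preserving order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$bundle"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no PEM certificates found in $bundle"
        rm -rf "$tmp"; return 1
    fi

    # Walk upwards: each certificate's issuer must be the next entry's subject.
    want=$(openssl x509 -in "$cert" -noout -issuer_hash)
    rc=0 i=1
    while [ "$i" -le "$count" ]; do
        f="$tmp/$i.pem"
        subj=$(openssl x509 -in "$f" -noout -subject_hash)
        if [ "$subj" != "$want" ]; then
            echo "FAIL: bundle entry $i does not issue the certificate before it:"
            openssl x509 -in "$f" -noout -subject
            rc=1; break
        fi
        want=$(openssl x509 -in "$f" -noout -issuer_hash)
        last_subj=$subj
        i=$((i + 1))
    done

    # The last entry must be a self-signed root (issuer == subject).
    if [ "$rc" -eq 0 ] && [ "$want" != "$last_subj" ]; then
        echo "FAIL: bundle does not end in a self-signed root certificate"
        rc=1
    fi

    # Names line up; let OpenSSL check signatures and validity dates too.
    if [ "$rc" -eq 0 ] && ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: openssl verify rejected the chain"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $count CA certificate(s), chain is complete"
    rm -rf "$tmp"
    return "$rc"
}
```

Run it as check_chain mail-cert ./commercial_ca.crt in the directory where the bundle was assembled; a FAIL line names the first bundle entry that breaks the chain.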