King0770-Notes-import-SSL: Difference between revisions


Latest revision as of 16:47, 24 March 2021

On occasion, Zimbra may need to import an external SSL cert from a non-Zimbra server; most commonly from Active-Directory servers.

To import, run the following as the zimbra user.

Run one of the following openssl commands to connect to the non-Zimbra server and save the certificates it presents:

echo | openssl s_client -connect active-directory.example.com:636 -showcerts 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p' > /tmp/adCert.crt

**OR**

echo | openssl s_client -connect active-directory.example.com:3269 -showcerts 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p' > /tmp/adCert.crt

If you didn't run openssl as the zimbra user, make sure the file is owned by the zimbra user.

chown zimbra:zimbra /tmp/adCert.crt

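Make sure the SSL certificate is good. Note that openssl x509 reads only the first certificate in the file, even when -showcerts captured more than one.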

openssl x509 -in /tmp/adCert.crt -noout -text

Import into Zimbra

zmcertmgr addcacert /tmp/adCert.crt  

zmcontrol restart    # restart ZCS to pick up the changes

When you use addcacert, zmcertmgr builds the keystore alias from the name of the *.crt file, prefixed with zcs-user-:

zmcertmgr addcacert /tmp/corp.crt

** Importing cert '/tmp/corp.crt' as 'zcs-user-corp' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

OR

zmcertmgr addcacert /tmp/abccompany.crt 

** Importing cert '/tmp/abccompany.crt' as 'zcs-user-abccompany' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

List the imported cert

 keytool -list -alias zcs-user-abccompany -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit

List all trusted SSL certificates

 keytool -list -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit
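
The `openssl x509` check above shows only the first certificate in /tmp/adCert.crt, while `-showcerts` saves every certificate the server sends. The script below is an added example, not part of the original notes: it splits the file and prints subject, issuer, expiry and SHA-256 fingerprint for each certificate so they can be compared with values obtained from the server's administrator before running addcacert. The function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original page): review every certificate in a
# file captured with `openssl s_client -showcerts` before importing it.

# split_chain FILE OUTDIR: write each PEM block to OUTDIR/cert-N.pem and
# print how many were found; s_client noise outside the blocks is ignored.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END                           { print n + 0 }
    ' "$1"
}

# describe_cert FILE: the fields to compare with what the server's
# administrator gave you out of band.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# names_match FILE: true when subject equals issuer (self-issued, e.g. a
# root CA). This compares names only; it does not verify the signature.
names_match() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# review_chain FILE: split, then summarise each certificate in order.
review_chain() {
    dir=$(mktemp -d)
    count=$(split_chain "$1" "$dir")
    echo "$count certificate(s) found in $1 (split into $dir)"
    k=1
    while [ "$k" -le "$count" ]; do
        echo "--- $dir/cert-$k.pem"
        describe_cert "$dir/cert-$k.pem"
        if names_match "$dir/cert-$k.pem"; then echo "subject == issuer"; fi
        k=$((k + 1))
    done
}

# Usage: sh review-chain.sh /tmp/adCert.crt   (script name is hypothetical)
if [ "$#" -gt 0 ]; then review_chain "$1"; fi
```

Pass the reviewed cert-N.pem file to zmcertmgr addcacert in place of the combined capture.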

More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes
