
Revision as of 16:47, 24 March 2021 by King0770

On occasion, Zimbra may need to import an external SSL certificate from a non-Zimbra server, most commonly an Active Directory server.

To import, run the following as the Zimbra user

Run the following openssl command to connect to the non-Zimbra server, replacing HOSTNAME:PORT with that server's address and TLS port:

echo | openssl s_client -connect HOSTNAME:PORT -showcerts 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p' >> /tmp/adCert.crt

If you didn't run openssl as the zimbra user, make sure the file is owned by the zimbra user.

chown zimbra:zimbra /tmp/adCert.crt

Make sure the SSL certificate is good.

openssl x509 -in /tmp/adCert.crt -noout -text

Import into Zimbra

zmcertmgr addcacert /tmp/adCert.crt  

zmcontrol restart    # restart ZCS to pick up the changes
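
The check in the "Make sure the SSL certificate is good" step reads only the first certificate in the file, while -showcerts can write a whole chain. The script below is an added example, not part of the original article or of Zimbra's tooling; the function names count_certs and check_ca_file are hypothetical. It inspects every certificate in the file and prints each SHA-256 fingerprint so it can be compared with a value obtained from the server's administrator before running addcacert.

```bash
#!/usr/bin/env bash
# Added example: inspect every certificate in a PEM file before importing it.
# count_certs and check_ca_file are hypothetical helper names.

# Print how many PEM certificate blocks FILE contains.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Return 0 only if FILE holds at least one certificate and every certificate
# parses and has not expired. Prints subject, issuer, expiry date and SHA-256
# fingerprint of each certificate for out-of-band comparison.
check_ca_file() {
    local file=$1 tmpdir n=0 rc=0 pem
    if [ ! -r "$file" ] || [ "$(count_certs "$file")" -eq 0 ]; then
        echo "no certificates found in $file" >&2
        return 1
    fi
    tmpdir=$(mktemp -d) || return 1
    # Write each BEGIN..END block to its own file: cert-1.pem, cert-2.pem, ...
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$file"
    for pem in "$tmpdir"/cert-*.pem; do
        n=$((n + 1))
        echo "== certificate $n =="
        if ! openssl x509 -in "$pem" -noout -subject -issuer -enddate \
                -fingerprint -sha256; then
            echo "certificate $n does not parse" >&2
            rc=1
            continue
        fi
        # -checkend 0 exits non-zero when the certificate has already expired.
        if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            echo "certificate $n has expired" >&2
            rc=1
        fi
    done
    rm -rf "$tmpdir"
    return "$rc"
}

# Usage: check_ca_file /tmp/adCert.crt && zmcertmgr addcacert /tmp/adCert.crt
```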

When you use addcacert, the zmcertmgr tool derives the keystore alias from the name of the *.crt file, prefixed with zcs-user-.

zmcertmgr addcacert /tmp/corp.crt

** Importing cert '/tmp/corp.crt' as 'zcs-user-corp' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'


zmcertmgr addcacert /tmp/abccompany.crt 

** Importing cert '/tmp/abccompany.crt' as 'zcs-user-abccompany' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

List the imported cert

 keytool -list -alias zcs-user-abccompany -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit

List all trusted SSL certificates

 keytool -list -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit
