King0770-Notes-import-SSL

Revision as of 16:47, 24 March 2021 by King0770

On occasion, Zimbra may need to import an external SSL cert from a non-Zimbra server; most commonly from Active-Directory servers.

To import, run the following commands as the zimbra user.

Connect to the non-Zimbra server with openssl and save the certificates it presents:

echo | openssl s_client -connect active-directory.example.com:636 -showcerts 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p' >> /tmp/adCert.crt

**OR**

echo | openssl s_client -connect active-directory.example.com:3269 -showcerts 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p' >> /tmp/adCert.crt

If you didn't run openssl as the zimbra user, make sure the file is owned by the zimbra user:

chown zimbra:zimbra /tmp/adCert.crt

Make sure the SSL certificate is good by inspecting its contents:

openssl x509 -in /tmp/adCert.crt -noout -text

Import into Zimbra:

zmcertmgr addcacert /tmp/adCert.crt

zmcontrol restart    # restart ZCS to pick up the changes

When you use addcacert, the zmcertmgr tool builds the keystore alias from the name of the *.crt file, prefixed with zcs-user-:

zmcertmgr addcacert /tmp/corp.crt

** Importing cert '/tmp/corp.crt' as 'zcs-user-corp' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

OR

zmcertmgr addcacert /tmp/abccompany.crt 

** Importing cert '/tmp/abccompany.crt' as 'zcs-user-abccompany' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

List the imported cert

 keytool -list -alias zcs-user-abccompany -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit

List all trusted SSL certificates

 keytool -list -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit
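
The openssl capture above uses -showcerts, so /tmp/adCert.crt can hold several certificates, while openssl x509 -in prints only the first one. The script below is an added example, not part of the original notes: it splits the file and prints the subject, issuer, expiry and SHA-256 fingerprint of every certificate so they can be compared with values supplied by the Active Directory administrators before addcacert is run. The function names are hypothetical, and the alias rule is inferred from the two zmcertmgr outputs shown on this page.

```bash
#!/bin/sh
# Added example: pre-import checks for a PEM file captured with
# `openssl s_client -showcerts`. Helper names are hypothetical.

# Number of certificates in the file (prints 0 if there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write each certificate to <outdir>/cert-1.pem, cert-2.pem, ...
# Lines outside BEGIN/END markers are dropped.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# Alias as seen in the zmcertmgr output on this page:
# zcs-user-<file name without .crt> (assumption based on those two examples).
expected_alias() {
    alias_base=$(basename "$1")
    echo "zcs-user-${alias_base%.crt}"
}

# Print the identity of every certificate in the file for out-of-band comparison.
inspect_bundle() {
    cert_total=$(count_certs "$1")
    [ "$cert_total" -gt 0 ] || { echo "no certificates found in $1" >&2; return 1; }
    echo "$cert_total certificate(s) in $1"
    split_dir=$(mktemp -d)
    split_bundle "$1" "$split_dir"
    for cert_file in "$split_dir"/cert-*.pem; do
        echo "== $(basename "$cert_file")"
        openssl x509 -in "$cert_file" -noout -subject -issuer -enddate -fingerprint -sha256
    done
    rm -rf "$split_dir"
}

# Usage: sh check-cert.sh /tmp/adCert.crt
if [ -n "${1:-}" ]; then
    inspect_bundle "$1" && echo "expected alias: $(expected_alias "$1")"
fi
```

Because the capture command appends with >>, a certificate count higher than expected can also mean the file still holds output from an earlier run.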

More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes
