King0770-Notes-import-SSL


Revision as of 16:47, 24 March 2021

On occasion, Zimbra needs to trust the TLS/SSL certificate of a non-Zimbra server, most commonly an Active Directory domain controller (for example for external LDAP authentication over LDAPS). The steps below pull the certificate off the wire and add it to the Java truststore (cacerts) that the ZCS JVM uses.

Run the following as the zimbra user. The openssl command connects to the non-Zimbra server, and sed keeps only the PEM certificate blocks from the output. Use port 636 for LDAPS or 3269 for the Global Catalog over SSL:

echo | openssl s_client -connect active-directory.example.com:636 -showcerts 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p' > /tmp/adCert.crt

OR

echo | openssl s_client -connect active-directory.example.com:3269 -showcerts 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p' > /tmp/adCert.crt

Two things to keep in mind. Nothing in this step authenticates the server: whatever certificate is presented on the wire is what gets trusted, so compare its SHA-256 fingerprint (openssl x509 -in /tmp/adCert.crt -noout -fingerprint -sha256) with the value the AD administrator gives you before importing it. And because -showcerts prints every certificate the server sends, the file may contain the whole chain rather than a single certificate; if it does, split it into one certificate per file and import the issuing CA's certificate, which keeps working after the domain controller's own certificate is renewed.

If you did not run openssl as the zimbra user, make sure the file is owned by zimbra:

chown zimbra:zimbra /tmp/adCert.crt

Check that the file parses as a certificate and that the subject, issuer, validity dates and Subject Alternative Names are what you expect:

openssl x509 -in /tmp/adCert.crt -noout -text

Import into Zimbra

zmcertmgr addcacert /tmp/adCert.crt  

zmcontrol restart

Restart ZCS so the JVM picks up the changed truststore.

When you use addcacert, zmcertmgr derives the keystore alias from the file name: zcs-user- followed by the basename without its extension, as the two examples below show.

zmcertmgr addcacert /tmp/corp.crt

** Importing cert '/tmp/corp.crt' as 'zcs-user-corp' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

OR

zmcertmgr addcacert /tmp/abccompany.crt 

** Importing cert '/tmp/abccompany.crt' as 'zcs-user-abccompany' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

List the imported cert. The JVM cacerts path printed above and /opt/zimbra/common/etc/java/cacerts used below are the same keystore on current ZCS releases (the former is a symlink to the latter); changeit is the default keystore password.

 keytool -list -alias zcs-user-abccompany -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit

List all trusted SSL certificates

 keytool -list -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit
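The whole procedure above, together with the alias rule, as one script. This is an added example for this page, not Zimbra's own tooling: it assumes a ZCS host where openssl, zmcertmgr and keytool are on the zimbra user's PATH, GNU sed/awk/coreutils, and placeholder host names; the embedded s_client transcript is constructed, not a real capture. It goes beyond the page's one-certificate case: it splits a multi-certificate -showcerts capture so each file handed to zmcertmgr holds exactly one certificate, prints the SHA-256 fingerprint to compare out of band, refuses certificates that are expired or about to expire, and checks the resulting alias with keytool.

```shell
#!/usr/bin/env bash
# Fetch, check, split and import a non-Zimbra server's certificate chain into the
# ZCS Java truststore. Added example for this wiki page, not Zimbra's own tooling.
# Assumed: a ZCS host where openssl, zmcertmgr and keytool are on the zimbra
# user's PATH, GNU sed/awk/coreutils, and placeholder host names.
set -euo pipefail

# Keystore the page's keytool commands use (the JVM cacerts path is a symlink to it).
TRUSTSTORE=/opt/zimbra/common/etc/java/cacerts

# Constructed stand-in for `openssl s_client -showcerts` output (not a real
# capture): a leaf plus its issuing CA, with placeholder bodies instead of base64.
sample_showcerts_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.example.com
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
LEAFLINE1
LEAFLINE2
-----END CERTIFICATE-----
 1 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
CALINE1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc01.example.com
EOF
}

# Keep only the PEM certificate blocks of an s_client transcript (stdin -> stdout).
# Same sed range as the page; -n is the portable spelling of --quiet.
extract_pem_blocks() {
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Number of certificates in a PEM file. -showcerts captures every certificate the
# server sends, so this is often more than one.
pem_block_count() {
    grep -c -- '-BEGIN CERTIFICATE-' "$1" || true
}

# Print the Nth (1-based) certificate of a PEM bundle, so each file handed to
# zmcertmgr holds exactly one certificate.
nth_pem_block() {
    awk -v n="$2" '/-BEGIN CERTIFICATE-/ { i++ } i == n { print } /-END CERTIFICATE-/ && i == n { exit }' "$1"
}

# Alias that zmcertmgr addcacert derives from the file name, as the page's two
# examples show: zcs-user-<basename without extension>.
zcs_alias() {
    local base
    base=$(basename -- "$1")
    printf 'zcs-user-%s\n' "${base%.*}"
}

# Print the fields worth checking before trusting a certificate, and fail if it
# is expired or expires within 30 days. The fingerprint is what you compare with
# the value the AD administrator gives you: nothing in the fetch authenticates the server.
inspect_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
    openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
        || { echo "$1: expired or expiring within 30 days, not importing" >&2; return 1; }
}

# The page's procedure end to end: fetch over LDAPS (636) or Global Catalog over
# SSL (3269), split the chain, inspect and import each certificate, verify the alias.
import_ad_chain() {
    local host=$1 port=${2:-636} bundle="/tmp/${1}.crt" n i part
    echo | openssl s_client -connect "${host}:${port}" -showcerts 2>&1 | extract_pem_blocks > "$bundle"
    n=$(pem_block_count "$bundle")
    [ "$n" -gt 0 ] || { echo "no certificate received from ${host}:${port}" >&2; return 1; }
    for i in $(seq 1 "$n"); do
        part="/tmp/${host}-${i}.crt"
        nth_pem_block "$bundle" "$i" > "$part"
        inspect_cert "$part"
        zmcertmgr addcacert "$part"
        keytool -list -alias "$(zcs_alias "$part")" -keystore "$TRUSTSTORE" -storepass changeit
    done
    echo "now run: zmcontrol restart"
}

# usage (as the zimbra user): ./import_ad_chain.sh active-directory.example.com 636
if [ "$#" -ge 1 ]; then import_ad_chain "$@"; fi
```

If the domain controller sends only its own certificate, the loop imports just that leaf and the import has to be repeated when the certificate is renewed; fetching the CA certificate from the AD administrator and importing that instead avoids the repeat.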

More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes
