Multi Domain SSL Certs - HOWTO
Revision as of 18:24, 20 November 2011

Admin Article

This article applies to ZCS 7.0.

With ZCS 7.0 it is now possible to secure more than one domain, each with its own SSL certificate. This document explains how to set up this feature in a split-DNS architecture. Be careful nonetheless, and test the configuration before going into production.


To implement this feature correctly, it is important to understand the logic behind this new technique:



  • Each addon domain needs its own separate public IP!
  • Each addon domain needs a valid SSL certificate.

(A): Preparing Proxy

  • In the ZCS base installation script, select the proxy service for installation.
  • Then log in as the zimbra user and activate the proxy:
$ zmproxyconfig -m -w -e -x redirect -H `zmhostname`
$ zmproxyctl restart
  • Set the proxy mode for the base domain on the proxy server:
$ zmprov ms server.basedomain.com zimbraReverseProxyMailMode redirect
  • Set the mode on the mailbox server for internal communication with the proxy server (this must be http!):
$ zmtlsctl http
  • Test this:
$ zmprov gs `zmhostname` | grep -i mode
  • Restart the proxy:
$ zmproxyctl restart

(B): Cert installation

  • Certificates have to be installed from the root console.

First check for, or create, the following folder:

# mkdir /opt/zimbra/conf/domaincerts
# cd /opt/zimbra/conf/domaincerts

For each domain, put its key and certificate into this folder ...

  1. basedomain.com.key (your private key)
  2. basedomain.com.crt (commercial .crt + intermediates + root CA) [the order of these parts is very sensitive and a wrong order can prevent your proxy from starting up; be careful and see also bug 57271, http://bugzilla.zimbra.com/show_bug.cgi?id=57271 ]
  3. addondomain1.com.key
  4. addondomain2.com.key
  5. ..

... and run the following commands:

  • Check the keys:
# /opt/zimbra/bin/zmcertmgr verifycrt comm ./basedomain.com.key ./basedomain.com.crt
  • Deploy the certs:
# /opt/zimbra/libexec/zmdomaincertmgr deploycrts
  • Save the certs:
# /opt/zimbra/libexec/zmdomaincertmgr savecrt basedomain.com basedomain.com.crt basedomain.com.key
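As an added example that is not part of the original article: a POSIX shell check for the domaincerts folder which, for every domain, verifies that the private key matches the server certificate and that the bundle is ordered leaf, intermediates, root (the ordering problem noted above). It assumes only the openssl command-line tool; run it before deploycrts.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a domaincerts directory before
# running zmcertmgr/zmdomaincertmgr. For every <domain>.key / <domain>.crt pair it
# confirms that the key matches the first (server) certificate of the bundle and
# that the bundle is ordered leaf -> intermediate(s) -> root, i.e. every cert's
# issuer is the subject of the cert that follows it. Needs the openssl CLI.

# Print the n-th PEM certificate block of a bundle (1-based).
pem_block() {  # $1=bundle file, $2=index
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print} /-----END CERTIFICATE-----/{if(c==n)exit}' "$1"
}

# 0 if the private key and the first certificate of the bundle carry the same public key.
key_matches_crt() {  # $1=key file, $2=bundle file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(pem_block "$2" 1 | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if each certificate's issuer equals the subject of the next one (leaf first).
chain_order_ok() {  # $1=bundle file
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_block "$1" "$i" | openssl x509 -noout -issuer)
        subject=$(pem_block "$1" $((i + 1)) | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Check every <domain>.key in the directory; non-zero if any pair is wrong or incomplete.
check_domaincerts() {  # $1=directory, e.g. /opt/zimbra/conf/domaincerts
    rc=0
    for key in "$1"/*.key; do
        [ -f "$key" ] || continue
        d=$(basename "$key" .key)
        crt="$1/$d.crt"
        [ -f "$crt" ] || { echo "$d: missing $crt"; rc=1; continue; }
        key_matches_crt "$key" "$crt" || { echo "$d: key does not match the server certificate"; rc=1; }
        chain_order_ok "$crt" || { echo "$d: bundle is not ordered leaf -> intermediates -> root"; rc=1; }
    done
    return "$rc"
}
```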

(C): Virtual IP on proxy

  • Configure a virtual hostname and a virtual IP for every addon domain.

Please note: the virtual IPs of the addon domains have to be real IPs in your internal network, so that DNS is able to resolve them!

$ zmprov md basedomain.com +zimbraVirtualHostName server.basedomain.com +zimbraVirtualIPAddress
$ zmprov md addondomain1.com +zimbraVirtualHostName server.addondomain1.com +zimbraVirtualIPAddress
$ zmprov md addondomain2.com +zimbraVirtualHostName server.addondomain2.com +zimbraVirtualIPAddress

(D): DNS-Records - Internal Net

  • Configure A records in your local DNS server:
server.basedomain.com.    IN  A   (-> the IP of your local ZCS should already be there)
server.addondomain1.com.  IN  A
server.addondomain2.com.  IN  A

(E): Alias IPs on mailboxserver

  • On Ubuntu systems, edit:
# vi /etc/network/interfaces
  • Append the following configuration, for example:
auto eth0:1
iface eth0:1 inet static
name Ethernet alias1 LAN card

auto eth0:2
iface eth0:2 inet static
name Ethernet alias2 LAN card
  • Restart network:
# /etc/init.d/networking restart

(F): DNS-Records - External Internet

  • Configure A records in your public provider's DNS server:
server.basedomain.com.    IN  A  x.x.x.x   (-> IP of your ZCS)
server.addondomain1.com.  IN  A  y.y.y.y   (separate public IP!)
server.addondomain2.com.  IN  A  z.z.z.z

(G): Firewalling

At this point you will need separate NAT/forwarding rules:

  • server.basedomain.com (x.x.x.x) to
  • server.addondomain1.com (y.y.y.y) to
  • server.addondomain2.com (z.z.z.z) to

To Think About...

Implementing this new multi-SSL feature is not a trivial walk. As you can see, with every additional addon domain the system becomes more and more complex to administer. As an alternative to this HOWTO you might therefore switch to a single "Multi-Domain-Cert", as provided by GoDaddy for example ...

Verified Against: unknown
Date Created: 11/18/2011
Article ID: https://wiki.zimbra.com/index.php?title=Multi_Domain_SSL_Certs_-_HOWTO
Date Modified: 2011-11-20
