Difference between revisions of "Preexisting Certifcate Installation for Zimbra 6.0"

m (Added full paths to match proper .key and .crt files.)
(Instructions were broken in several places. Wrong paths. Unnecessary steps. Added carriage return workaround to jetty import bug.)
Line 14: Line 14:
 
  scp user@otherserver.domain.com:ca_bundle.crt .
 
  scp user@otherserver.domain.com:ca_bundle.crt .
  
Now you need to rename the files to what Zimbra expects:
+
Now, on your zimbra server, and rename the files to what Zimbra expects. We'll assume you placed the certificates in /root/certs:
  
  mv /root/certs/domain.com.crt /root/certs/commercial.crt
+
  cd /root/certs
  mv /root/certs/domain.com.key /root/certs/commercial.key
+
mv domain.com.crt commercial.crt
  mv /root/certs/ca_bundle.crt /root/certs/commercial_ca.crt
+
  mv domain.com.key commercial.key
 +
  mv ca_bundle.crt commercial_ca.crt
  
Next you put the key file in two places where Zimbra expects it:
+
Now copy the key file to the location that zimbra expects to find it:
  
  cp /root/certs/commercial.key /opt/zimbra/ssl/zimbra
+
  cp commercial.key /opt/zimbra/ssl/zimbra/commercial/
cp /root/certs/commercial.crt /opt/zimbra/ssl/zimbra
 
cp /root/certs/commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial
 
  
Then you use Zimbra's fancy certificate importer tools. First we check if we really have a matching pair of .key and .crt files:
+
Due to an bug in zimbra's certificate deployment code, you will need to open commercial.crt and commercial_ca.crt in a text editor, and add an extra return to the end of each certificate. Make sure you have a blank line after this at the very end of the file, after this line. In vim it should look like this when you are done:
  
  /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial.crt /opt/zimbra/ssl/zimbra/commercial_ca.crt
+
  -----END CERTIFICATE-----
 +
 +
~
  
If you see something like
+
Then use Zimbra's certificate importer tools to install the certificate. First check if we really have a matching pair of .key and .crt files:
  
  ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial.key
+
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
  Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial.key) match.
+
 
 +
If the certificates are valid, you will something like this:
 +
 
 +
  ** Verifying commercial.crt against commercial.key
 +
  Certificate (commercial.crt) and private key (commercial.key) match.
 
  Valid Certificate: commercial.crt: OK
 
  Valid Certificate: commercial.crt: OK
  
everything is O.K. Now we need to deploy the cert:
+
Now deploy the certificates:
  
  /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial.crt /opt/zimbra/ssl/zimbra/commercial_ca.crt
+
  /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
  
 
The response should be something like
 
The response should be something like
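Review bot: the new "extra return" paragraph names a bug but not the mechanism, and it over-prescribes the fix. The deploy step appends commercial_ca.crt to commercial.crt (the "Appending ca chain" line in the deploycrt output), so a file whose last line has no newline leaves "-----END CERTIFICATE-----" and the next "-----BEGIN CERTIFICATE-----" on one line, which a PEM parser then either drops or rejects. Suggest "make sure each file ends with a newline" (a trailing blank line is harmless but not required), and fix "Due to an bug", "you will something like this" (missing "see") and "Now, on your zimbra server, and rename the files" (drop "and").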
Line 70: Line 75:
 
  Do you still want to add it? [no]:  yes
 
  Do you still want to add it? [no]:  yes
 
  Certificate was added to keystore
 
  Certificate was added to keystore
 
  
 
Last but not least restart Zimbra:
 
Last but not least restart Zimbra:
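Review bot: this hunk only re-flows unchanged context around the keytool prompt, but the step it belongs to deserves a comment: the "Certificate already exists in keystore under alias <zcs-user-commercial_ca>" message shows that deploycrt has already imported the chain into cacerts, so the manual keytool import under alias "root" only adds a duplicate; the text should present the step as optional rather than as the expected outcome of a redeploy.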

Revision as of 16:55, 5 March 2012

Admin Article

Article Information

This article applies to the following ZCS versions: ZCS 6.0

Zimbra makes it extremely easy to install either a self-signed certificate or a commercial certificate specific to the Zimbra server. If, on the other hand, you want to install a certificate you created somewhere else (such as a wildcard certificate for your domain) the procedure is a bit more involved.

First make sure that the file commercial_ca.crt contains every CA certificate needed for a valid chain, in the order TLS clients expect once the chain is appended to your server certificate: the intermediate that signed your certificate first, any further intermediates after it, and the root last. With a COMODO Multi Domain Certificate you receive two CA certs, UTNAddTrustServerCA.crt (the intermediate) and AddTrustExternalCARoot.crt (the root); other commercial CAs ship similar bundles, so check which file is which before concatenating. Start from an empty file (the first cat uses > rather than >>, so a re-run does not accumulate old copies) and make sure every source file ends with a newline, otherwise the END marker of one certificate and the BEGIN marker of the next end up on the same line:

cat UTNAddTrustServerCA.crt > ca_bundle.crt
cat AddTrustExternalCARoot.crt >> ca_bundle.crt

Become root, make a directory to work in and bring the files over. There are lots of ways to do this; I used scp, which at least keeps the private key off the wire in clear text. Keep the key readable by root only once it has arrived.

mkdir /root/certs
cd /root/certs
scp user@otherserver.domain.com:domain.com.crt .
scp user@otherserver.domain.com:domain.com.key .
scp user@otherserver.domain.com:ca_bundle.crt .

Now, on your Zimbra server, rename the files to what Zimbra expects. We'll assume you placed them in /root/certs:

cd /root/certs
mv domain.com.crt commercial.crt
mv domain.com.key commercial.key
mv ca_bundle.crt commercial_ca.crt

Now copy the key file to the location where Zimbra expects to find it. This is the only file you need to place there by hand; deploycrt copies the certificate and the chain into that directory itself:

cp commercial.key /opt/zimbra/ssl/zimbra/commercial/

Zimbra's certificate deployment code appends commercial_ca.crt to commercial.crt (see the "Appending ca chain" line in the deploycrt output below). If either file does not end with a newline, the -----END CERTIFICATE----- line of one certificate and the -----BEGIN CERTIFICATE----- line of the next are glued together on one line, and the PEM parser then either drops the second certificate or rejects the file. So open commercial.crt and commercial_ca.crt in a text editor and make sure each ends with a newline; an extra blank line after the last END marker does no harm. In vim the end of the file should look like this when you are done:

-----END CERTIFICATE-----

~
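The two file-handling traps above, chain order and a missing trailing newline, are easy to get wrong by hand. The shell functions below are an added example, not part of the original article or of Zimbra's tooling: build_ca_bundle writes the bundle in leaf-to-root order while guaranteeing a newline after every certificate, and pem_glued detects a file in which an END marker and the next BEGIN marker have already run together. The two certificates it operates on are constructed placeholders with fake bodies (the names inter.crt and root.crt stand in for UTNAddTrustServerCA.crt and AddTrustExternalCARoot.crt), so the script runs anywhere; on a real server you would point build_ca_bundle at the files your CA sent you.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): build commercial_ca.crt safely.

# pem_count FILE: number of certificates in FILE. Only BEGIN markers that start
# a line are counted, which is exactly what a PEM parser will find.
pem_count() {
    grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1"
}

# pem_glued FILE: succeed (exit 0) if some line has text after an END marker,
# the signature of two certificates concatenated without a newline between them.
pem_glued() {
    grep -q -e '-----END CERTIFICATE-----.' "$1"
}

# pem_append SRC DST: append SRC to DST and make sure DST ends with a newline.
# "$(tail -c 1 FILE)" is empty when the last byte is a newline (command
# substitution strips it) and non-empty otherwise.
pem_append() {
    cat "$1" >> "$2"
    if [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$2"
    fi
}

# build_ca_bundle OUT CERT...: write OUT from scratch (not '>>', which would keep
# whatever an earlier run left behind). Pass the intermediate that signed your
# certificate first and the root last; that is the order TLS clients expect
# once zmcertmgr appends this bundle to commercial.crt.
build_ca_bundle() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        pem_append "$f" "$out"
    done
}

# make_sample_pems DIR: constructed stand-ins for the intermediate and root CA
# files. The bodies are not real certificates. The intermediate deliberately
# lacks a trailing newline, as files saved by some editors and CA portals do.
make_sample_pems() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TUlJQ0ludGVybWVkaWF0ZQ==' '-----END CERTIFICATE-----' > "$1/inter.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'TUlJQ1Jvb3Q=' '-----END CERTIFICATE-----' > "$1/root.crt"
}

# first_body FILE: base64 body of the first certificate in FILE (line 2),
# handy for checking which CA ended up first in the bundle.
first_body() {
    sed -n '2p' "$1"
}

demo() {
    d=$(mktemp -d)
    make_sample_pems "$d"

    # what a naive 'cat a b > bundle' produces when a lacks a trailing newline
    cat "$d/inter.crt" "$d/root.crt" > "$d/naive.crt"
    if pem_glued "$d/naive.crt"; then
        echo "naive.crt: markers glued, a parser sees $(pem_count "$d/naive.crt") certificate(s)"
    fi

    build_ca_bundle "$d/commercial_ca.crt" "$d/inter.crt" "$d/root.crt"
    echo "commercial_ca.crt: $(pem_count "$d/commercial_ca.crt") certificate(s), first body $(first_body "$d/commercial_ca.crt")"
    rm -rf "$d"
}

demo
```

On a real server, follow this with openssl verify -CAfile commercial_ca.crt commercial.crt before handing the files to zmcertmgr; it exercises the same chain that verifycrt will.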

Then use Zimbra's certificate manager, zmcertmgr, to install the certificate. First check that the key and certificate really are a matching pair and that the certificate validates against the chain:

/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt

If everything is valid you will see something like this:

** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK

Now deploy the certificates:

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

The response should be something like

** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

Finally the CA chain has to be trusted by the Java truststore that jetty (mailboxd) uses. Note that the command below spans two lines: either use the backslash as shown, or paste both lines as one command without the backslash. The password really is "changeit"; it is the default password of the Java cacerts keystore, not a placeholder you are meant to replace.

If your chain contains more than one intermediate CA, repeat the import for each intermediate certificate and use a different alias for each. The alias root below is only a label; pick names that say which CA each entry holds.

/opt/zimbra/java/bin/keytool -import -alias root -keystore \
/opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

In most cases you will be told that the certificate is already there:

Certificate already exists in keystore under alias <zcs-user-commercial_ca>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

That prompt appears because deploycrt has already imported the chain into cacerts under the alias zcs-user-commercial_ca (the "Importing certificate ... to CACERTS" line in its output), so this manual import is normally redundant; answering yes merely stores a second copy under the new alias, which is harmless. The list subcommand of the same keytool, with the same keystore and password, shows which aliases are present.

Last but not least restart Zimbra:

/etc/init.d/zimbra restart

Now we're done. To check that everything works as expected, verify the new cert in the Zimbra Admin GUI, or connect to each TLS-speaking service with a client and inspect the certificate it presents.
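Besides the Admin GUI, the most reliable check is to ask each Zimbra service for the certificate it actually serves and compare its fingerprint with the file you deployed: jetty, the MTA, slapd and the proxy each received their own copy in the deploycrt output above, so one of them being stale after a forgotten restart is not unusual. The script below is an added example, not part of the original article or of Zimbra; it relies only on openssl s_client and openssl x509. The port list (443 and 7071 for the web and admin UI, 993 for IMAPS, 25 with STARTTLS for the MTA) is the default Zimbra layout and is an assumption of this example, as are the host name zimbra.example.com and the throwaway self-signed certificate that self_test generates.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): compare the certificate each
# Zimbra service presents on the wire with the file that was deployed.

# fingerprint_of_pem: read a PEM certificate on stdin and print its SHA-256
# fingerprint as colon-separated hex (95 characters), without the label that
# openssl prints in front of it.
fingerprint_of_pem() {
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_fingerprint FILE: fingerprint of the first certificate in FILE. For
# commercial.crt that is the server certificate, even after deploycrt appended
# the CA chain behind it.
cert_fingerprint() {
    fingerprint_of_pem < "$1"
}

# served_fingerprint HOST PORT [STARTTLS_PROTO]: connect with openssl s_client
# and print the fingerprint of the leaf certificate the service presents.
# SNI (-servername) matters when the proxy serves several names.
served_fingerprint() {
    host=$1
    port=$2
    proto=${3:-}
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$proto" ] && set -- "$@" -starttls "$proto"
    printf 'Q\n' | openssl s_client "$@" 2>/dev/null | fingerprint_of_pem
}

# check_deployed HOST CERTFILE: walk the default Zimbra ports (an assumption of
# this example) and report every service whose certificate differs from
# CERTFILE. Returns 0 only if all of them match.
check_deployed() {
    host=$1
    want=$(cert_fingerprint "$2")
    rc=0
    # port:starttls pairs; an empty STARTTLS field means implicit TLS
    for entry in 443: 7071: 993: 25:smtp; do
        port=${entry%%:*}
        proto=${entry#*:}
        got=$(served_fingerprint "$host" "$port" "$proto")
        if [ "$got" = "$want" ]; then
            echo "OK       $host:$port"
        else
            echo "MISMATCH $host:$port serves ${got:-nothing}, expected $want"
            rc=1
        fi
    done
    return $rc
}

# self_test: generate a throwaway self-signed certificate (a placeholder, not a
# real deployment) and print its fingerprint, so the helpers can be exercised
# without a Zimbra server.
self_test() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=zimbra.example.com' \
        -keyout "$d/commercial.key" -out "$d/commercial.crt" 2>/dev/null
    fp=$(cert_fingerprint "$d/commercial.crt")
    rm -rf "$d"
    printf '%s\n' "$fp"
}

# Usage on the server, after the restart:
#   check_deployed zimbra.example.com /opt/zimbra/ssl/zimbra/commercial/commercial.crt
self_test
```

A MISMATCH on 443 alone usually means the proxy or mailboxd was not restarted; a mismatch on every port means deploycrt was run against a different commercial.crt than the one you are comparing with.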

Automated Shell Script

Below is a script I used to do this on ZCS 7.0.0 NE. My cert is stored on a wiki. This script will download it and install it to Zimbra.

#!/bin/bash
################################################################################
# install-ssl-certs.sh - Thu Feb 17 08:00:42 PST 2011 - dlbewley
#-------------------------------------------------------------------------------
# Download wildcard cert from Wiki and install them in Zimbra.
#
# Also See:
# o http://wiki.zimbra.com/wiki/Preexisting_Certifcate_Installation_for_Zimbra_6.0
################################################################################

# wiki ssl cert page. The private key is fetched from here too, so this URL
# should be https and the page readable only by the people who run this script.
BASE_URL='http://wiki/download/attachments/44290464'
CURL='curl --silent --fail --output'

if [ ! -d '/opt/zimbra/ssl/zimbra' ]; then
    echo "Please Run me on the Zimbra server."
    exit 1
fi

if [ "$(whoami)" != "root" ]; then
    echo "Please run me as the user 'root'."
    exit 1
fi

# mktemp -d creates the directory mode 0700; the trap removes it (and the
# downloaded key) on every exit path, not only after a successful run.
scratch=$(mktemp -d /tmp/ssl.XXXXXX)
trap 'rm -rf "$scratch"' EXIT
echo "Temp output going to $scratch/"

# get certs
echo "$0: Downloading cert."
$CURL "$scratch/commercial_ca.crt" "$BASE_URL/gd_bundle.crt" \
    || { echo "404! Did a wiki path change?"; exit 1; }
$CURL "$scratch/commercial.key" "$BASE_URL/wildcard.domain.key" \
    || { echo "404! Did a wiki path change?"; exit 1; }
$CURL "$scratch/commercial.crt" "$BASE_URL/wildcard.domain.com.crt" \
    || { echo "404! Did a wiki path change?"; exit 1; }

# stage certs: only the private key has to be placed by hand; deploycrt copies
# the certificate into /opt/zimbra/ssl/zimbra/commercial and appends the chain
cp -p "$scratch/commercial.key" /opt/zimbra/ssl/zimbra
cp -p "$scratch/commercial_ca.crt" /opt/zimbra/conf/ca/commercial_ca.pem
mv "$scratch/commercial.key" /opt/zimbra/ssl/zimbra/commercial

# install certs
echo "$0: Verifying cert."
/opt/zimbra/bin/zmcertmgr verifycrt comm \
        /opt/zimbra/ssl/zimbra/commercial.key "$scratch/commercial.crt" "$scratch/commercial_ca.crt" \
    || { echo "Certificate and key do not match."; exit 1; }

echo "$0: Deploying cert."
/opt/zimbra/bin/zmcertmgr deploycrt comm \
    "$scratch/commercial.crt" "$scratch/commercial_ca.crt" \
    || { echo "Failed to deploy."; exit 1; }

# deploycrt has already imported the chain into cacerts as zcs-user-commercial_ca,
# so keytool will ask "Certificate already exists ... Do you still want to add
# it?"; this second import under alias "root" mirrors the manual steps above.
echo "$0: Adding cert to cacerts.."
/opt/zimbra/java/bin/keytool -import -alias root -keystore \
    /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit \
    -file /opt/zimbra/conf/ca/commercial_ca.pem \
    || { echo "Failed to install in jetty."; exit 1; }

# the scratch directory is removed by the trap; mailboxd still has to be
# restarted (su - zimbra -c 'zmmailboxdctl restart') before jetty serves the
# new certificate
echo "$0: Done."

It is a good idea to deploy the certificate from a directory outside /opt/zimbra/ssl/zimbra/commercial/. It is not necessary to copy all files to that directory; the only file that you need to copy is the private key (commercial.key). Run verifycrt and deploycrt from /root/certs.

There is no need to manually add the chain to the cacerts Java keystore. You can simply execute this command as root and then restart the mailbox service:

/opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/commercial.crt
su - zimbra
zmmailboxdctl restart

Please check your CA's web site to get the correct CA bundle for the certificate you purchased, e.g. Comodo's "Essential CA" bundle at https://support.comodo.com/index.php?_m=downloads&_a=downloadfile&downloaditemid=66
Verified Against: ZCS 6.0.x
Date Created: 10/26/2010
Article ID: https://wiki.zimbra.com/index.php?title=Preexisting_Certifcate_Installation_for_Zimbra_6.0
Date Modified: 2012-03-05


