Preexisting Certificate Installation for Zimbra 6.0


Revision as of 19:57, 26 October 2010

Admin Article. This article applies to ZCS 6.0.

Zimbra makes it extremely easy to install either a self-signed certificate or a commercial certificate issued specifically for the Zimbra server. If, on the other hand, you want to install a certificate that was created somewhere else (such as a wildcard certificate for your domain), the procedure is a bit more involved.

First, make sure that the file that will become commercial_ca.crt contains every CA certificate needed for a complete chain from your server certificate up to a root. With a COMODO Multi-Domain Certificate you receive two CA certificates: UTNAddTrustServerCA.crt (the intermediate that signed your certificate) and AddTrustExternalCARoot.crt (the root). Other commercial CAs ship a similar set. Concatenate them in chain order, the issuer of your server certificate first and the root last: zmcertmgr appends this file verbatim to the server certificate, and a TLS client expects each certificate in the chain to be followed by the one that signed it. Make sure each file ends with a newline, otherwise the END line of one certificate and the BEGIN line of the next run together and the bundle will not parse:

cat UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt > ca_bundle.crt

Become root, make a directory to work in and copy the files over. There are many ways to do this; I used scp. The private key is the sensitive part: keep it readable by root only (mode 600) while it sits in this directory, and remove the working copies once the deployment has succeeded.

mkdir /root/certs
cd /root/certs
scp user@otherserver.domain.com:domain.com.crt .
scp user@otherserver.domain.com:domain.com.key .
scp user@otherserver.domain.com:ca_bundle.crt .

Now you need to rename the files to what Zimbra expects:

mv /root/certs/domain.com.crt /root/certs/commercial.crt
mv /root/certs/domain.com.key /root/certs/commercial.key
mv /root/certs/ca_bundle.crt /root/certs/commercial_ca.crt
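At this point all three files sit in /root/certs, and the mistakes that usually surface only later (a key that does not belong to the certificate, a CA bundle in the wrong order, a missing intermediate) can be checked with plain openssl before anything is copied into /opt/zimbra. The script below is an added example and is not part of the original article or of Zimbra's tools: it builds a throwaway root, intermediate and wildcard server certificate for *.example.com in a temporary directory, assembles the bundle both correctly and with the root first, and runs the checks. The function names, the demo CA names and the paths are assumptions made for the example; point check_pair, check_order and verify_chain at /root/certs/commercial.key, commercial.crt and commercial_ca.crt to check real files.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): sanity checks for the key, the
# certificate and the CA bundle before handing them to zmcertmgr. Only
# openssl is needed. The demo PKI, the *.example.com name and all paths
# are constructed for this example.
set -eu

# "match" if the certificate carries the public half of the private key.
# This is the same property zmcertmgr verifycrt checks first.
check_pair() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    if [ "$crt_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Write the CA bundle in the order given: the issuer of the server
# certificate first, the root last. Each input must end with a newline or
# the END/BEGIN lines of neighbouring certificates run together.
build_bundle() {
    out=$1; shift
    : > "$out"
    for c in "$@"; do cat "$c" >> "$out"; done
}

# "ORDERED" if every certificate in the bundle is followed by its issuer,
# which is what a TLS client expects in the chain the server sends.
# pkcs7 -print_certs lists the subject/issuer pairs in file order.
check_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk 'BEGIN { n = 0 }
         /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
         /^issuer=/  { sub(/^issuer=/, "");  iss[n] = $0; n++ }
         END {
             if (n == 0) { print "EMPTY"; exit }
             for (k = 0; k < n - 1; k++)
                 if (iss[k] != subj[k + 1]) { print "OUT-OF-ORDER"; exit }
             print "ORDERED"
         }'
}

# "OK" if the server certificate chains up to a root found in the bundle;
# "FAIL" if an intermediate is missing, which is what an incomplete
# commercial_ca.crt looks like.
verify_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Throwaway root -> intermediate -> wildcard server certificate, built in $1.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' > "$d/srv.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=*.example.com' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/srv.ext" -out "$d/server.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    build_bundle "$d/commercial_ca.crt" "$d/int.crt" "$d/root.crt"   # issuer first, root last
    build_bundle "$d/reversed_ca.crt"   "$d/root.crt" "$d/int.crt"   # root first: wrong
    echo "key/cert pair:         $(check_pair "$d/server.crt" "$d/server.key")"
    echo "bundle order:          $(check_order "$d/commercial_ca.crt")"
    echo "reversed bundle order: $(check_order "$d/reversed_ca.crt")"
    echo "chain with bundle:     $(verify_chain "$d/server.crt" "$d/commercial_ca.crt")"
    echo "chain with root only:  $(verify_chain "$d/server.crt" "$d/root.crt")"
    rm -rf "$d"
}

demo
```

Note that openssl verify accepts a bundle in either order, so a passing verify_chain does not prove the order is right; check_order is the test for that. Once the certificate is deployed, the chain the server actually sends can be inspected from another host with openssl s_client -showcerts.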

Next, copy the files to where Zimbra expects them. The private key has to end up in two places: /opt/zimbra/ssl/zimbra/commercial.key, which is the path passed to verifycrt below, and /opt/zimbra/ssl/zimbra/commercial/commercial.key, which deploycrt reads:

cp /root/certs/commercial.key /opt/zimbra/ssl/zimbra
cp /root/certs/commercial.crt /opt/zimbra/ssl/zimbra
cp /root/certs/commercial_ca.crt /opt/zimbra/ssl/zimbra
mv /root/certs/commercial.key /opt/zimbra/ssl/zimbra/commercial

Then you use Zimbra's certificate importer tools. First, check that the key and the certificate really are a matching pair and that the certificate validates against the CA chain. Run this from /root/certs, because the last two arguments are relative paths:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key commercial.crt commercial_ca.crt

If you see something like

** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial.key) match.
Valid Certificate: commercial.crt: OK

everything is O.K. Now we need to deploy the cert:

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

The response should be something like

** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

Finally, import the CA chain into the trust store of Zimbra's JRE so that mailboxd (Jetty) trusts it. The deploycrt output above already shows the chain being imported into CACERTS as zcs-user-commercial_ca, so this step is normally redundant, but it is harmless. Note that the command spans two lines: either use the backslash as shown, or paste both lines as one command without the backslash. Also, the password really is "changeit", the default password of the Java cacerts store; don't be like me and spend forever trying to figure out what to change it to.

/opt/zimbra/java/bin/keytool -import -alias root -keystore \
/opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

In most cases you will get the following, because the chain is already in the store under zmcertmgr's alias (and it will certainly be there if you are redeploying a renewed certificate from the same CA); answering yes simply adds a second copy under the alias root:

Certificate already exists in keystore under alias <zcs-user-commercial_ca>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

Last but not least restart Zimbra:

/etc/init.d/zimbra restart

Now we're done. To check that everything works as expected, look at the new certificate in the Zimbra Admin GUI, or, from another machine, run openssl s_client -connect mail.domain.com:443 -showcerts (and -starttls smtp against port 25 for the MTA) and confirm that the server sends your certificate followed by the intermediate, with no "unable to get local issuer certificate" error.

Verified Against: ZCS 6.0.x Date Created: 10/26/2010
Article ID: https://wiki.zimbra.com/index.php?title=Preexisting_Certifcate_Installation_for_Zimbra_6.0 Date Modified: 2010-10-26


