Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0
Revision as of 03:35, 7 December 2006
Self Signed Certificate Instructions
If you're working with a commercial certificate, do *NOT* use this page - go here instead
- To clean out the existing SSL certificates and create a new self-signed certificate, follow these steps.
Back up existing certificates
- This backs up the default certificates created by zmcreateca and zmcreatecert:
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
- This backs up the server's working certificate files. Both tarballs contain private keys (ca.key, server.key, the tomcat keystore), so keep them readable only by root or zimbra and remove them from /tmp once the new certificate is confirmed working:
cd /opt/zimbra/
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts
Delete and re-create SSL Directory (as root)
su -
rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl
Give the zimbra user write access to the cacerts keystore
- On Linux the Java cacerts file is part of the ZCS installation.
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
- On Mac OS X the Java cacerts file is part of the system's Java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
Remove the self-signed root certificate from the cacerts keystore
- Mac OS X
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
- Linux
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
Delete the server cert from the tomcat keystore (as zimbra)
su - zimbra
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
Perform optional configuration
- If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in
Workaround: the default_days value in zmssl.cnf.in is ignored (bug http://bugzilla.zimbra.com/show_bug.cgi?id=12228). Until that is fixed you need to edit the number of days in zmcreateca and zmcreatecert themselves.
- If you want the common name to show up in the CA as your hostname rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers. Please note: I probably have unnecessary steps in this section, but this is what I did to get it working for me.
vi /opt/zimbra/conf/zmssl.cnf.in
[change section to appear as below]
0.organizationName = Zimbra
0.organizationName_default = Zimbra
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Zimbra
organizationalUnitName_default = Zimbra
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
commonName_max = 64
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
Create the CA certificate (as zimbra)
zmcreateca
- (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:
...
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname>
Getting Private key
unable to write 'random state'
Install server ca files
- After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
Create the server certificate (as zimbra)
zmcreatecert
Install the server certificate files (as zimbra)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
- I don't know what the CA cert stored in LDAP is used for, or if it is used at all, but it is *not* updated by the above steps. To update the CA cert and key in LDAP (as zimbra):
cat /opt/zimbra/ssl/ssl/ca/ca.key
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----
[paste the contents of ca.key from above - I needed to construct this whole command in a text editor then paste into the CLI]
-----END RSA PRIVATE KEY-----"
cat /opt/zimbra/ssl/ssl/ca/ca.pem
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "-----BEGIN TRUSTED CERTIFICATE-----
[paste the contents of ca.pem from above - I needed to construct this whole command in a text editor then paste into the CLI]
-----END TRUSTED CERTIFICATE-----"
Note that passing ca.key on the command line leaves the CA private key in the zimbra user's shell history (and in the process list while zmprov runs), so remove that history entry afterwards.
- You can now see your updated certs in LDAP and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra):
zmprov gcf zimbraCertAuthorityKeySelfSigned
zmprov gcf zimbraCertAuthorityCertSelfSigned
Restart zimbra services
- It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
zmcontrol stop
zmcontrol start
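The script below is an added example, not part of this wiki page or of ZCS: a set of bash checks, run as the zimbra user after the restart, that confirm the rebuilt certificates are the ones actually in play. It verifies that server.crt really chains to the new ca.pem (a stale server certificate from the old CA fails this), that the copy of the CA stored in LDAP matches the on-disk ca.pem, and that the certificate lifetime is what you intended after the default_days workaround. It normalises the "TRUSTED CERTIFICATE" block that zmcreateca writes into ca.pem to a plain CERTIFICATE block first, since not every consumer accepts the trusted form. The file paths are the ones this page uses; the script name zmcertcheck.sh, the function names, the environment-variable overrides and the step of exporting the LDAP copy of the CA to a file are this example's own assumptions.

```bash
#!/bin/bash
# Added example, not from the ZCS wiki page: sanity checks for a rebuilt
# self-signed CA and server certificate. Run as the zimbra user after
# zmcontrol start. Default paths are the ones the page uses; the function
# names and the LDAP_CA_PEM input are this example's assumptions.

CA_PEM=${CA_PEM:-/opt/zimbra/ssl/ssl/ca/ca.pem}
SERVER_CRT=${SERVER_CRT:-/opt/zimbra/ssl/ssl/server/server.crt}
CACERTS=${CACERTS:-/opt/zimbra/java/jre/lib/security/cacerts}

# zmcreateca writes ca.pem as a "TRUSTED CERTIFICATE" block (certificate plus
# OpenSSL trust attributes). Rewrite it as a plain CERTIFICATE block, which
# every consumer accepts. Usage: plain_cert IN OUT
plain_cert() {
    openssl x509 -in "$1" -out "$2"
}

# SHA-1 fingerprint of a certificate file ("AB:CD:..."), header-agnostic.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null | sed 's/^.*=//'
}

# 0 if both files hold the same certificate, e.g. the on-disk ca.pem and the
# copy exported from LDAP with: zmprov gcf zimbraCertAuthorityCertSelfSigned
same_cert() {
    local a b
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if SERVER_CRT was signed by CA_PEM; a leftover cert from the old CA fails.
# Usage: chains_to_ca CA_PEM SERVER_CRT
chains_to_ca() {
    local plain rc=1
    plain=$(mktemp) || return 1
    if plain_cert "$1" "$plain" 2>/dev/null \
       && openssl verify -CAfile "$plain" "$2" >/dev/null 2>&1; then
        rc=0
    fi
    rm -f "$plain"
    return $rc
}

# 0 if the certificate is still valid DAYS from now. Use it to confirm the
# default_days workaround took effect (the page's default is 365 days).
# Usage: valid_for_at_least_days CERT DAYS
valid_for_at_least_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if ALIAS exists in a Java keystore (e.g. my_ca in cacerts, tomcat in the
# tomcat keystore). Usage: keystore_has_alias KEYSTORE STOREPASS ALIAS
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Run every check; prints one line per check and returns non-zero if any failed.
# Usage: check_all CA_PEM SERVER_CRT [LDAP_CA_PEM] [MIN_DAYS]
check_all() {
    local ca=$1 srv=$2 ldap_ca=${3:-} min_days=${4:-30} failed=0
    echo "CA fingerprint:     $(cert_fingerprint "$ca")"
    echo "server fingerprint: $(cert_fingerprint "$srv")"
    if chains_to_ca "$ca" "$srv"; then echo "server cert chains to CA: ok"
    else echo "server cert chains to CA: FAILED (stale cert or wrong CA?)"; failed=1; fi
    if [ -n "$ldap_ca" ]; then
        if same_cert "$ca" "$ldap_ca"; then echo "LDAP copy of CA matches ca.pem: ok"
        else echo "LDAP copy of CA matches ca.pem: FAILED (zmprov mcf not done?)"; failed=1; fi
    fi
    if valid_for_at_least_days "$srv" "$min_days"; then echo "server cert valid >= $min_days days: ok"
    else echo "server cert valid >= $min_days days: FAILED"; failed=1; fi
    # Informational only: the page does not say whether my_ca is re-added.
    if command -v keytool >/dev/null 2>&1; then
        if keystore_has_alias "$CACERTS" changeit my_ca; then echo "my_ca in cacerts: present"
        else echo "my_ca in cacerts: absent"; fi
    fi
    return $failed
}

# Stand-alone use: bash zmcertcheck.sh CA_PEM SERVER_CRT [LDAP_CA_PEM] [MIN_DAYS]
if [ "$#" -ge 2 ]; then
    check_all "$1" "$2" "${3:-}" "${4:-30}"
fi
```

To check the LDAP copy, first export it with `zmprov gcf zimbraCertAuthorityCertSelfSigned`, strip the attribute-name prefix so only the PEM block remains, and save it to a file, then run `bash zmcertcheck.sh /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/ssl/ssl/server/server.crt /tmp/ldap-ca.pem 300`. Only the public CA certificate is exported this way; the key attribute is left alone.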
Note about 'unable to write random state'
This is a "harmless" warning: openssl could not write its random number seed file (by default ~/.rnd, or the file named by the RANDFILE environment variable). The full story is available from openssl.org.