Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0: Difference between revisions

Revision as of 03:35, 7 December 2006

Self Signed Certificate Instructions

If you're working with a commercial certificate, do *NOT* use this page - go here instead

* To clean up the SSL certificates and recreate a new self-signed cert, follow these steps.

===Back up existing certificates===

* This backs up the default certificates created by zmcreateca and zmcreatecert:
  tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
* This backs up the server's working certificate files:
  cd /opt/zimbra/
  tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts
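Both tar commands above write private keys (ca.key, server.key, the Tomcat keystore) into /tmp with whatever umask the caller happens to have, so the archive can end up readable by every local account. The following shell function is an added example, not part of the wiki page: it creates the archive so that only its owner can read it and then verifies the archive is readable and non-empty. The directory layout and file names used when exercising it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki page): back up a Zimbra SSL
# directory into an archive that only the creating user can read, then
# verify that tar can list it and that it is not empty.
#
# Usage: backup_ssl_dir <source_dir> <archive_path>
backup_ssl_dir() {
    src="$1"
    out="$2"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    # Create the archive under umask 077 so it is born mode 0600; a chmod
    # afterwards would leave a window in which it is world-readable.
    ( umask 077 && tar -cf "$out" -C "$(dirname "$src")" "$(basename "$src")" ) || return 1
    # Verify: tar must be able to read it back and it must contain entries.
    count=$(tar -tf "$out" | grep -c . || true)
    [ "$count" -gt 0 ] || { echo "archive $out is empty" >&2; return 1; }
    echo "archived $count entries from $src into $out"
    return 0
}

# Return 0 if the file is readable and writable by its owner only (-rw-------).
# Only the first ten mode characters are compared, so an ACL/xattr marker in
# column 11 on some systems does not affect the check.
owner_only() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Example run on a constructed directory (replace with /opt/zimbra/ssl on a real host):
# backup_ssl_dir /opt/zimbra/ssl /tmp/zimbra-ssl-bak.tar && owner_only /tmp/zimbra-ssl-bak.tar
```

Run it as the same user that will later restore the archive; the restrictive mode means root or that user, nobody else, can read the keys back out.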

===Delete and re-create SSL Directory (as root)===

  su -
  rm -rf /opt/zimbra/ssl
  mkdir /opt/zimbra/ssl
  chown zimbra:zimbra /opt/zimbra/ssl

===Give the zimbra user write access to the cacerts keystore===

* On Linux the Java cacerts file is part of the ZCS installation.
  chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
  chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
* On Mac OS X the Java cacerts file is part of the system's Java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.
  chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
  chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts

===Remove the self-signed root certificate from the cacerts keystore===

* Mac OS X
  keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
* Linux
  keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

===Delete the server cert from the tomcat keystore (as zimbra)===

  su - zimbra
  keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

===Perform optional configuration===

* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in

''Workaround: zmssl.cnf.in default_days is ignored. Currently you will need to edit zmcreateca and zmcreatecert.'' Bug is http://bugzilla.zimbra.com/show_bug.cgi?id=12228

* If you want the common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers. Please note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.
  vi /opt/zimbra/conf/zmssl.cnf.in
  [change section to appear as below]
  0.organizationName              = Zimbra
  0.organizationName_default      = Zimbra
  # we can do this but it is not needed normally :-)
  #1.organizationName             = Second Organization Name (eg, company)
  #1.organizationName_default     = World Wide Web Pty Ltd
  organizationalUnitName          = Zimbra
  organizationalUnitName_default  = Zimbra
  commonName                      = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
  commonName_max                  = 64
  commonName_default              = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>

===Create the CA certificate (as zimbra)===

  zmcreateca
* (OPTIONAL) If you did the optional step to make the CN the hostname for the CA, the output should look like the following:
  ...
  Signature ok
  subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname>
  Getting Private key
  unable to write 'random state'

===Install server CA files===

* After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):
  cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
  cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem

===Create the server certificate (as zimbra)===

  zmcreatecert

===Install the server certificate files (as zimbra)===

  zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
  zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
* I don't know what the CA cert stored in LDAP is used for, or if it is used at all, but it is *not* updated by the above steps. To update the CA cert (as zimbra):
  cat /opt/zimbra/ssl/ssl/ca/ca.key
  zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----
  [paste the contents of ca.key from above - I needed to construct this whole command in a text editor then paste into the CLI]
  -----END RSA PRIVATE KEY-----"
  cat /opt/zimbra/ssl/ssl/ca/ca.pem
  zmprov -l mcf zimbraCertAuthorityCertSelfSigned "-----BEGIN TRUSTED CERTIFICATE-----
  [paste the contents of ca.pem from above - I needed to construct this whole command in a text editor then paste into the CLI]
  -----END TRUSTED CERTIFICATE-----"

* You can see your updated certs in LDAP now and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra):
  zmprov gcf zimbraCertAuthorityKeySelfSigned
  zmprov gcf zimbraCertAuthorityCertSelfSigned
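Pasting a multi-line PEM block into a quoted zmprov argument by hand, as the LDAP update step above requires, is error-prone. The shell function below is an added example, not part of the wiki page or of Zimbra: it reads ca.key and ca.pem from files, checks that each starts and ends with the PEM markers it should (so a swapped or truncated file is rejected before anything reaches LDAP), and passes the whole block as one argument with `"$(cat file)"`, which is exactly what the text-editor paste achieves. The zmprov binary is taken from the `$ZMPROV` variable, an assumption made only so the function can be exercised against a stub; on a real host leave it unset. One caveat the page does not mention: in both the hand-typed and the scripted form the private key becomes a command-line argument, which is visible to other users' `ps` output while zmprov runs and is recorded in shell history if typed interactively, so run it from a script and clear the history afterwards.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki page): load the self-signed CA key
# and certificate into the LDAP config attributes named on the page,
# validating the PEM files first.  ZMPROV is an assumption for testing only.

# Return 0 if file $1 starts with "-----BEGIN ...$2-----" and ends with the
# matching END marker.  $2 is a label suffix such as "PRIVATE KEY" or
# "CERTIFICATE", so both "RSA PRIVATE KEY" and "TRUSTED CERTIFICATE" pass.
pem_looks_like() {
    [ -r "$1" ] || return 1
    head -n 1 "$1" | grep -q "^-----BEGIN .*$2-----\$" &&
    tail -n 1 "$1" | grep -q "^-----END .*$2-----\$"
}

# Usage: push_ca_to_ldap <ca.key> <ca.pem>
push_ca_to_ldap() {
    key="$1"; pem="$2"
    zmprov="${ZMPROV:-zmprov}"
    pem_looks_like "$key" "PRIVATE KEY" || { echo "$key is not a PEM private key" >&2; return 1; }
    pem_looks_like "$pem" "CERTIFICATE" || { echo "$pem is not a PEM certificate" >&2; return 1; }
    # Refuse a key file that anyone other than its owner can read; the page's
    # cp step should have left it owner-only.
    case "$(ls -l "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "warning: $key is readable by group/other" >&2 ;;
    esac
    # The quoted command substitution hands the entire multi-line block to
    # zmprov as a single argument, mirroring the page's quoted paste.
    "$zmprov" -l mcf zimbraCertAuthorityKeySelfSigned "$(cat "$key")" || return 1
    "$zmprov" -l mcf zimbraCertAuthorityCertSelfSigned "$(cat "$pem")" || return 1
}

# Real-host usage (as zimbra, from a script rather than an interactive shell):
# push_ca_to_ldap /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/ssl/ssl/ca/ca.pem
```

Afterwards the page's `zmprov gcf` commands show what LDAP now holds; compare that output against the two files rather than trusting the update blindly.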

===Restart zimbra services===

* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
  zmcontrol stop
  zmcontrol start

===Note about 'unable to write random state'===

This is a "harmless" warning that OpenSSL has no random number seed file to update; the full story is available from openssl.org.
