Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0: Difference between revisions
Revision as of 00:48, 7 April 2008
Self Signed Certificate Instructions
WARNINGS
- If you're working with a commercial certificate, do *NOT* use this page - go to the Commercial Certificates page instead
- Please read all instructions and pay attention to the specific 4.5 (and prior) vs 5.0 sections and notes.
- V5.0 will include a Certificates area in the Tools section of the admin interface, so you might try using that first.
To clean up SSL certificates and recreate a new self-signed cert:
Why recreate my certificates?
If you're seeing an error like this when you run zmprov:
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006 ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)
your certs have expired and need to be recreated.
Back up existing certificates
- This backs up the default certificates created by zmcreateca and zmcreatecert:
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
- This backs up the server's working certificate files:
cd /opt/zimbra/
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts
Delete and re-create SSL Directory (as root)
su -
rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl
Give the zimbra user write access to the cacerts keystore
- On Linux the Java cacerts file is part of the ZCS installation.
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
- On Mac OS X the Java cacerts file is part of the system's Java installation. Either run the "keytool -delete ..." command in the next section as root, or give write access to the zimbra user:
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
Remove the self-signed root certificate from the cacerts keystore (as zimbra)
- Mac OS X
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
- Linux
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
Delete the server cert from the mailboxd keystore (as zimbra)
- For ZCS up to 4.5.x (tomcat)
su - zimbra
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
- For ZCS 5.0+ (mailboxd/jetty)
su - zimbra
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra
- The storepass is normally stored in localconfig; to look it up:
su - zimbra
zmlocalconfig -s -m nokey tomcat_keystore_password
or for 5.0 (jetty)
su - zimbra
zmlocalconfig -s -m nokey mailboxd_keystore_password
Perform optional configuration
- If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in
Workaround: the zmssl.cnf.in default_days setting is ignored. Currently you will need to edit zmcreateca and zmcreatecert instead. The bug is tracked at http://bugzilla.zimbra.com/show_bug.cgi?id=12228
- If you want the common name in the CA to show up as your hostname rather than 'Zimbra Collaboration Suite' (because you have several Zimbra servers), edit the subject section of zmssl.cnf.in as shown below. Please Note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.
vi /opt/zimbra/conf/zmssl.cnf.in
[change section to appear as below]
0.organizationName = Zimbra
0.organizationName_default = Zimbra
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Zimbra
organizationalUnitName_default = Zimbra
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
commonName_max = 64
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
Create the CA certificate (as zimbra)
- for 4.*
zmcreateca
- for 5.* (as root)
/opt/zimbra/bin/zmcertmgr createca -new
- (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:
...
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname>
Getting Private key
unable to write 'random state'
Install server ca files
- After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra, 4.*):
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
- 5.* (as root)
/opt/zimbra/bin/zmcertmgr deployca -localonly
Create the server certificate (as zimbra)
- 4.*
zmcreatecert
- 5.* (as root)
/opt/zimbra/bin/zmcertmgr createcrt self -new
# Optional
/opt/zimbra/bin/zmcertmgr verifycrt self
If you wish to have several names on the certificate (4.*), supply them as arguments to zmcreatecert:
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com
Install the server certificate files (as zimbra)
- For Tomcat (ZCS up to 4.5.x)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
- For Mailboxd (ZCS < 5.0.3)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/mailboxd.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
- To update CA cert stored in LDAP (as zimbra, 4.x):
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"
- 5.x (as root)
/opt/zimbra/bin/zmcertmgr deploycrt self
- You can now see your updated certs in LDAP and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra):
zmprov -l gcf zimbraCertAuthorityKeySelfSigned
zmprov -l gcf zimbraCertAuthorityCertSelfSigned
Restart zimbra services
- It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
zmcontrol stop
zmcontrol start
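Before restarting, it is worth confirming that the new CA and server certificate are valid, that the server certificate really was signed by the new CA (not the old one left in a keystore), and that the CA copy in /opt/zimbra/conf/ca matches the one in /opt/zimbra/ssl/ssl/ca, since the expiry error at the top of this page is exactly what a stale set produces. The POSIX shell script below is an added example, not part of the Zimbra wiki or of ZCS's own tooling; it assumes openssl is on the PATH, uses the 4.x paths from this page as defaults, and the function and variable names are its own.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: post-recreation checks for
# the self-signed CA and server certificate. Default paths are the ZCS 4.x
# locations used above; pass other paths as arguments for 5.x or Mac OS X.

# Succeeds if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the server certificate $1 was issued by the CA certificate $2.
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds if two PEM files hold the same certificate, e.g. the CA written to
# /opt/zimbra/ssl/ssl/ca/ca.pem and the copy in /opt/zimbra/conf/ca/ca.pem
# (or a copy saved from "zmprov -l gcf zimbraCertAuthorityCertSelfSigned").
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Runs all checks and returns non-zero if any fails, so a wrapper can refuse
# to run "zmcontrol stop; zmcontrol start" on a broken certificate set.
zimbra_cert_report() {
    ca="${1:-/opt/zimbra/ssl/ssl/ca/ca.pem}"
    srv="${2:-/opt/zimbra/ssl/ssl/server/server.crt}"
    ca_copy="${3:-/opt/zimbra/conf/ca/ca.pem}"
    rc=0
    if cert_valid_for_days "$ca" 30; then echo "CA cert: valid for >30 days"
    else echo "CA cert: expired or expiring within 30 days"; rc=1; fi
    if cert_valid_for_days "$srv" 30; then echo "server cert: valid for >30 days"
    else echo "server cert: expired or expiring within 30 days"; rc=1; fi
    if cert_signed_by_ca "$srv" "$ca"; then echo "server cert: chains to CA"
    else echo "server cert: NOT signed by $ca (old cert still installed?)"; rc=1; fi
    if same_cert "$ca" "$ca_copy"; then echo "CA copy: matches $ca"
    else echo "CA copy: $ca_copy differs from $ca"; rc=1; fi
    return "$rc"
}

# Run the report when invoked directly; with no arguments the ZCS 4.x
# defaults are used, but only if that layout actually exists on this host.
if [ "$#" -gt 0 ] || [ -f /opt/zimbra/ssl/ssl/ca/ca.pem ]; then
    zimbra_cert_report "$@"
fi
```

Run it as the zimbra user with no arguments on a 4.x install, or pass the CA, server certificate and CA-copy paths for a 5.x layout; a non-zero exit means one of the checks printed a failure.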
Other Possible Issues
Note about 'unable to write random state':
This is a "harmless" warning that openssl has no random number seed file. The full story is available from openssl.org.
Permission denied (publickey,gssapi-with-mic)
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html