Difference between revisions of "Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0"

Edit summaries of the two revisions compared:
(Clarifying introduction and restructuring sections)
(Adding Article Footer & minor editing)

Changes between the two revisions (wiki markup; unchanged lines shown without a marker):

Line 1:
  This article contains information on recreating a self-signed SSL certificate.
- '''''Important:'''If you are working with a commercial certificate, do not use this page.''
+ '''''Important:''' If you are working with a commercial certificate, do not use this page.''
- =Note on ZCS Versions=
+ =ZCS Version=
  This article contains information for both ZCS 4.5.x and 5.0.x. Please read all instructions with particular attention to version specific sections and notes before attempting to recreate a self-signed SSL certificate. If you are using ZCS 5.0, it is recommended that you first try using the Administration Console Certificates tool, discussed further in the [[Administration_Console_and_CLI_Certificate_Tools]] Article. This tool simplifies and speeds the process of recreating a self-signed SSL certificate.

Line 157:
  http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html
+
+ {{Article Footer|ZCS 4.5.x & 5.0.x|2/23/2006}}
  [[Category:SSL/TLS]]
Revision as of 00:09, 20 September 2008

This article contains information on recreating a self-signed SSL certificate.

Important: If you are working with a commercial certificate, do not use this page.

ZCS Version

This article contains information for both ZCS 4.5.x and 5.0.x. Please read all instructions with particular attention to version specific sections and notes before attempting to recreate a self-signed SSL certificate. If you are using ZCS 5.0, it is recommended that you first try using the Administration Console Certificates tool, discussed further in the Administration_Console_and_CLI_Certificate_Tools Article. This tool simplifies and speeds the process of recreating a self-signed SSL certificate.
To clean up the existing SSL certificates and recreate a self-signed certificate, follow the steps below.

Why Recreate My Certificates?

Your certificates are expired and need to be recreated if you see an error like this when you run zmprov.

[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost)    
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)

Instructions for Recreating a Self-Signed SSL Certificate

Back up existing certificates

  • This backs up the default certificates created by zmcreateca and zmcreatecert:
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
  • This backs up the server's working certificate files:
cd /opt/zimbra/
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts

Delete and re-create SSL Directory (as root)

su -
rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl

Give the zimbra user write access to the cacerts keystore (4.5 only)

If you are running ZCS 4.5, give the zimbra user write access to the cacerts keystore. If you are running ZCS 5.0.x, skip this step.

  • On linux the java cacerts file is a part of the ZCS installation.
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
  • On Mac OS X the java cacerts file is a part of the system's java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts

Remove the self-signed root certificate from the cacerts keystore (as zimbra)

  • Mac OS X
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
  • Linux
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

Delete the server cert from the mailboxd keystore (as zimbra)

  • For ZCS up to 4.5.x (tomcat)
su - zimbra
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
  • For ZCS 5.0+ (mailboxd/jetty)
su - zimbra
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra
  • The keystore password (storepass) is normally stored in localconfig and can be displayed with:
su - zimbra
zmlocalconfig -s -m nokey tomcat_keystore_password

or for 5.0 (jetty)

su - zimbra
zmlocalconfig -s -m nokey mailboxd_keystore_password

Perform optional configuration

  • If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in

Workaround: the default_days setting in zmssl.cnf.in is ignored. Currently you will need to edit zmcreateca and zmcreatecert directly; the bug is tracked at http://bugzilla.zimbra.com/show_bug.cgi?id=12228

  • If you want the common name to show up in the CA as your hostname rather than 'Zimbra Collaboration Suite' (for example because you have several Zimbra servers), edit the file as follows. Please Note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.
vi /opt/zimbra/conf/zmssl.cnf.in
[change section to appear as below]
0.organizationName              = Zimbra
0.organizationName_default      = Zimbra
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName          = Zimbra
organizationalUnitName_default  = Zimbra
commonName                      = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
commonName_max                  = 64
commonName_default              = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>

Create the CA certificate (as zimbra)

  • for 4.*
zmcreateca
  • for 5.* (as root)
/opt/zimbra/bin/zmcertmgr createca -new
  • (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:
...
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname>
Getting Private key
unable to write 'random state'

Install server ca files

  • After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra, 4.*):
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
  • 5.* (as root)
/opt/zimbra/bin/zmcertmgr deployca -localonly

Create the server certificate (as zimbra)

  • 4.*
zmcreatecert
  • 5.* (as root)
/opt/zimbra/bin/zmcertmgr createcrt self -new
# Optional
/opt/zimbra/bin/zmcertmgr verifycrt self

If you wish to have several names on the certificate, supply them as arguments

zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com
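As an added example that is not part of the original article and not Zimbra's own zmcreateca, zmcreatecert or zmcertmgr code, the following POSIX shell script does the same job with plain openssl: it builds a private CA, issues a server certificate that carries several hostnames in subjectAltName (the multi-name case shown above), verifies that the server certificate chains to the CA, and checks expiry the way the CertificateExpiredException in "Why Recreate My Certificates?" would otherwise surprise you after the fact. The directory layout (DIR/ca and DIR/server), the file names, the 2048-bit RSA keys and the example hostnames are this example's own assumptions; the Java keystore steps (keytool) are not covered.

```shell
#!/bin/sh
# Added example: a plain-openssl equivalent of "create CA, create server cert
# with several names, verify" (not Zimbra's zmcreateca/zmcreatecert/zmcertmgr).
# The layout DIR/ca/{ca.key,ca.pem} and DIR/server/{server.key,server.crt} is an
# assumption of this example, loosely mirroring /opt/zimbra/ssl/ssl/.
set -eu

# make_chain DIR DAYS HOST [ALTNAME...]
#  1. write an openssl config whose srv_ext section lists every hostname as a SAN
#  2. create a self-signed CA (basicConstraints CA:TRUE, keyCertSign)
#  3. create the server key + CSR and sign it with the CA
make_chain() {
  dir="$1"; days="$2"; host="$3"; shift 3
  san="DNS:$host"
  for alt in "$@"; do san="$san,DNS:$alt"; done
  mkdir -p "$dir/ca" "$dir/server"
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  # CA key and self-signed CA certificate
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/openssl.cnf" -extensions ca_ext \
    -subj "/O=Example/CN=Example self-signed CA" \
    -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.pem" 2>/dev/null
  # server key and CSR; the CN is the first hostname, all names go into the SAN
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/openssl.cnf" \
    -subj "/O=Example/CN=$host" \
    -keyout "$dir/server/server.key" -out "$dir/server/server.csr" 2>/dev/null
  # sign the CSR with the CA, attaching the srv_ext extensions
  openssl x509 -req -sha256 -days "$days" -in "$dir/server/server.csr" \
    -CA "$dir/ca/ca.pem" -CAkey "$dir/ca/ca.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions srv_ext \
    -out "$dir/server/server.crt" 2>/dev/null
  # private keys must not be world-readable
  chmod 600 "$dir/ca/ca.key" "$dir/server/server.key"
}

# verify_chain DIR: prints "ok" if the server cert chains to the CA, else "fail"
verify_chain() {
  if openssl verify -CAfile "$1/ca/ca.pem" "$1/server/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# cert_sans DIR: prints the DNS names in the server cert's subjectAltName, space separated
cert_sans() {
  openssl x509 -in "$1/server/server.crt" -noout -text \
    | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ $//'
}

# cert_status FILE SECONDS: "valid" if FILE is still valid SECONDS from now,
# "expiring" otherwise (openssl -checkend exits non-zero when it would expire)
cert_status() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo expiring
  fi
}

# Usage: sh make_chain.sh mail.example.test webmail.example.test
if [ $# -gt 0 ]; then
  work=$(mktemp -d)
  make_chain "$work" 365 "$@"
  echo "chain:  $(verify_chain "$work")"
  echo "names:  $(cert_sans "$work")"
  echo "status: $(cert_status "$work/server/server.crt" 2592000)"   # 30 days ahead
  echo "files in $work"
fi
```

Running cert_status against /opt/zimbra/conf/ca/ca.pem and the server certificate with a window of a few weeks is a cheap cron check that catches the expiry before zmprov starts failing; verify_chain is the plain-openssl counterpart of the "zmcertmgr verifycrt self" step above.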

Install the server certificate files (as zimbra)

  • For Tomcat (ZCS up to 4.5.x)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
  • For Mailboxd (ZCS < 5.0.3)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/mailboxd.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
  • To update CA cert stored in LDAP (as zimbra, 4.x):
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"
  • 5.x (as root)
/opt/zimbra/bin/zmcertmgr deploycrt self
 
  • You can see your updated certs in LDAP now and compare them to contents of /opt/zimbra/ssl/ssl/ca (as zimbra)
zmprov -l gcf zimbraCertAuthorityKeySelfSigned 
zmprov -l gcf zimbraCertAuthorityCertSelfSigned

Restart zimbra services

  • It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
zmcontrol stop
zmcontrol start

Troubleshooting

Note about 'unable to write random state':

This is a "harmless" warning that openssl has no random number seed file. The full story is available from openssl.org.

Permission denied (publickey,gssapi-with-mic)

http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html

Verified Against: ZCS 4.5.x & 5.0.x Date Created: 2/23/2006
Article ID: https://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate_in_ZCS_4.5_%26_5.0 Date Modified: 2008-09-20