Difference between revisions of "Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0"

m (Self Signed Certificate Instructions)
(maybe bug in zmcreateca? doesn't copy ca.pem, ca.key to /opt/zimbra/conf/ca)
Line 35: Line 35:
 
:keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br>
 
:keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br>
  
(if you want certificate to last longer than 365 days, edit /opt/zimbra/conf/zmssl.cnf.in and change value for default_days)
+
(if you want the certificate to last longer than 365 days, edit /opt/zimbra/conf/zmssl.cnf.in and change value for default_days)
  
 
:zmcreateca<br>
 
:zmcreateca<br>
 +
 +
(after creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually):
 +
:cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
 +
:cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
 +
 
:zmcreatecert<br>
 
:zmcreatecert<br>
 
:zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br>
 
:zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br>
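Review bot: the two added `cp` lines move the CA private key (ca.key) into /opt/zimbra/conf/ca without saying what ownership and mode it should end up with; the earlier steps only `chown zimbra:zimbra /opt/zimbra/ssl`, and a CA key readable by other local users would undermine every certificate the new CA signs. Suggest following the copies with a check such as `ls -l /opt/zimbra/conf/ca/ca.key` and, since the edit summary says "maybe bug in zmcreateca?", noting the ZCS version on which the missing copy was observed so readers on other versions know whether the manual step still applies.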

Revision as of 21:49, 15 November 2006

Self Signed Certificate Instructions

If you're working with a commercial certificate, don't use this page; go here instead.

To clean up the existing SSL certificates and recreate a self-signed cert, try this.

It won't hurt to back up what you already have:

tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/

as root:

rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl
LINUX ONLY:
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts

(On Mac OS X this file is owned by root, so you'll get "permission denied" if you don't run keytool as root:)

keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit

(On Linux:)

su - zimbra
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit


(back to everybody:)

su - zimbra

keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

(If you want the certificate to last longer than 365 days, edit /opt/zimbra/conf/zmssl.cnf.in and change the value of default_days.)

zmcreateca

(After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually:)

cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
zmcreatecert
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key

It may be necessary to restart the Zimbra servers for the changes to take effect.

su - zimbra
zmcontrol stop
zmcontrol start
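A helper script for the rebuild above, added here as an example; it is not from the Zimbra wiki or from Zimbra's own tooling. It takes the paths as parameters (the real ones are /opt/zimbra/ssl and /opt/zimbra/conf/zmssl.cnf.in), confirms the backup tarball is readable before anything is deleted, changes default_days with a numeric check, verifies that the copied ca.key is not readable by other users, and, when the openssl CLI is present, checks that the installed server cert validates against the new CA. The demo at the end builds a constructed stand-in tree in a temp directory rather than touching a Zimbra install.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki page or Zimbra's tools).
# All paths are parameters; the demo below uses a constructed temp tree.

# Back up a directory into a tar archive and confirm the archive is listable.
# Usage: backup_dir SRC_DIR DEST_TAR
backup_dir() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "backup_dir: $src is not a directory" >&2; return 1; }
    tar -cf "$dest" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    # An archive we cannot list is not a backup we can restore from.
    tar -tf "$dest" >/dev/null 2>&1
}

# Print the current default_days value from an OpenSSL-style config file.
# Usage: get_default_days CNF_FILE
get_default_days() {
    sed -n 's/^[[:space:]]*default_days[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Set default_days (lifetime of the certs zmcreatecert will issue).
# Refuses non-numeric values, keeps a .bak copy, and verifies the edit took.
# Usage: set_default_days CNF_FILE DAYS
set_default_days() {
    cnf=$1; days=$2
    case $days in
        ''|*[!0-9]*) echo "set_default_days: '$days' is not a number" >&2; return 1 ;;
    esac
    [ -f "$cnf" ] || { echo "set_default_days: $cnf not found" >&2; return 1; }
    cp "$cnf" "$cnf.bak" || return 1
    sed "s/^\([[:space:]]*default_days[[:space:]]*=[[:space:]]*\)[0-9][0-9]*/\1$days/" "$cnf.bak" > "$cnf" || return 1
    # Fails if the file had no default_days line, so a silent no-op is caught.
    [ "$(get_default_days "$cnf")" = "$days" ]
}

# Check that a private key grants no permissions to "other" users.
# The CA key copied into /opt/zimbra/conf/ca signs every cert the server trusts.
# Usage: key_is_private KEY_FILE
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -l "$1" | cut -c1-10)
    case $perms in
        ???????---) return 0 ;;
        *) echo "key_is_private: $1 is accessible to others ($perms)" >&2; return 1 ;;
    esac
}

# After zmcertinstall: confirm the server cert validates against the new CA
# and show its expiry. Needs the openssl CLI; not exercised by the demo.
# Usage: check_cert_chain CA_PEM SERVER_CRT
check_cert_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl verify -CAfile "$1" "$2" >/dev/null || return 1
    openssl x509 -in "$2" -noout -enddate
}

# Demo on a constructed stand-in tree (no real keys, no Zimbra paths).
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/ssl/ca" "$work/conf"
    printf 'default_days = 365\n' > "$work/conf/zmssl.cnf.in"
    printf 'constructed placeholder, not a real key\n' > "$work/ssl/ca/ca.key"
    chmod 600 "$work/ssl/ca/ca.key"
    backup_dir "$work/ssl" "$work/zimbra-ssl-bak.tar" && echo "backup ok"
    set_default_days "$work/conf/zmssl.cnf.in" 730 \
        && echo "default_days now $(get_default_days "$work/conf/zmssl.cnf.in")"
    key_is_private "$work/ssl/ca/ca.key" && echo "ca.key permissions ok"
    rm -rf "$work"
}
demo
```

Run the functions against the real paths as the zimbra user (the page's `su - zimbra` step) before the `rm -rf /opt/zimbra/ssl`, and `check_cert_chain /opt/zimbra/conf/ca/ca.pem /opt/zimbra/ssl/ssl/server/tomcat.crt` after `zmcertinstall` to confirm the installed cert really chains to the CA you just created.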

unable to write random state

This is a "harmless" warning that openssl has no random number seed file. The full story is available from openssl.org.
