Difference between revisions of "Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0"

(maybe bug in zmcreateca? doesn't copy ca.pem, ca.key to /opt/zimbra/conf/ca)
(added steps to update CA key and cert certificates stored in LDAP and cleaned up format)
Line 1: Line 1:
 
== Self Signed Certificate Instructions ==
 
== Self Signed Certificate Instructions ==
  
''If you're working with a commercial certificate, don't use this page - go [[Commercial Certificates|here]] instead''
+
''If you're working with a commercial certificate, do *NOT* use this page - go [[Commercial Certificates|here]] instead''
  
To clean up SSL certificates and recreate a new self-signed cert try this.
+
* To clean up SSL certificates and recreate a new self-signed cert try this.
  
it won't hurt to back up what you already have:
+
* First though, it won't hurt to back up what you already have:
<tt>
+
tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
:tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
 
</tt>
 
  
as root:<br>
+
* (EVERYBODY) Delete and re-create SSL Directory (as root):
<tt>
+
su -
:rm -rf /opt/zimbra/ssl
+
rm -rf /opt/zimbra/ssl
:mkdir /opt/zimbra/ssl
+
mkdir /opt/zimbra/ssl
:chown zimbra:zimbra /opt/zimbra/ssl
+
chown zimbra:zimbra /opt/zimbra/ssl
:LINUX ONLY:
 
:chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
 
:chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
 
</tt>
 
  
<tt>
+
* (LINUX ONLY) Additional Steps:
 +
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
 +
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
  
(on mac os x, this file is owned by root so you'll get "permission denied" if you don't import as root:)
+
* (EVERYBODY) Delete CA
:keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br>
+
(Mac OS X ONLY) The file is owned by root so you'll get "permission denied" if you don't import as root:
 +
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br>
 +
(LINUX ONLY)
 +
su - zimbra
 +
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
  
(on linux: )
+
* (EVERYBODY) Delete Tomcat cert (as zimbra):
: su - zimbra
+
su - zimbra
:keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit<br>
+
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
  
 +
* If you want the certificate to last longer than 365 days (as zimbra)
 +
vi /opt/zimbra/conf/zmssl.cnf.in
 +
[change value for default_days as appropriate]
  
(back to everybody:)
+
* Now create the CA (as zimbra)
 +
zmcreateca
  
su - zimbra
+
* After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):
:keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br>
+
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
 +
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
  
(if you want the certificate to last longer than 365 days, edit /opt/zimbra/conf/zmssl.cnf.in and change value for default_days)
+
* Now create the Cert (as zimbra)
 +
zmcreatecert
  
:zmcreateca<br>
+
* Now install the Cert and Key (as zimbra)
 +
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
 +
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
  
(after creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually):
+
* I don't know what the CA cert stored in LDAP is used for, or if it is used at all, but it is *not* updated by the above steps. To update CA cert (as zimbra):
:cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
+
cat /opt/zimbra/ssl/ssl/ca/ca.key
:cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
+
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----
 +
[paste the contents of ca.key from above - I needed to construct this whole command in a text editor then paste into the CLI]
 +
-----END RSA PRIVATE KEY-----"
  
:zmcreatecert<br>
+
cat /opt/zimbra/ssl/ssl/ca/ca.pem
:zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br>
+
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "-----BEGIN TRUSTED CERTIFICATE-----
:zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br>
+
[paste the contents of ca.pem from above - I needed to construct this whole command in a text editor then paste into the CLI]
</tt>
+
-----END TRUSTED CERTIFICATE-----"
 +
 +
* You can see your updated certs in LDAP now and compare them to contents of /opt/zimbra/ssl/ssl/ca (as zimbra)
 +
zmprov gcf zimbraCertAuthorityKeySelfSigned
 +
zmprov gcf zimbraCertAuthorityCertSelfSigned
  
It may be necessary to restart the Zimbra servers for the changes to take effect.
+
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
<tt>
+
zmcontrol stop
:su - zimbra<br>
+
zmcontrol start
:zmcontrol stop<br>
 
:zmcontrol start<br>
 
</tt>
 
  
==unable to write random state==
+
==Note about 'unable to write random state'==
 
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org.
 
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org.
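Review bot: the new `zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----` step pastes the CA private key into the command line, so the key is recorded in the zimbra user's shell history, left in whatever text editor the author built the command in (swap and backup files), and readable in the process list by any local user while zmprov runs; suggest reading it from the file instead, e.g. `zmprov -l mcf zimbraCertAuthorityKeySelfSigned "$(cat /opt/zimbra/ssl/ssl/ca/ca.key)"`, which keeps the key out of history and editor buffers, and adding a sentence that the `-storepass changeit` and `-storepass zimbra` arguments on the keytool lines are exposed the same way. Minor: the revised "(EVERYBODY) Delete CA" item is followed by a Mac-only and a Linux-only keytool command with no statement that a reader runs exactly one of them.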

Revision as of 03:30, 16 November 2006

Self Signed Certificate Instructions

If you're working with a commercial certificate, do *NOT* use this page - go here instead

  • To clean up SSL certificates and recreate a new self-signed cert, try this.
  • First though, it won't hurt to back up what you already have:
tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
  • (EVERYBODY) Delete and re-create SSL Directory (as root):
su -
rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl
  • (LINUX ONLY) Additional Steps:
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
  • (EVERYBODY) Delete CA
(Mac OS X ONLY) The file is owned by root, so you'll get "permission denied" if you don't run keytool as root:
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
(LINUX ONLY)
su - zimbra
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
  • (EVERYBODY) Delete Tomcat cert (as zimbra):
su - zimbra
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
  • If you want the certificate to last longer than 365 days (as zimbra)
vi /opt/zimbra/conf/zmssl.cnf.in
[change value for default_days as appropriate]
  • Now create the CA (as zimbra)
zmcreateca
  • After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so copy them manually (as zimbra):
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
  • Now create the Cert (as zimbra)
zmcreatecert
  • Now install the Cert and Key (as zimbra)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
  • I don't know what the CA cert stored in LDAP is used for, or if it is used at all, but it is *not* updated by the above steps. To update CA cert (as zimbra):
cat /opt/zimbra/ssl/ssl/ca/ca.key
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----
[paste the contents of ca.key from above - I needed to construct this whole command in a text editor then paste into the CLI]
-----END RSA PRIVATE KEY-----"
cat /opt/zimbra/ssl/ssl/ca/ca.pem
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "-----BEGIN TRUSTED CERTIFICATE-----
[paste the contents of ca.pem from above - I needed to construct this whole command in a text editor then paste into the CLI]
-----END TRUSTED CERTIFICATE-----"

  • You can see your updated certs in LDAP now and compare them to contents of /opt/zimbra/ssl/ssl/ca (as zimbra)
zmprov gcf zimbraCertAuthorityKeySelfSigned 
zmprov gcf zimbraCertAuthorityCertSelfSigned 
  • It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
zmcontrol stop
zmcontrol start
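As an added example (not from the wiki page and not one of Zimbra's own tools), the following script does the LDAP update and the "compare them to contents of /opt/zimbra/ssl/ssl/ca" check from the two steps above in one place: it reads ca.key and ca.pem straight from the files instead of pasting them through a text editor, refuses to store a file that is not a complete PEM block, and reads the attributes back to confirm LDAP matches disk. The paths and attribute names are those on the page; the assumption that `zmprov gcf` prints the stored value as `attribute: <PEM text>` is mine, and the sample PEM block at the bottom is constructed for the offline run.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki page: load the self-signed CA key and
# cert into LDAP directly from the files and verify that LDAP then matches disk.
# Assumptions (hypothetical): the paths and zmprov attribute names are those on
# the page, and "zmprov gcf <attr>" prints the stored value as
# "<attr>: <PEM text>" across one or more lines.

SSL_CA_DIR="${SSL_CA_DIR:-/opt/zimbra/ssl/ssl/ca}"

# Print the base64 body of the first PEM block in $1 with the BEGIN/END lines,
# any "attribute: " prefix and all whitespace removed, so a copy on disk and a
# copy printed by zmprov gcf can be compared regardless of line wrapping.
pem_body() {
    printf '%s\n' "$1" | sed -n '/-----BEGIN/,/-----END/p' |
        grep -v -- '-----' | tr -d ' \t\r\n'
}

# Succeed only when both arguments contain a PEM block and the bodies agree.
pem_same() {
    [ -n "$(pem_body "$1")" ] && [ "$(pem_body "$1")" = "$(pem_body "$2")" ]
}

# Succeed when $1 holds a complete PEM block of type $2 (e.g. "RSA PRIVATE KEY"),
# so a truncated or wrong file is rejected before anything is written to LDAP.
check_pem_text() {
    printf '%s\n' "$1" | grep -q "^-----BEGIN $2-----" &&
        printf '%s\n' "$1" | grep -q "^-----END $2-----"
}

# Store ca.key and ca.pem in LDAP and read them back. Command substitution hands
# the file contents to zmprov as a single argument: no text-editor round trip,
# and the shell history records only the literal command, not the key. The value
# is still visible in the process list while zmprov runs, as any argument is.
update_ldap_ca() {
    key=$(cat "$SSL_CA_DIR/ca.key") || return 1
    cert=$(cat "$SSL_CA_DIR/ca.pem") || return 1
    check_pem_text "$key" "RSA PRIVATE KEY" ||
        { echo "ca.key is not a complete PEM RSA key" >&2; return 1; }
    check_pem_text "$cert" "TRUSTED CERTIFICATE" ||
        { echo "ca.pem is not a complete PEM trusted certificate" >&2; return 1; }
    zmprov -l mcf zimbraCertAuthorityKeySelfSigned "$key" || return 1
    zmprov -l mcf zimbraCertAuthorityCertSelfSigned "$cert" || return 1
    pem_same "$key" "$(zmprov gcf zimbraCertAuthorityKeySelfSigned)" ||
        { echo "LDAP copy of the CA key differs from $SSL_CA_DIR/ca.key" >&2; return 1; }
    pem_same "$cert" "$(zmprov gcf zimbraCertAuthorityCertSelfSigned)" ||
        { echo "LDAP copy of the CA cert differs from $SSL_CA_DIR/ca.pem" >&2; return 1; }
    echo "LDAP CA key and cert match $SSL_CA_DIR"
}

# Constructed sample (not a real certificate): a PEM block as it would sit in
# ca.pem, and the same block as zmprov gcf would print it, prefixed by the
# attribute name. Used only by the offline demonstration below.
SAMPLE_DISK='-----BEGIN TRUSTED CERTIFICATE-----
MIIBsample0000
MIIBsample1111
-----END TRUSTED CERTIFICATE-----'
SAMPLE_LDAP="zimbraCertAuthorityCertSelfSigned: $SAMPLE_DISK"

# Run with --apply on a Zimbra host (as zimbra) to update LDAP; without it, only
# the comparison logic is exercised on the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    update_ldap_ca
elif pem_same "$SAMPLE_DISK" "$SAMPLE_LDAP"; then
    echo "sample: LDAP copy matches disk copy"
fi
```

Run it as zimbra with `--apply` to update LDAP; without the flag it only checks the comparison logic against the constructed sample. Command substitution keeps the key out of the shell history and out of editor swap files, but the page's `mcf` form passes the value as a command-line argument and this script does the same, so the key is readable in the process list for the moment zmprov runs.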

Note about 'unable to write random state'

This is a "harmless" warning that openssl has no random number seed file. The full story is available from openssl.org.
