Difference between revisions of "Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0"
(maybe bug in zmcreateca? doesn't copy ca.pem, ca.key to /opt/zimbra/conf/ca) |
(added steps to update CA key and cert certificates stored in LDAP and cleaned up format) |
||
Line 1: | Line 1: | ||
== Self Signed Certificate Instructions == | == Self Signed Certificate Instructions == | ||
− | ''If you're working with a commercial certificate, | + | ''If you're working with a commercial certificate, do *NOT* use this page - go [[Commercial Certificates|here]] instead'' |
− | To clean up SSL certificates and recreate a new self-signed cert try this. | + | * To clean up SSL certificates and recreate a new self-signed cert try this. |
− | it won't hurt to back up what you already have: | + | * First though, it won't hurt to back up what you already have: |
− | + | tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/ | |
− | |||
− | |||
− | as root: | + | * (EVERYBODY) Delete and re-create SSL Directory (as root): |
− | + | su - | |
− | + | rm -rf /opt/zimbra/ssl | |
− | + | mkdir /opt/zimbra/ssl | |
− | + | chown zimbra:zimbra /opt/zimbra/ssl | |
− | |||
− | |||
− | |||
− | |||
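Review bot: the "Delete and re-create SSL Directory" step runs `rm -rf /opt/zimbra/ssl` without first checking that the backup from the previous step actually exists, and `tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/` run as root with a default umask leaves a world-readable archive in /tmp that contains the CA and server private keys. Suggest inserting `tar -tf /tmp/zimbra-ssl-bak.tar | grep ca.key` and `chmod 600 /tmp/zimbra-ssl-bak.tar` before the `rm -rf`, and telling the reader to delete the archive once the new certificates are confirmed working.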
− | + | * (LINUX ONLY) Additional Steps: | |
+ | chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts | ||
+ | chmod 644 /opt/zimbra/java/jre/lib/security/cacerts | ||
− | ( | + | * (EVERYBODY) Delete CA |
− | + | (Mac OS X ONLY) The file is owned by root so you'll get "permission denied" if you don't import as root: | |
+ | keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br> | ||
+ | (LINUX ONLY) | ||
+ | su - zimbra | ||
+ | keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit | ||
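Review bot: the Mac OS X sentence says "if you don't import as root" but the command that follows is `keytool -delete`; it should read "delete as root". Also worth a line for both platforms: `keytool -delete` exits with "Alias <my_ca> does not exist" on a system where the CA was never imported, which is harmless here, so readers should continue rather than stop; `keytool -list -alias my_ca -keystore <cacerts> -storepass changeit` shows beforehand whether the alias is present.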
− | ( | + | * (EVERYBODY) Delete Tomcat cert (as zimbra): |
− | + | su - zimbra | |
− | + | keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra | |
+ | * If you want the certificate to last longer than 365 days (as zimbra) | ||
+ | vi /opt/zimbra/conf/zmssl.cnf.in | ||
+ | [change value for default_days as appropriate] | ||
− | ( | + | * Now create the CA (as zimbra) |
+ | zmcreateca | ||
− | + | * After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra): | |
− | + | cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key | |
+ | cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem | ||
− | ( | + | * Now create the Cert (as zimbra) |
+ | zmcreatecert | ||
− | + | * Now install the Cert and Key (as zimbra) | |
+ | zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt | ||
+ | zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key | ||
− | + | * I don't know what the CA cert stored in LDAP is used for, or if it is used at all, but it is *not* updated by the above steps. To update CA cert (as zimbra): | |
− | + | cat /opt/zimbra/ssl/ssl/ca/ca.key | |
− | + | zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY----- | |
+ | [paste the contents of ca.key from above - I needed to construct this whole command in a text editor then paste into the CLI] | ||
+ | -----END RSA PRIVATE KEY-----" | ||
− | + | cat /opt/zimbra/ssl/ssl/ca/ca.pem | |
− | + | zmprov -l mcf zimbraCertAuthorityCertSelfSigned "-----BEGIN TRUSTED CERTIFICATE----- | |
− | + | [paste the contents of ca.pem from above - I needed to construct this whole command in a text editor then paste into the CLI] | |
− | + | -----END TRUSTED CERTIFICATE-----" | |
+ | |||
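Review bot: the new LDAP update step has the reader paste the CA private key from `cat ca.key` into a `zmprov -l mcf zimbraCertAuthorityKeySelfSigned "..."` command line, which puts the key into the zimbra user's shell history and into the process argument list visible to every local user while zmprov runs, and invites copy/paste truncation of the PEM block. Suggest at least replacing the manual paste with command substitution, e.g. `zmprov -l mcf zimbraCertAuthorityKeySelfSigned "$(cat /opt/zimbra/ssl/ssl/ca/ca.key)"`, and noting that history should be disabled or cleared afterwards. The same applies to the `zmprov gcf zimbraCertAuthorityKeySelfSigned` check added below, which prints the private key to the terminal.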
+ | * You can see your updated certs in LDAP now and compare them to contents of /opt/zimbra/ssl/ssl/ca (as zimbra) | ||
+ | zmprov gcf zimbraCertAuthorityKeySelfSigned | ||
+ | zmprov gcf zimbraCertAuthorityCertSelfSigned | ||
− | It may be necessary to restart the Zimbra servers for the changes to take effect. | + | * It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra). |
− | + | zmcontrol stop | |
− | + | zmcontrol start | |
− | |||
− | |||
− | |||
− | ==unable to write random state== | + | ==Note about 'unable to write random state'== |
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org. | This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org. |
Revision as of 03:30, 16 November 2006
Self Signed Certificate Instructions
If you're working with a commercial certificate, do *NOT* use this page - go here instead
- To clean up SSL certificates and recreate a new self-signed cert try this.
- First though, it won't hurt to back up what you already have:
tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
- (EVERYBODY) Delete and re-create SSL Directory (as root):
  su -
  rm -rf /opt/zimbra/ssl
  mkdir /opt/zimbra/ssl
  chown zimbra:zimbra /opt/zimbra/ssl
- (LINUX ONLY) Additional Steps:
  chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
  chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
- (EVERYBODY) Delete CA
  (Mac OS X ONLY) The file is owned by root, so you'll get "permission denied" if you don't run the delete as root:
  keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
  (LINUX ONLY)
  su - zimbra
  keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
- (EVERYBODY) Delete Tomcat cert (as zimbra):
  su - zimbra
  keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
- If you want the certificate to last longer than 365 days (as zimbra)
  vi /opt/zimbra/conf/zmssl.cnf.in
  [change value for default_days as appropriate]
- Now create the CA (as zimbra)
  zmcreateca
- After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):
  cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
  cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
- Now create the Cert (as zimbra)
  zmcreatecert
- Now install the Cert and Key (as zimbra)
  zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
  zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
- I don't know what the CA cert stored in LDAP is used for, or if it is used at all, but it is *not* updated by the above steps. To update the CA cert (as zimbra):
  cat /opt/zimbra/ssl/ssl/ca/ca.key
  zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----
  [paste the contents of ca.key from above - I needed to construct this whole command in a text editor then paste into the CLI]
  -----END RSA PRIVATE KEY-----"
  cat /opt/zimbra/ssl/ssl/ca/ca.pem
  zmprov -l mcf zimbraCertAuthorityCertSelfSigned "-----BEGIN TRUSTED CERTIFICATE-----
  [paste the contents of ca.pem from above - I needed to construct this whole command in a text editor then paste into the CLI]
  -----END TRUSTED CERTIFICATE-----"
- You can see your updated certs in LDAP now and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra)
  zmprov gcf zimbraCertAuthorityKeySelfSigned
  zmprov gcf zimbraCertAuthorityCertSelfSigned
- It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
  zmcontrol stop
  zmcontrol start
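The steps above are typed by hand, and two of them deserve a check before they are run: the `rm -rf /opt/zimbra/ssl` step should only happen once the backup tarball really holds the CA key and is not world-readable, and the LDAP update should be built from ca.key and ca.pem rather than pasted. The helpers below are an added example written for this page; they are not part of the Zimbra wiki or the Zimbra tools. The paths and the zimbraCertAuthority* attribute names are the ones the page uses; SSL_CA_DIR, BACKUP_TAR and ZMPROV are assumed knobs so the functions can be tried against constructed files before being pointed at a real server.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki page or the Zimbra project).
# Wraps the manual steps with the checks a careful admin would want:
#   - the backup tarball must contain ca.key/ca.pem and must not be readable
#     by other users before /opt/zimbra/ssl is removed;
#   - ca.key and ca.pem must each be one well-formed PEM block of the
#     expected type before they are written into LDAP;
#   - the zmprov commands are built from the files, not hand-pasted.
# SSL_CA_DIR, BACKUP_TAR and ZMPROV are assumed knobs; the defaults are the
# page's own paths and command.

SSL_CA_DIR="${SSL_CA_DIR:-/opt/zimbra/ssl/ssl/ca}"
BACKUP_TAR="${BACKUP_TAR:-/tmp/zimbra-ssl-bak.tar}"
ZMPROV="${ZMPROV:-zmprov}"      # set ZMPROV=echo for a dry run

# check_pem FILE LABEL: succeed only if FILE is a single PEM block whose
# BEGIN and END lines both carry LABEL, e.g. "RSA PRIVATE KEY" for ca.key
# or "TRUSTED CERTIFICATE" for ca.pem. Catches truncated or doubled pastes.
check_pem() {
    pem=$1; label=$2
    [ -r "$pem" ] || return 1
    [ "$(head -n 1 "$pem")" = "-----BEGIN ${label}-----" ] || return 1
    [ "$(tail -n 1 "$pem")" = "-----END ${label}-----" ] || return 1
    [ "$(grep -c -- '^-----BEGIN ' "$pem")" -eq 1 ] || return 1
    [ "$(grep -c -- '^-----END ' "$pem")" -eq 1 ] || return 1
}

# verify_backup TAR: the tarball must exist, list the CA key and cert, and
# must not be readable by "other" (it contains private keys).
verify_backup() {
    tarball=$1
    [ -f "$tarball" ] || return 1
    tar -tf "$tarball" | grep -q 'ssl/ca/ca\.key$' || return 1
    tar -tf "$tarball" | grep -q 'ssl/ca/ca\.pem$' || return 1
    # column 8 of "ls -l" output is the "other: read" bit
    [ "$(ls -ld "$tarball" | cut -c8)" = "-" ] || return 1
}

# make_backup [SRC]: the page's tar command, but created with a private
# umask (0600) and verified; returns non-zero if the backup is unusable,
# so it can guard the rm -rf step with "make_backup && rm -rf ...".
make_backup() {
    src=${1:-/opt/zimbra/ssl/}
    (umask 077 && tar -cf "$BACKUP_TAR" "$src") || return 1
    verify_backup "$BACKUP_TAR"
}

# push_ca_to_ldap: the two zmprov calls from the page, with the PEM bodies
# read from the files after validation. The value still travels through
# argv exactly as in the page's own command, so run this from a shell with
# history disabled rather than pasting the key interactively.
push_ca_to_ldap() {
    check_pem "$SSL_CA_DIR/ca.key" "RSA PRIVATE KEY" \
        || { echo "ca.key is not a single RSA PRIVATE KEY block" >&2; return 1; }
    check_pem "$SSL_CA_DIR/ca.pem" "TRUSTED CERTIFICATE" \
        || { echo "ca.pem is not a single TRUSTED CERTIFICATE block" >&2; return 1; }
    "$ZMPROV" -l mcf zimbraCertAuthorityKeySelfSigned "$(cat "$SSL_CA_DIR/ca.key")" || return 1
    "$ZMPROV" -l mcf zimbraCertAuthorityCertSelfSigned "$(cat "$SSL_CA_DIR/ca.pem")" || return 1
}
```

Typical use on a server follows the page's order: as root, `make_backup && rm -rf /opt/zimbra/ssl` instead of a bare `rm -rf`; then, after zmcreateca and zmcreatecert, `ZMPROV=echo push_ca_to_ldap` as zimbra to see what would be sent, and `push_ca_to_ldap` without the override to perform the update. `zmprov gcf` afterwards compares LDAP with the files, as the page describes.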
Note about 'unable to write random state'
This is a "harmless" warning that openssl has no random number seed file. The full story is available from openssl.org.