Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0: Difference between revisions
Revision as of 10:03, 29 May 2007
Self Signed Certificate Instructions
If you're working with a commercial certificate, do *NOT* use this page - go here instead
- To clean up the SSL certificates and create a fresh self-signed certificate, follow the steps below.
Why recreate my certificates
If you're seeing an error like this when you run zmprov:
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006 ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)
your certificates have expired and need to be recreated.
Back up existing certificates
- This backs up the default certificates created by zmcreateca and zmcreatecert:
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
- This backs up the server's working certificate files:
cd /opt/zimbra/
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts
Delete and re-create SSL Directory (as root)
su -
rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl
Give the zimbra user write access to the cacerts keystore
- On linux the java cacerts file is a part of the ZCS installation.
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
- On Mac OS X the java cacerts file is a part of the system's java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
Remove the self-signed root certificate from the cacerts keystore (as zimbra)
- Mac OS X
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
- Linux
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
Delete the server cert from the tomcat keystore (as zimbra)
su - zimbra
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
Perform optional configuration
- If you want to change the validity period of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in
Workaround: the default_days setting in zmssl.cnf.in is currently ignored, so for now you need to edit zmcreateca and zmcreatecert directly. The bug is tracked at http://bugzilla.zimbra.com/show_bug.cgi?id=12228
- If you want the common name in the CA to be your hostname rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers. Please note: I probably have unnecessary steps in this section, but this is what I did to get it working for me.
vi /opt/zimbra/conf/zmssl.cnf.in
[change the section to appear as below]
0.organizationName = Zimbra
0.organizationName_default = Zimbra
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Zimbra
organizationalUnitName_default = Zimbra
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
commonName_max = 64
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
Create the CA certificate (as zimbra)
zmcreateca
- (OPTIONAL) If you did the optional step to make the CN the hostname for the CA, the output should look like the following:
...
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname>
Getting Private key
unable to write 'random state'
Install server ca files
- After creating the CA, it appears that zmcreateca does not copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
Create the server certificate (as zimbra)
zmcreatecert
If you want several names on the certificate, supply them as arguments:
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com
Install the server certificate files (as zimbra)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
- I don't know what the CA cert stored in LDAP is used for, or whether it is used at all, but it is *not* updated by the above steps. To update the CA cert (as zimbra):
cat /opt/zimbra/ssl/ssl/ca/ca.key
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----
[paste the contents of ca.key from above - I needed to construct this whole command in a text editor then paste into the CLI]
-----END RSA PRIVATE KEY-----"
or, equivalently, without pasting:
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"
cat /opt/zimbra/ssl/ssl/ca/ca.pem
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "-----BEGIN TRUSTED CERTIFICATE-----
[paste the contents of ca.pem from above - I needed to construct this whole command in a text editor then paste into the CLI]
-----END TRUSTED CERTIFICATE-----"
or, equivalently:
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"
Note that either way the CA private key is passed on the zmprov command line, so it ends up in the zimbra user's shell history and is visible in the process list while the command runs; run the key command from a shell with history disabled, or clear the history afterwards.
- You can see your updated certs in LDAP now and compare them to contents of /opt/zimbra/ssl/ssl/ca (as zimbra)
zmprov -l gcf zimbraCertAuthorityKeySelfSigned
zmprov -l gcf zimbraCertAuthorityCertSelfSigned
Restart zimbra services
- It may be necessary to restart the Zimbra services for the changes to take effect (as zimbra):
zmcontrol stop
zmcontrol start
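After the rebuild it is worth confirming that the pieces the procedure above touches actually agree with each other before trusting the restart: the new server certificate must verify against the new CA, neither may already be close to expiry (the original symptom), the CA must be back in the Java cacerts under the alias that was deleted, the tomcat keystore must hold the server entry, and the copy pushed into LDAP with zmprov must be byte-for-byte the same certificate as the file (pasting into the CLI is where line endings and blank lines get mangled). The script below is an added example, not code from the Zimbra wiki page or from ZCS; it uses the paths, aliases (my_ca, tomcat) and store passwords (changeit, zimbra) quoted on this page, assumes openssl and keytool are on PATH, and assumes that "zmprov -l gcf ATTR" prints the value prefixed with "ATTR: " on its first line.

```shell
#!/bin/sh
# Post-rebuild checks for a recreated Zimbra self-signed CA and server certificate.
# Added example: this is not code from the Zimbra wiki page or from ZCS itself.
# Paths, keystore aliases (my_ca, tomcat) and store passwords (changeit, zimbra)
# are the defaults quoted on the page; override ZIMBRA_HOME / CACERTS as needed
# (on Mac OS X, CACERTS is the system Java cacerts file).
set -eu

ZIMBRA_HOME=${ZIMBRA_HOME:-/opt/zimbra}
CACERTS=${CACERTS:-$ZIMBRA_HOME/java/jre/lib/security/cacerts}
CA_PEM=$ZIMBRA_HOME/ssl/ssl/ca/ca.pem
CA_KEY=$ZIMBRA_HOME/ssl/ssl/ca/ca.key
SERVER_CRT=$ZIMBRA_HOME/ssl/ssl/server/server.crt
TOMCAT_KEYSTORE=$ZIMBRA_HOME/tomcat/conf/keystore

# pem_body FILE: print only the base64 body of the first PEM block in FILE, so two
# copies can be compared regardless of header wording ("CERTIFICATE" vs "TRUSTED
# CERTIFICATE"), CR/LF differences or blank lines picked up while pasting.
pem_body() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1" | grep -v '^-----' | tr -d ' \r\t' | grep -v '^$'
}

# strip_attr_prefix ATTR: read "zmprov -l gcf ATTR" output on stdin and drop the
# "ATTR: " prefix. Assumption: zmprov prints that prefix on the first line of the
# value only; sed removes it from any line that carries it, so either layout works.
strip_attr_prefix() {
    sed "s/^$1: //"
}

# ldap_matches_file ATTR FILE: compare the value zmprov printed (read from stdin)
# with the PEM file it was loaded from. Returns 0 on match, 1 on mismatch.
ldap_matches_file() {
    stored=$(mktemp)
    strip_attr_prefix "$1" >"$stored"
    if [ "$(pem_body "$stored")" = "$(pem_body "$2")" ]; then
        rm -f "$stored"
        return 0
    fi
    rm -f "$stored"
    return 1
}

# key_is_private FILE: true when FILE has no group or world permission bits
# (columns 5-10 of "ls -l" output), i.e. only the owner can read the CA key.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# check_chain: the server certificate must verify against the new CA, and neither
# certificate may expire within 30 days (the page's symptom is a
# CertificateExpiredException from zmprov).
check_chain() {
    openssl verify -CAfile "$CA_PEM" "$SERVER_CRT"
    openssl x509 -noout -in "$CA_PEM" -checkend $((30 * 86400))
    openssl x509 -noout -in "$SERVER_CRT" -checkend $((30 * 86400))
    openssl x509 -noout -in "$SERVER_CRT" -subject -dates
}

# check_keystores: the CA must be in the Java cacerts under the alias the page
# deleted (my_ca) and the server key under 'tomcat' in the tomcat keystore;
# keytool exits non-zero when an alias does not exist.
check_keystores() {
    keytool -list -keystore "$CACERTS" -storepass changeit -alias my_ca >/dev/null
    keytool -list -keystore "$TOMCAT_KEYSTORE" -storepass zimbra -alias tomcat >/dev/null
}

# Usage (as zimbra, after zmcertinstall and the zmprov step):  sh zmcert-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_chain
    check_keystores
    key_is_private "$CA_KEY" || { echo "$CA_KEY is group/world readable" >&2; exit 1; }
    zmprov -l gcf zimbraCertAuthorityCertSelfSigned \
        | ldap_matches_file zimbraCertAuthorityCertSelfSigned "$CA_PEM" \
        || { echo "LDAP copy of the CA cert differs from $CA_PEM" >&2; exit 1; }
    echo "all certificate checks passed"
fi
```

Run it as the zimbra user with "--check" once zmcertinstall and the zmprov update have been done; a non-zero exit from any step names the piece that is still stale. The comparison deliberately ignores the PEM header text because ca.pem is written in the "TRUSTED CERTIFICATE" form while other tools emit plain "CERTIFICATE" headers for the same DER bytes.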
Other Possible Issues
Note about 'unable to write random state':
This is a harmless warning that OpenSSL has no random-number seed file to update; the full story is available from openssl.org.
Permission denied (publickey,gssapi-with-mic)
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html