Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0: Difference between revisions

No edit summary
(46 intermediate revisions by 15 users not shown)
Line 1: Line 1:
== Self Signed Certificate Instructions ==
{{BC|Community Sandbox}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=Recreating a Self Signed SSL Certificate in ZCS 4.5 & 5.0=
{{KB|{{Unsupported}}|{{ZCS 5.0}}||}}
{{Archive}}{{WIP}}
This article contains information on recreating a self-signed SSL certificate. 


''If you're working with a commercial certificate, do *NOT* use this page - go [[Commercial Certificates|here]] instead''
'''''Important:''' If you are using ZCS 5.0 or later, see [[Administration Console and CLI Certificate Tools]]


* To clean up SSL certificates and recreate a new self-signed cert try this.
'''''Important:''' If you are working with a commercial certificate, do not use this page.''


=== Why recreate my certificates ===
=ZCS Version=
'''If you are using ZCS 5.0.x, this article is not recommended.  See [[Administration Console and CLI Certificate Tools]] instead.'''


If you're seeing an error like this when you run zmprov:
This article contains information for recreating a certificate using the command line interface in both ZCS 4.5.x and 5.0.x.  In deployments of 5.0.x and later, this process does not need to be done via the CLI.  Using the Administration Console Certificates Tools will simplify this process, and generally eliminates any issues or errors encountered by using the CLI. If you choose to recreate your SSL certificate manually instead of using the Administration Console Certificate Tools, please read all instructions with particular attention to version specific sections and notes before attempting to recreate a self-signed SSL certificate.
 
=Why Recreate My Certificates?=
 
Your certificates are expired and need to be recreated if you see an error like this when you run zmprov.


  [] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006
  [] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006
Line 13: Line 24:
  (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)
  (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)


your certs are expired, and need to be recreated
=Instructions for Recreating a Self-Signed SSL Certificate=


===Back up existing certificates===
==Back up existing certificates==


* This backs up the default certificates created by zmcreateca and zmcreatecert:
* This backs up the default certificates created by zmcreateca and zmcreatecert:
Line 21: Line 32:


* This backs up the server's working certificate files:
* This backs up the server's working certificate files:
cd /opt/zimbra/
  tar cf /tmp/zimbra-certs.tar /opt/zimbra/conf/ca/ \
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts
    /opt/zimbra/conf/*.crt \
    /opt/zimbra/conf/*.key \
    /opt/zimbra/conf/*.pem \
    /opt/zimbra/tomcat/conf/keystore \
    /opt/zimbra/java/jre/lib/security/cacerts
 
''Error in instructions: Tar for 5.0 doesnt capture the keys in jetty for 5.0+''


===Delete and re-create SSL Directory (as root)===
==Delete and re-create SSL Directory (as root)==
  su -
  su -
  rm -rf /opt/zimbra/ssl
  rm -rf /opt/zimbra/ssl
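Review bot: The rewritten backup command still lists only /opt/zimbra/tomcat/conf/keystore, so on 5.0 the keystore at /opt/zimbra/mailboxd/etc/keystore (the path the later keytool step deletes from) is not archived, which the "Error in instructions" line added under the command admits. Add that path to the tar list instead of recording the gap as a note. The archive is also written to /tmp and contains conf/*.key and conf/ca/, so the step should tell the reader to restrict its permissions.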
Line 30: Line 47:
  chown zimbra:zimbra /opt/zimbra/ssl
  chown zimbra:zimbra /opt/zimbra/ssl


===Give the zimbra user write access to the cacerts keystore===
==Give the zimbra user write access to the cacerts keystore (4.5 only)==
If you are running ZCS 4.5, give the zimbra user write access to the cacerts keystore.  If you are running ZCS 5.0.x, skip this step.
 
* On linux the java cacerts file is a part of the ZCS installation.
* On linux the java cacerts file is a part of the ZCS installation.
  chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
  chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
Line 38: Line 57:
  chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
  chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts


===Remove the self-signed root certificate from the cacerts keystore (as zimbra)===
==Remove the self-signed root certificate from the cacerts keystore (as zimbra)==
* Mac OS X
* Mac OS X
  keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br>
  keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br>
Line 44: Line 63:
  keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
  keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit


===Delete the server cert from the mailboxd keystore (as zimbra)===
==Delete the server cert from the mailboxd keystore (as zimbra)==


For Tomcat
* For ZCS upto 4.5.x (tomcat)
  su - zimbra
  su - zimbra
  keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
  keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra


For Jetty
* For ZCS 5.0+ (mailboxd/jetty)
  su - zimbra
  su - zimbra
  keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra
  keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra


===Perform optional configuration===
* Storepass is normally stored in localconfig
su - zimbra
zmlocalconfig -s -m nokey tomcat_keystore_password
 
or for 5.0 (jetty)
su - zimbra
zmlocalconfig -s -m nokey mailboxd_keystore_password
 
==Perform optional configuration==
* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in
* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in
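Review bot: The keytool commands in this section keep the literal "-storepass zimbra" while the bullet added after them says the storepass is normally stored in localconfig. Put the zmlocalconfig lookup (tomcat_keystore_password or mailboxd_keystore_password) before the keytool step and tell the reader to use the value it returns, so the delete does not fail on a server where the password is not the default.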


Line 73: Line 100:
  commonName_default              = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
  commonName_default              = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>


===Create the CA certificate (as zimbra)===
==Create the CA certificate (as zimbra)==
* for 4.*
  zmcreateca
  zmcreateca
* for 5.* (as root)
/opt/zimbra/bin/zmcertmgr createca -new


* (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:
* (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:
Line 83: Line 114:
  unable to write 'random state'
  unable to write 'random state'


===Install server ca files===
==Install server ca files==
* After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):
* After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra, 4.*):
  cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
  cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
  cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
  cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem


===Create the server certificate (as zimbra)===
* 5.* (as root)
/opt/zimbra/bin/zmcertmgr deployca -localonly
 
==Create the server certificate (as zimbra)==
* 4.*
  zmcreatecert
  zmcreatecert
* 5.* (as root)
/opt/zimbra/bin/zmcertmgr createcrt self -new
# Optional
/opt/zimbra/bin/zmcertmgr verifycrt self
  ''Error in instructions: There IS NO '''createcrt''' in zmcertmgr in 5.0.1_GA_1902:
  Usage:
  bin/zmcertmgr -help
  bin/zmcertmgr createca [-new]
  bin/zmcertmgr deployca
  bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
  bin/zmcertmgr deploycrt <self> [-new] [validation_days]
  bin/zmcertmgr deploycrt <comm> [certfile] [ca_chain_file]
  bin/zmcertmgr viewcsr <self|comm> [csr_file]
  bin/zmcertmgr viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
  bin/zmcertmgr viewstagedcrt <self|comm> [certfile]
  bin/zmcertmgr verifycrt <self|comm> [priv_key] [certfile]
  bin/zmcertmgr verifycrtchain <ca_file> <certfile>
  bin/zmcertmgr migrate
  ''Confirmed, version 5.0.2_GA_1975 doesnt have it either. Can do it by hand instead with openssl, but you'll have to manually enter your cert sign request info,
  and get the COMMON NAME (CN) correct or you'll have problems (createcrt outputs in its usage what your CN is, or you can check /opt/zimbra/conf/zmssl.cnf.in):
  #
  # as root manually generate new keys '''DO NOT PASTE ALL 3 LINES AT A TIME INTO CLI, DO ONE BY ONE''' input in 2nd step required from console
  cd /opt/zimbra/ssl/zimbra/server
  #
  openssl genrsa -out server.key 2048
  openssl req -new -key server.key -out server.csr
  openssl x509 -req -days 365 -in server.csr -CA ../ca/ca.pem -CAkey ../ca/ca.key -CAcreateserial -out server.crt
  #
  openssl genrsa -out mailboxd.key 2048
  openssl req -new -key mailboxd.key -out mailboxd.csr
  openssl x509 -req -days 365 -in mailboxd.csr -CA ../ca/ca.pem -CAkey ../ca/ca.key -CAcreateserial -out mailboxd.crt
  #
  # some options in x509 certs mentioned in zmssl.cnf but not included here yet... seems to WFM... -mathx
''


If you wish to have several names on the certificate, supply them as arguments
If you wish to have several names on the certificate, supply them as arguments
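Review bot: The added 5.* step "zmcertmgr createcrt self -new" contradicts the usage output pasted directly under it, which lists createcsr and deploycrt but no createcrt for 5.0.1_GA_1902, and the follow-up line confirms the same for 5.0.2_GA_1975. Replace the step with subcommands that appear in that usage rather than keeping a failing command followed by an inline correction, and move the openssl workaround into its own labelled subsection. The workaround should also say where ca.pem and ca.key are expected, since it relies on ../ca/ relative to /opt/zimbra/ssl/zimbra/server.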
Line 95: Line 167:
  zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com
  zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com


===Install the server certificate files (as zimbra)===
==Install the server certificate files (as zimbra)==
* For Tomcat (ZCS upto 4.5.x)
* For Tomcat (ZCS upto 4.5.x)
  zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
  zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
  zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
  zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key


* For Mailboxd (ZCS 5.0+)
* For Mailboxd (ZCS < 5.0.3)
  zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/mailboxd.crt
  zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/mailboxd.crt
  zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
  zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key


* To update CA cert stored in LDAP (as zimbra):
  ''(Error: is no zmcertinstall in ZCS 5.0.2_GA_1975, just skip to deploycrt below)''
 
* To update CA cert stored in LDAP (as zimbra, 4.x):
  ''zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"''
  ''zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"''
  ''zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"''
  ''zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"''
* 5.x (as root)
/opt/zimbra/bin/zmcertmgr deploycrt self
    
    
* You can see your updated certs in LDAP now and compare them to contents of /opt/zimbra/ssl/ssl/ca (as zimbra)
* You can see your updated certs in LDAP now and compare them to contents of /opt/zimbra/ssl/ssl/ca (as zimbra)
Line 112: Line 189:
  zmprov -l gcf zimbraCertAuthorityCertSelfSigned
  zmprov -l gcf zimbraCertAuthorityCertSelfSigned


===Restart zimbra services===
==Restart zimbra services==
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
  zmcontrol stop
  zmcontrol stop
  zmcontrol start
  zmcontrol start


==Other Possible Issues==
=Troubleshooting=


'''Note about 'unable to write random state':'''
'''Note about 'unable to write random state':'''
Line 126: Line 203:


http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html
{{Article Footer|ZCS 4.5.x & 5.0.x|2/23/2006}}


[[Category:SSL/TLS]]
[[Category:SSL/TLS]]
[[Category:Troubleshooting]]
[[Category:Troubleshooting Certificates]]
[[Category:Certificates]]
[[Category:ZCS 4.5]]
[[Category:ZCS 5.0]]
[http://www.ssmatrix.com Cheap SSL Certificates]

Revision as of 20:40, 12 July 2015

Recreating a Self Signed SSL Certificate in ZCS 4.5 & 5.0

   KB 1299        Last updated on 2015-07-12  





This article contains information on recreating a self-signed SSL certificate.

Important: If you are using ZCS 5.0 or later, see Administration Console and CLI Certificate Tools.

Important: If you are working with a commercial certificate, do not use this page.

ZCS Version

If you are using ZCS 5.0.x, this article is not recommended. See Administration Console and CLI Certificate Tools instead.

This article contains information for recreating a certificate using the command line interface in both ZCS 4.5.x and 5.0.x. In deployments of 5.0.x and later, this process does not need to be done via the CLI. Using the Administration Console Certificates Tools will simplify this process, and generally eliminates any issues or errors encountered by using the CLI. If you choose to recreate your SSL certificate manually instead of using the Administration Console Certificate Tools, please read all instructions with particular attention to version specific sections and notes before attempting to recreate a self-signed SSL certificate.

Why Recreate My Certificates?

Your certificates are expired and need to be recreated if you see an error like this when you run zmprov.

[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost)    
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)

Instructions for Recreating a Self-Signed SSL Certificate

Back up existing certificates

  • This backs up the default certificates created by zmcreateca and zmcreatecert:
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
  • This backs up the server's working certificate files:
 tar cf /tmp/zimbra-certs.tar /opt/zimbra/conf/ca/ \
   /opt/zimbra/conf/*.crt \
   /opt/zimbra/conf/*.key \
   /opt/zimbra/conf/*.pem \
   /opt/zimbra/tomcat/conf/keystore \
   /opt/zimbra/java/jre/lib/security/cacerts

Error in instructions: Tar for 5.0 doesn't capture the keys in jetty for 5.0+

Delete and re-create SSL Directory (as root)

su -
rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl

Give the zimbra user write access to the cacerts keystore (4.5 only)

If you are running ZCS 4.5, give the zimbra user write access to the cacerts keystore. If you are running ZCS 5.0.x, skip this step.

  • On Linux the Java cacerts file is part of the ZCS installation.
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
  • On Mac OS X the java cacerts file is a part of the system's java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts

Remove the self-signed root certificate from the cacerts keystore (as zimbra)

  • Mac OS X
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
  • Linux
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

Delete the server cert from the mailboxd keystore (as zimbra)

  • For ZCS up to 4.5.x (tomcat)
su - zimbra
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
  • For ZCS 5.0+ (mailboxd/jetty)
su - zimbra
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra
  • Storepass is normally stored in localconfig
su - zimbra
zmlocalconfig -s -m nokey tomcat_keystore_password

or for 5.0 (jetty)

su - zimbra
zmlocalconfig -s -m nokey mailboxd_keystore_password

Perform optional configuration

  • If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in

Workaround: zmssl.cnf.in default_days is ignored. Currently you will need to edit zmcreateca and zmcreatecert. The bug is http://bugzilla.zimbra.com/show_bug.cgi?id=12228

  • If you want the common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers: Please note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.
vi /opt/zimbra/conf/zmssl.cnf.in
[change section to appear as below]
0.organizationName              = Zimbra
0.organizationName_default      = Zimbra
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName          = Zimbra
organizationalUnitName_default  = Zimbra
commonName                      = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
commonName_max                  = 64
commonName_default              = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>

Create the CA certificate (as zimbra)

  • for 4.*
zmcreateca
  • for 5.* (as root)
/opt/zimbra/bin/zmcertmgr createca -new
  • (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:
...
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname>
Getting Private key
unable to write 'random state'

Install server ca files

  • After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra, 4.*):
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
  • 5.* (as root)
/opt/zimbra/bin/zmcertmgr deployca -localonly

Create the server certificate (as zimbra)

  • 4.*
zmcreatecert
  • 5.* (as root)
/opt/zimbra/bin/zmcertmgr createcrt self -new
# Optional
/opt/zimbra/bin/zmcertmgr verifycrt self
 Error in instructions: There IS NO createcrt in zmcertmgr in 5.0.1_GA_1902:
 Usage: 
 bin/zmcertmgr -help
 bin/zmcertmgr createca [-new]
 bin/zmcertmgr deployca
 bin/zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
 bin/zmcertmgr deploycrt <self> [-new] [validation_days]
 bin/zmcertmgr deploycrt <comm> [certfile] [ca_chain_file]
 bin/zmcertmgr viewcsr <self|comm> [csr_file]
 bin/zmcertmgr viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
 bin/zmcertmgr viewstagedcrt <self|comm> [certfile]
 bin/zmcertmgr verifycrt <self|comm> [priv_key] [certfile]
 bin/zmcertmgr verifycrtchain <ca_file> <certfile>
 bin/zmcertmgr migrate
 Confirmed, version 5.0.2_GA_1975 doesn't have it either. Can do it by hand instead with openssl, but you'll have to manually enter your cert sign request info,
 and get the COMMON NAME (CN) correct or you'll have problems (createcrt outputs in its usage what your CN is, or you can check /opt/zimbra/conf/zmssl.cnf.in):
 #
 # as root manually generate new keys DO NOT PASTE ALL 3 LINES AT A TIME INTO CLI, DO ONE BY ONE input in 2nd step required from console
 cd /opt/zimbra/ssl/zimbra/server
 #
 openssl genrsa -out server.key 2048
 openssl req -new -key server.key -out server.csr
 openssl x509 -req -days 365 -in server.csr -CA ../ca/ca.pem -CAkey ../ca/ca.key -CAcreateserial -out server.crt
 #
 openssl genrsa -out mailboxd.key 2048
 openssl req -new -key mailboxd.key -out mailboxd.csr
 openssl x509 -req -days 365 -in mailboxd.csr -CA ../ca/ca.pem -CAkey ../ca/ca.key -CAcreateserial -out mailboxd.crt
 #
 # some options in x509 certs mentioned in zmssl.cnf but not included here yet... seems to WFM... -mathx
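
A check worth running on the hand-signed files before installing them, as an added example that is not part of the original wiki page or of Zimbra's tooling: it confirms that the key matches the certificate, that the certificate verifies against ca.pem, that the CN is the expected hostname and that the certificate is not about to expire. The function names and the sample hostname are assumptions; make_sample builds a constructed throwaway CA with the same three openssl commands, plus -subj so nothing is prompted for.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki or Zimbra's tooling.
# Function names are hypothetical; only stock openssl subcommands are used.

# 0 when the certificate carries the public key derived from the private key.
key_matches_cert() {   # <key.pem> <cert.pem>
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# 0 when the certificate verifies against the CA file. The output is checked
# as well as the exit status.
chains_to_ca() {       # <ca.pem> <cert.pem>
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Print the subject CN, the field the page says must be correct.
cert_cn() {            # <cert.pem>
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# 0 when the certificate stays valid for at least <days> more days.
valid_for_days() {     # <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check, print each failure, return the number of failed checks.
check_signed_cert() {  # <ca.pem> <key.pem> <cert.pem> <expected-cn> [min-days]
    fails=0
    key_matches_cert "$2" "$3" ||
        { echo "FAIL: private key does not match certificate"; fails=$((fails + 1)); }
    chains_to_ca "$1" "$3" ||
        { echo "FAIL: certificate does not verify against $1"; fails=$((fails + 1)); }
    [ "$(cert_cn "$3")" = "$4" ] ||
        { echo "FAIL: CN is '$(cert_cn "$3")', expected '$4'"; fails=$((fails + 1)); }
    valid_for_days "$3" "${5:-30}" ||
        { echo "FAIL: certificate expires within ${5:-30} days"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $3 is consistent with $2 and $1"
    return "$fails"
}

# Constructed sample: a throwaway CA and server certificate written to
# directory $1 with CN $2, signed with the page's openssl commands.
make_sample() {        # <dir> <cn>
    ( cd "$1" &&
      openssl req -x509 -nodes -newkey rsa:2048 -keyout ca.key -out ca.pem \
          -subj "/O=Zimbra/CN=Sample CA" -days 365 &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -key server.key -out server.csr -subj "/O=Zimbra/CN=$2" &&
      openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -out server.crt ) >/dev/null 2>&1
}

# Run as: sh check.sh ca.pem server.key server.crt mail.example.com [min-days]
if [ "$#" -ge 4 ]; then check_signed_cert "$@"; fi
```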

If you wish to have several names on the certificate, supply them as arguments

zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com

Install the server certificate files (as zimbra)

  • For Tomcat (ZCS up to 4.5.x)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
  • For Mailboxd (ZCS < 5.0.3)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/mailboxd.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
 (Error: there is no zmcertinstall in ZCS 5.0.2_GA_1975, just skip to deploycrt below)
  • To update CA cert stored in LDAP (as zimbra, 4.x):
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"
  • 5.x (as root)
/opt/zimbra/bin/zmcertmgr deploycrt self
 
  • You can see your updated certs in LDAP now and compare them to contents of /opt/zimbra/ssl/ssl/ca (as zimbra)
zmprov -l gcf zimbraCertAuthorityKeySelfSigned 
zmprov -l gcf zimbraCertAuthorityCertSelfSigned

Restart zimbra services

  • It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
zmcontrol stop
zmcontrol start

Troubleshooting

Note about 'unable to write random state':

This is a "harmless" warning that openssl has no random number seed file. The full story is available from openssl.org.

Permission denied (publickey,gssapi-with-mic)

http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html

Verified Against: ZCS 4.5.x & 5.0.x Date Created: 2/23/2006
Article ID: https://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate_in_ZCS_4.5_%26_5.0 Date Modified: 2015-07-12


