Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0: Difference between revisions
(maybe bug in zmcreateca? doesn't copy ca.pem, ca.key to /opt/zimbra/conf/ca) |
|||
Line 35: | Line 35: | ||
:keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br> | :keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br> | ||
(if you want certificate to last longer than 365 days, edit /opt/zimbra/conf/zmssl.cnf.in and change value for default_days) | (if you want the certificate to last longer than 365 days, edit /opt/zimbra/conf/zmssl.cnf.in and change value for default_days) | ||
:zmcreateca<br> | :zmcreateca<br> | ||
(after creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually): | |||
:cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key | |||
:cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem | |||
:zmcreatecert<br> | :zmcreatecert<br> | ||
:zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br> | :zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br> |
Revision as of 21:49, 15 November 2006
Self Signed Certificate Instructions
If you're working with a commercial certificate, don't use this page - go here instead
To clean up SSL certificates and recreate a new self-signed cert try this.
it won't hurt to back up what you already have:
- tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
as root:
- rm -rf /opt/zimbra/ssl
- mkdir /opt/zimbra/ssl
- chown zimbra:zimbra /opt/zimbra/ssl
- LINUX ONLY:
- chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
- chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
(on mac os x, this file is owned by root so you'll get "permission denied" if you don't import as root:)
- keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
(on linux: )
- su - zimbra
- keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
(back to everybody:)
su - zimbra
- keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
(if you want the certificate to last longer than 365 days, edit /opt/zimbra/conf/zmssl.cnf.in and change value for default_days)
- zmcreateca
(after creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually):
- cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
- cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
- zmcreatecert
- zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
- zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
It may be necessary to restart the Zimbra servers for the changes to take effect.
- su - zimbra
- zmcontrol stop
- zmcontrol start
unable to write random state
This is a "harmless" warning that openssl has no random number seed file. The full story is available from openssl.org.