Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0


Self Signed Certificate Instructions

If you're working with a commercial certificate, don't use this page - go here instead

To clean up the SSL certificates and create a new self-signed certificate, try the following.

It won't hurt to back up what you already have:

tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/

As root:

rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl
LINUX ONLY:
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts

(On Mac OS X, this file is owned by root, so you'll get "permission denied" if you don't import as root:)

keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit

(On Linux:)

su - zimbra
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit


(Back to everybody:)

su - zimbra

keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

(If you want the certificate to last longer than 365 days, edit /opt/zimbra/conf/zmssl.cnf.in and change the value of default_days.)

zmcreateca
zmcreatecert
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key

It may be necessary to restart the Zimbra servers for the changes to take effect.

su - zimbra
zmcontrol stop
zmcontrol start
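
The server certificate and key passed to zmcertinstall above can be checked for a matching key pair and for the validity period set by default_days. This is an added example, not part of the original instructions; the function names are hypothetical, and it assumes an RSA key and openssl on the PATH.

```shell
#!/bin/sh
# Added example: sanity checks for the certificate/key pair given to zmcertinstall.
# Function names are hypothetical; an RSA key is assumed.

# cert_matches_key CERT KEY
# Returns 0 when the RSA modulus in the certificate equals the modulus of the
# private key, 1 when they differ, 2 when either file cannot be parsed.
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$cert_mod" ] || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# cert_valid_for CERT DAYS
# Returns 0 when the certificate will still be valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_zimbra_cert CERT KEY DAYS
# Runs both checks and prints a one-line result; returns non-zero on failure.
check_zimbra_cert() {
    cert_matches_key "$1" "$2" || { echo "MISMATCH: $1 does not belong to $2"; return 1; }
    cert_valid_for "$1" "$3" || { echo "EXPIRING: $1 expires within $3 days"; return 1; }
    echo "OK: $1 matches its key, expires $(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
}

# Usage as the zimbra user, with the paths used on this page:
#   check_zimbra_cert /opt/zimbra/ssl/ssl/server/server.crt \
#                     /opt/zimbra/ssl/ssl/server/server.key 30
```

A MISMATCH result means the certificate and key come from different runs of zmcreatecert and should not be installed together.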

unable to write random state

This is a "harmless" warning that openssl has no random number seed file. The full story is available from openssl.org.
