Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0

Revision as of 04:22, 21 November 2006 by Jdell (talk | contribs) (added note about what you should see in output and clarified optional setting)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Self Signed Certificate Instructions

If you're working with a commercial certificate, do *NOT* use this page - go here instead

  • To clean up SSL certificates and recreate a new self-signed cert try this.
  • First though, it won't hurt to back up what you already have:
tar -cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
  • (EVERYBODY) Delete and re-create SSL Directory (as root):
su -
rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl
  • (LINUX ONLY) Additional Steps:
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
  • (EVERYBODY) Delete CA
(Mac OS X ONLY) The file is owned by root so you'll get "permission denied" if you don't import as root:
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit
(LINUX ONLY) su - zimbra keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
  • (EVERYBODY) Delete Tomcat cert (as zimbra):
su - zimbra
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
  • (OPTIONAL) If you want the certificate to last longer than 365 days (as zimbra)
vi /opt/zimbra/conf/zmssl.cnf.in
[change value for default_days as appropriate]

Workaround: zmssl.cnf.in default_days is ingnored. Currently you will need to edit zmcreateca and zmcreatecert: Bug is http://bugzilla.zimbra.com/show_bug.cgi?id=12228

  • (OPTIONAL) If you want the common name show up in the CA rather than 'Zimbra Collaboration Suite' because you have several zimbra servers. Please Note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.
vi /opt/zimbra/conf/zmssl.cnf.in
[change section to appear as below]
0.organizationName              = Zimbra
0.organizationName_default      = Zimbra
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName          = Zimbra
organizationalUnitName_default  = Zimbra
commonName                      = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
commonName_max                  = 64
commonName_default              = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
  • Now create the CA (as zimbra)
zmcreateca
  • (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:
...
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname>
Getting Private key
unable to write 'random state'
  • After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
  • Now create the Cert (as zimbra)
zmcreatecert
  • Now install the Cert and Key (as zimbra)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
  • I don't know what the CA cert stored in LDAP is used for, or if it is used at all, but it is *not* updated by the above steps. To update CA cert (as zimbra):
cat /opt/zimbra/ssl/ssl/ca/ca.key
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----
[paste the contents of ca.key from above - I needed to construct this whole command in a text editor then paste into the CLI]
-----END RSA PRIVATE KEY-----"
cat /opt/zimbra/ssl/ssl/ca/ca.pem
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "-----BEGIN TRUSTED CERTIFICATE-----
[paste the contents of ca.pem from above - I needed to construct this whole command in a text editor then paste into the CLI]
-----END TRUSTED CERTIFICATE-----"

  • You can see your updated certs in LDAP now and compare them to contents of /opt/zimbra/ssl/ssl/ca (as zimbra)
zmprov gcf zimbraCertAuthorityKeySelfSigned 
zmprov gcf zimbraCertAuthorityCertSelfSigned 
  • It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).
zmcontrol stop
zmcontrol start

Note about 'unable to write random state'

This is a "harmless" warning that openssl has no random number seed file. The full story is available from openssl.org.

Jump to: navigation, search