Difference between revisions of "Self-Signed-CA-SSL-CRT"

(self signed CA and certificate installation)
 
 
(9 intermediate revisions by one other user not shown)
Line 1: Line 1:
Below are the example steps to create self signed SSL certificate with CA valid for 10 years in a multi-server setup.
+
{{Unsupported}}== Self signed SSL certificates with CA valid for 10 years in a multi-server setup. ==
  
Edit /opt/zimbra/bin/zmcertmgr file on LDAP master server (as root user)and search for "validation_days", then modify the default value as per your requirement, then save and exit.
+
'''While deploying self signed SSL CA/certificates in a multi-server setup, please make sure that your localconfig on all servers allows untrusted certificates (untrusted means self signed)'''
  
[root@v01 ~]# nano /opt/zimbra/bin/zmcertmgr  
+
'''You can verify the same using below example commands.'''
[root@v01 ~]# cat /opt/zimbra/bin/zmcertmgr |grep validation_days
+
 
validation_days=3660
+
[zimbra@v01 ~]$ zmlocalconfig |egrep "ssl_allow_accept_untrusted_certs|ssl_allow_untrusted_certs"
     -days ${validation_days} \
+
ssl_allow_accept_untrusted_certs = true
 +
ssl_allow_untrusted_certs = true
 +
[zimbra@v01 ~]$
 +
 
 +
'''If the untrsuted certs are not allowed, then please allow them using below commands.'''
 +
 
 +
'''Run on all zimbra servers:'''
 +
 
 +
su - zimbra
 +
zmlocalconfig -e ssl_allow_accept_untrusted_certs=true
 +
zmlocalconfig -e ssl_allow_untrusted_certs=true
 +
 
 +
'''Take backup of "/opt/zimbra/bin/zmcertmgr" file.'''
 +
 
 +
cp /opt/zimbra/bin/zmcertmgr /var/tmp/
 +
 
 +
'''Edit /opt/zimbra/bin/zmcertmgr file on LDAP master server (as root user) and search for "validation_days", then modify the default value as per your requirement, then save and exit.'''
 +
 
 +
  [root@v01 ~]# nano /opt/zimbra/bin/zmcertmgr  
 +
  [root@v01 ~]# cat /opt/zimbra/bin/zmcertmgr |grep validation_days  
 +
  validation_days=3660  
 +
     -days ${validation_days}  
 
     validation_days=$1
 
     validation_days=$1
 
     echo "Validation days: $validation_days"
 
     echo "Validation days: $validation_days"
     -days ${validation_days} \
+
     -days ${validation_days}  
   #  -days ${validation_days} -CAserial ${zimbra_ca_srl} \
+
   #  -days ${validation_days} -CAserial ${zimbra_ca_srl}  
 
   echo "-  Default <validation_days> is 365. "
 
   echo "-  Default <validation_days> is 365. "
[root@v01 ~]#
+
  [root@v01 ~]#  
  
Take the backup of old CA/certs and then create new CA valid for 10 years (3660 days)CA with 2048 key size.
 
  
[root@v01 ~]# mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old
+
'''Take the backup of old CA/certs and then create new CA valid for 10 years (3660 days)CA with 2048 key size.'''
[root@v01 ~]# /opt/zimbra/bin/zmcertmgr createca -new -keysize 2048 -subject "/C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com"
 
** Creating directory /opt/zimbra/ssl/zimbra
 
** Creating directory /opt/zimbra/ssl/zimbra/ca
 
** Creating directory /opt/zimbra/ssl/zimbra/server
 
** Creating directory /opt/zimbra/ssl/zimbra/commercial
 
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
 
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
 
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
 
[root@v01 ~]#
 
  
Deploy CA locally
+
  [root@v01 ~]# mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old
 +
  [root@v01 ~]# /opt/zimbra/bin/zmcertmgr createca -new -keysize 2048 -subject "/C=DE/ST=New-Y  ork/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com"
 +
** Creating directory /opt/zimbra/ssl/zimbra
 +
** Creating directory /opt/zimbra/ssl/zimbra/ca
 +
** Creating directory /opt/zimbra/ssl/zimbra/server
 +
** Creating directory /opt/zimbra/ssl/zimbra/commercial
 +
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
 +
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
 +
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
 +
[root@v01 ~]#
  
[root@v01 ~]# /opt/zimbra/bin/zmcertmgr deployca -locally
 
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
 
** Saving global config key zimbraCertAuthorityCertSelfSigned...done.
 
** Saving global config key zimbraCertAuthorityKeySelfSigned...done.
 
** Copying CA to /opt/zimbra/conf/ca...done.
 
[root@v01 ~]#
 
  
Create self signed SSL certificate valid for 10 years (3660 days) with 2048 keysize (we can add more than one subjectAltNames in multi-server setup).
+
'''Deploy CA locally'''
  
[root@v01 ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3660 -keysize 2048 -subject "/C=DE/ST=New-York/L=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com" -subjectAltNames "v01.vinay.com,v01store1.vinay.com"
+
[root@v01 ~]# /opt/zimbra/bin/zmcertmgr deployca -locally
Validation days: 3660
+
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Creating /opt/zimbra/conf/zmssl.cnf...done
+
** Saving global config key zimbraCertAuthorityCertSelfSigned...done.
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214030428
+
** Saving global config key zimbraCertAuthorityKeySelfSigned...done.
** Generating a server csr for download self -new -keysize 2048
+
** Copying CA to /opt/zimbra/conf/ca...done.
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214030428
+
[root@v01 ~]#  
** Retrieving Commercial CA cert from ldap...done.
 
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 
** Saving server config key zimbraSSLPrivateKey...done.
 
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 
[root@v01 ~]#
 
  
We can remove the regular empty file created during self signed SSL certificate generation.
 
  
[root@v01 ~]# rm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
+
'''Create self signed SSL certificate valid for 10 years (3660 days) with 2048 keysize (we can add more than one subjectAltNames in multi-server setup).'''
rm: remove regular empty file `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'? y
 
[root@v01 ~]#
 
  
Deploy self signed SSL certificate that we have generated for 3660 days.
+
[root@v01 ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3660 -keysize 2048 -subject    "/C=DE/ST=New-York/L=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com" -subjectAltNames  "v01.vinay.com,v01store1.vinay.com"
 +
Validation days: 3660
 +
** Creating /opt/zimbra/conf/zmssl.cnf...done
 +
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214030428
 +
** Generating a server csr for download self -new -keysize 2048
 +
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214030428
 +
** Retrieving Commercial CA cert from ldap...done.
 +
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 +
** Saving server config key zimbraSSLPrivateKey...done.
 +
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 +
[root@v01 ~]#
  
[root@v01 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
 
** Saving server config key zimbraSSLCertificate...done.
 
** Saving server config key zimbraSSLPrivateKey...done.
 
** Installing mta certificate and key...done.
 
** Installing slapd certificate and key...done.
 
** Installing proxy certificate and key...done.
 
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
 
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
 
** Installing CA to /opt/zimbra/conf/ca...done.
 
[root@v01 ~]#
 
  
We need to restart the zimbra services (zmcontrol restart)for the new CA/certificate to take effect.
+
'''We can remove the regular empty file created during self signed SSL certificate generation.'''
  
[root@v01 ~]# su - zimbra -c "zmcontrol stop ; zmcontrol start"
+
  [root@v01 ~]# rm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
Host v01.vinay.com
+
  rm: remove regular empty file `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'? y
Stopping zmconfigd...Done.
+
  [root@v01 ~]#  
Stopping stats...Done.
 
Stopping mta...Done.
 
Stopping spell...Done.
 
Stopping snmp...Done.
 
Stopping cbpolicyd...Done.
 
Stopping archiving...Done.
 
Stopping antivirus...Done.
 
Stopping antispam...Done.
 
Stopping imapproxy...Done.
 
Stopping memcached...Done.
 
Stopping mailbox...Done.
 
Stopping convertd...Done.
 
Stopping logger...Done.
 
Stopping ldap...Done.
 
Host v01.vinay.com
 
Starting ldap...Done.
 
Starting zmconfigd...Done.
 
Starting logger...Done.
 
Starting convertd...Done.
 
Starting mailbox...Done.
 
Starting memcached...Done.
 
Starting imapproxy...Done.
 
Starting antispam...Done.
 
Starting antivirus...Done.
 
Starting archiving...Done.
 
Starting snmp...Done.
 
Starting spell...Done.
 
Starting mta...Done.
 
Starting stats...Done.
 
[root@v01 ~]#  
 
  
Now verify the certificate status.
 
  
[root@v01 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
+
'''Deploy self signed SSL certificate that we have generated for 3660 days.'''
::service mta::
 
notBefore=Feb 14 11:04:37 2012 GMT
 
notAfter=Feb 21 11:04:37 2022 GMT
 
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
SubjectAltName= v01.vinay.com, v01store1.vinay.com
 
::service proxy::
 
notBefore=Feb 14 11:04:37 2012 GMT
 
notAfter=Feb 21 11:04:37 2022 GMT
 
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
SubjectAltName= v01.vinay.com, v01store1.vinay.com
 
::service mailboxd::
 
notBefore=Feb 14 11:04:37 2012 GMT
 
notAfter=Feb 21 11:04:37 2022 GMT
 
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
SubjectAltName= v01.vinay.com, v01store1.vinay.com
 
::service ldap::
 
notBefore=Feb 14 11:04:37 2012 GMT
 
notAfter=Feb 21 11:04:37 2022 GMT
 
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
SubjectAltName= v01.vinay.com, v01store1.vinay.com
 
[root@v01 ~]#
 
  
 +
[root@v01 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
 +
** Saving server config key zimbraSSLCertificate...done.
 +
** Saving server config key zimbraSSLPrivateKey...done.
 +
** Installing mta certificate and key...done.
 +
** Installing slapd certificate and key...done.
 +
** Installing proxy certificate and key...done.
 +
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
 +
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
 +
** Installing CA to /opt/zimbra/conf/ca...done.
 +
[root@v01 ~]#
  
We can verify the CA status using below commands.
 
  
[root@v01 ~]# openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem
+
'''We need to restart the zimbra services (zmcontrol restart)for the new CA/certificate to take effect.'''
Certificate:
+
 
 +
[root@v01 ~]# su - zimbra -c "zmcontrol stop ; zmcontrol start"
 +
Host v01.vinay.com
 +
Stopping zmconfigd...Done.
 +
Stopping stats...Done.
 +
Stopping mta...Done.
 +
Stopping spell...Done.
 +
Stopping snmp...Done.
 +
Stopping cbpolicyd...Done.
 +
Stopping archiving...Done.
 +
Stopping antivirus...Done.
 +
Stopping antispam...Done.
 +
Stopping imapproxy...Done.
 +
Stopping memcached...Done.
 +
Stopping mailbox...Done.
 +
Stopping convertd...Done.
 +
Stopping logger...Done.
 +
Stopping ldap...Done.
 +
Host v01.vinay.com
 +
Starting ldap...Done.
 +
Starting zmconfigd...Done.
 +
Starting logger...Done.
 +
Starting convertd...Done.
 +
Starting mailbox...Done.
 +
Starting memcached...Done.
 +
Starting imapproxy...Done.
 +
Starting antispam...Done.
 +
Starting antivirus...Done.
 +
Starting archiving...Done.
 +
Starting snmp...Done.
 +
Starting spell...Done.
 +
Starting mta...Done.
 +
Starting stats...Done.
 +
[root@v01 ~]#
 +
 
 +
 
 +
'''Now verify the certificate status.'''
 +
 
 +
[root@v01 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
 +
::service mta::
 +
notBefore=Feb 14 11:04:37 2012 GMT
 +
notAfter=Feb 21 11:04:37 2022 GMT
 +
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
SubjectAltName= v01.vinay.com, v01store1.vinay.com
 +
::service proxy::
 +
notBefore=Feb 14 11:04:37 2012 GMT
 +
notAfter=Feb 21 11:04:37 2022 GMT
 +
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
SubjectAltName= v01.vinay.com, v01store1.vinay.com
 +
::service mailboxd::
 +
notBefore=Feb 14 11:04:37 2012 GMT
 +
notAfter=Feb 21 11:04:37 2022 GMT
 +
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
SubjectAltName= v01.vinay.com, v01store1.vinay.com
 +
::service ldap::
 +
notBefore=Feb 14 11:04:37 2012 GMT
 +
notAfter=Feb 21 11:04:37 2022 GMT
 +
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
SubjectAltName= v01.vinay.com, v01store1.vinay.com
 +
[root@v01 ~]#
 +
 
 +
 
 +
 
 +
'''We can verify the CA status using below commands.'''
 +
 
 +
[root@v01 ~]# openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem
 +
Certificate:
 
     Data:
 
     Data:
 
         Version: 1 (0x0)
 
         Version: 1 (0x0)
Line 154: Line 183:
 
                                     Exponent: 65537 (0x10001)
 
                                     Exponent: 65537 (0x10001)
 
     Signature Algorithm: sha1WithRSAEncryption
 
     Signature Algorithm: sha1WithRSAEncryption
[root@v01 ~]#  
+
[root@v01 ~]#  
 +
 
 +
 
 
    
 
    
Then we need to copy/paste the CA from LDAP master to all other servers and deploy the same.
+
'''Then we need to copy/paste the CA from LDAP master to all other servers and deploy the same.'''
  
[root@v01store1 ~]# rm -rf /opt/zimbra/ssl/zimbra/ca/* ;  rm -rf /opt/zimbra/ssl/zimbra/server/*
+
[root@v01store1 ~]# rm -rf /opt/zimbra/ssl/zimbra/ca/* ;  rm -rf /opt/zimbra/ssl/zimbra/server/*
[root@v01store1 ~]# scp -r root@10.112.233.171://opt/zimbra/ssl/zimbra/ca/* /opt/zimbra/ssl/zimbra/ca/
+
[root@v01store1 ~]# scp -r root@10.112.233.171://opt/zimbra/ssl/zimbra/ca/*   /opt/zimbra/ssl/zimbra/ca/
root@10.112.233.171's password:  
+
root@10.112.233.171's password:  
ca.csr                                                                                                                                                                 100% 1082    1.1KB/s  00:00     
+
ca.csr                                                                                                                                                                   100% 1082    1.1KB/s  00:00     
ca.key                                                                                                                                                                 100% 1708    1.7KB/s  00:00     
+
ca.key                                                                                                                                                                   100% 1708    1.7KB/s  00:00     
ca.pem                                                                                                                                                                 100% 1265    1.2KB/s  00:00     
+
ca.pem                                                                                                                                                                   100% 1265    1.2KB/s  00:00     
ca.srl                                                                                                                                                                  100%  11    0.0KB/s  00:00     
+
ca.srl                                                                                                                                                                  100%  11    0.0KB/s  00:00     
ca.srl.old                                                                                                                                                             100%  11    0.0KB/s  00:00     
+
ca.srl.old                                                                                                                                                               100%  11    0.0KB/s  00:00     
index.txt                                                                                                                                                               100%  101    0.1KB/s  00:00     
+
index.txt                                                                                                                                                               100%  101    0.1KB/s  00:00     
index.txt.attr                                                                                                                                                         100%  21    0.0KB/s  00:00     
+
index.txt.attr                                                                                                                                                           100%  21    0.0KB/s  00:00     
index.txt.old                                                                                                                                                          100%    0    0.0KB/s  00:00     
+
index.txt.old                                                                                                                                                          100%    0    0.0KB/s  00:00     
1329217468.pem                                                                                                                                                          100% 1326    1.3KB/s  00:00     
+
1329217468.pem                                                                                                                                                          100% 1326    1.3KB/s  00:00     
zmssl.cnf                                                                                                                                                              100% 7702    7.5KB/s  00:00     
+
zmssl.cnf                                                                                                                                                              100% 7702    7.5KB/s  00:00     
[root@v01store1 ~]#  
+
[root@v01store1 ~]#  
  
[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr deployca
+
[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
+
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Copying CA to /opt/zimbra/conf/ca...done.
+
** Copying CA to /opt/zimbra/conf/ca...done.
[root@v01store1 ~]#  
+
[root@v01store1 ~]#  
  
Create certificate/deploy certificate
 
  
[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3660 -keysize 2048 -subject "/C=DE/ST=New-York/L=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com" -subjectAltNames "v01.vinay.com,v01store1.vinay.com"
+
'''Create certificate/deploy certificate'''
Validation days: 3660
 
** Creating /opt/zimbra/conf/zmssl.cnf...done
 
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214172721
 
** Generating a server csr for download self -new -keysize 2048
 
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214172721
 
** Retrieving Commercial CA cert from ldap...done.
 
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 
** Saving server config key zimbraSSLPrivateKey...done.
 
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 
[root@v01store1 ~]#
 
  
[root@v01store1 ~]# rm /opt/zimbra/ssl/zimbra//commercial/commercial_ca.crt
+
[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3660 -keysize 2048 -subject  "/C=DE/ST=New-York/L=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com" -subjectAltNames  "v01.vinay.com,v01store1.vinay.com"
rm: remove regular empty file `/opt/zimbra/ssl/zimbra//commercial/commercial_ca.crt'? y
+
Validation days: 3660
[root@v01store1 ~]#  
+
** Creating /opt/zimbra/conf/zmssl.cnf...done
 +
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214172721
 +
** Generating a server csr for download self -new -keysize 2048
 +
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214172721
 +
** Retrieving Commercial CA cert from ldap...done.
 +
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 +
** Saving server config key zimbraSSLPrivateKey...done.
 +
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 +
[root@v01store1 ~]#  
  
[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
+
[root@v01store1 ~]# rm /opt/zimbra/ssl/zimbra//commercial/commercial_ca.crt
** Saving server config key zimbraSSLCertificate...done.
+
rm: remove regular empty file `/opt/zimbra/ssl/zimbra//commercial/commercial_ca.crt'? y
** Saving server config key zimbraSSLPrivateKey...done.
+
[root@v01store1 ~]#  
** Installing mta certificate and key...done.
 
** Installing slapd certificate and key...done.
 
** Installing proxy certificate and key...done.
 
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
 
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
 
** Installing CA to /opt/zimbra/conf/ca...done.
 
[root@v01store1 ~]#  
 
  
restart zimbra services for the new certificate and CA to take effect.
 
  
[root@v01store1 ~]# su - zimbra -c "zmcontrol stop ; zmcontrol start"
+
[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
Host v01store1.vinay.com
+
** Saving server config key zimbraSSLCertificate...done.
Stopping zmconfigd...Done.
+
** Saving server config key zimbraSSLPrivateKey...done.
Stopping stats...Done.
+
** Installing mta certificate and key...done.
Stopping spell...Done.
+
** Installing slapd certificate and key...done.
Stopping snmp...Done.
+
** Installing proxy certificate and key...done.
Stopping cbpolicyd...Done.
+
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
Stopping archiving...Done.
+
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
Stopping antivirus...Done.
+
** Installing CA to /opt/zimbra/conf/ca...done.
Stopping antispam...Done.
+
[root@v01store1 ~]#  
Stopping imapproxy...Done.
 
Stopping memcached...Done.
 
Stopping mailbox...Done.
 
Stopping convertd...Done.
 
Stopping logger...Done.
 
Host v01store1.vinay.com
 
Starting zmconfigd...Done.
 
Starting logger...Done.
 
Starting convertd...Done.
 
Starting mailbox...Done.
 
Starting snmp...Done.
 
Starting spell...Done.
 
Starting stats...Done.
 
[root@v01store1 ~]#  
 
  
Verify certificate status
 
  
[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
+
'''Restart zimbra services for the new certificate and CA to take effect.'''
::service mta::
 
notBefore=Feb 14 11:57:30 2012 GMT
 
notAfter=Feb 21 11:57:30 2022 GMT
 
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
SubjectAltName= v01store1.vinay.com, v01.vinay.com
 
::service proxy::
 
notBefore=Feb 14 11:57:30 2012 GMT
 
notAfter=Feb 21 11:57:30 2022 GMT
 
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
SubjectAltName= v01store1.vinay.com, v01.vinay.com
 
::service mailboxd::
 
notBefore=Feb 14 11:57:30 2012 GMT
 
notAfter=Feb 21 11:57:30 2022 GMT
 
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
SubjectAltName= v01store1.vinay.com, v01.vinay.com
 
::service ldap::
 
notBefore=Feb 14 11:57:30 2012 GMT
 
notAfter=Feb 21 11:57:30 2022 GMT
 
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 
SubjectAltName= v01store1.vinay.com, v01.vinay.com
 
[root@v01store1 ~]#
 
  
verify the CA copied from LDAP master and deployed on store too.
+
[root@v01store1 ~]# su - zimbra -c "zmcontrol stop ; zmcontrol start"
 +
Host v01store1.vinay.com
 +
Stopping zmconfigd...Done.
 +
Stopping stats...Done.
 +
Stopping spell...Done.
 +
Stopping snmp...Done.
 +
Stopping cbpolicyd...Done.
 +
Stopping archiving...Done.
 +
Stopping antivirus...Done.
 +
Stopping antispam...Done.
 +
Stopping imapproxy...Done.
 +
Stopping memcached...Done.
 +
Stopping mailbox...Done.
 +
Stopping convertd...Done.
 +
Stopping logger...Done.
 +
Host v01store1.vinay.com
 +
Starting zmconfigd...Done.
 +
Starting logger...Done.
 +
Starting convertd...Done.
 +
Starting mailbox...Done.
 +
Starting snmp...Done.
 +
Starting spell...Done.
 +
Starting stats...Done.
 +
[root@v01store1 ~]#
  
[root@v01store1 ~]# openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem
+
 
Certificate:
+
'''Verify certificate status'''
 +
 
 +
[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
 +
::service mta::
 +
notBefore=Feb 14 11:57:30 2012 GMT
 +
notAfter=Feb 21 11:57:30 2022 GMT
 +
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
SubjectAltName= v01store1.vinay.com, v01.vinay.com
 +
::service proxy::
 +
notBefore=Feb 14 11:57:30 2012 GMT
 +
notAfter=Feb 21 11:57:30 2022 GMT
 +
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
SubjectAltName= v01store1.vinay.com, v01.vinay.com
 +
::service mailboxd::
 +
notBefore=Feb 14 11:57:30 2012 GMT
 +
notAfter=Feb 21 11:57:30 2022 GMT
 +
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
SubjectAltName= v01store1.vinay.com, v01.vinay.com
 +
::service ldap::
 +
notBefore=Feb 14 11:57:30 2012 GMT
 +
notAfter=Feb 21 11:57:30 2022 GMT
 +
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 +
SubjectAltName= v01store1.vinay.com, v01.vinay.com
 +
[root@v01store1 ~]#
 +
 
 +
 
 +
'''Verify the CA copied from LDAP master which is deployed on store.'''
 +
 
 +
[root@v01store1 ~]# openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem
 +
Certificate:
 
     Data:
 
     Data:
 
         Version: 1 (0x0)
 
         Version: 1 (0x0)
Line 283: Line 319:
 
     Signature Algorithm: sha1WithRSAEncryption
 
     Signature Algorithm: sha1WithRSAEncryption
 
       [root@v01store1 ~]#
 
       [root@v01store1 ~]#
 +
 +
 +
'''Make sure that your self signed SSL CA & relevant SSL certitifate are matching the same time stamp.'''
 +
 +
'''You can verify the same using below commands.'''
 +
 +
'''Run on your LDAP Server as root user.'''
 +
 +
openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem |grep -A 2 Validity
 +
openssl x509 -text -noout -in /opt/zimbra/conf/slapd.crt |grep -A 2 Validity
 +
 +
'''Run on Proxy Server if any in your setup as root user.'''
 +
 +
openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem |grep -A 2 Validity
 +
openssl x509 -text -noout -in /opt/zimbra/conf/nginx.crt |grep -A 2 Validity
 +
 +
'''Run on Mail Store Server as root user.'''
 +
 +
openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem |grep -A 2 Validity
 +
openssl x509 -text -noout -in /opt/zimbra/mailboxd/etc/mailboxd.pem |grep -A 2 Validity
 +
 +
'''Run on MTA Server as root user.'''
 +
 +
openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem |grep -A 2 Validity
 +
openssl x509 -text -noout -in /opt/zimbra/conf/smtpd.crt |grep -A 2 Validity

Latest revision as of 14:56, 30 March 2015

Self signed SSL certificates with CA valid for 10 years in a multi-server setup.

While deploying self signed SSL CA/certificates in a multi-server setup, please make sure that your localconfig on all servers allows untrusted certificates (untrusted means self signed)

You can verify the same using below example commands.

[zimbra@v01 ~]$ zmlocalconfig |egrep "ssl_allow_accept_untrusted_certs|ssl_allow_untrusted_certs"
ssl_allow_accept_untrusted_certs = true
ssl_allow_untrusted_certs = true
[zimbra@v01 ~]$ 

If the untrsuted certs are not allowed, then please allow them using below commands.

Run on all zimbra servers:

su - zimbra
zmlocalconfig -e ssl_allow_accept_untrusted_certs=true
zmlocalconfig -e ssl_allow_untrusted_certs=true

Take backup of "/opt/zimbra/bin/zmcertmgr" file.

cp /opt/zimbra/bin/zmcertmgr /var/tmp/

Edit /opt/zimbra/bin/zmcertmgr file on LDAP master server (as root user) and search for "validation_days", then modify the default value as per your requirement, then save and exit.

 [root@v01 ~]# nano /opt/zimbra/bin/zmcertmgr 
 [root@v01 ~]# cat /opt/zimbra/bin/zmcertmgr |grep validation_days 
 validation_days=3660 
   -days ${validation_days} 
   validation_days=$1
   echo "Validation days: $validation_days"
   -days ${validation_days} 
 #  -days ${validation_days} -CAserial ${zimbra_ca_srl} 
 echo "-  Default <validation_days> is 365. "
 [root@v01 ~]# 


Take the backup of old CA/certs and then create new CA valid for 10 years (3660 days)CA with 2048 key size.

 [root@v01 ~]# mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old
 [root@v01 ~]# /opt/zimbra/bin/zmcertmgr createca -new -keysize 2048 -subject "/C=DE/ST=New-Y   ork/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com"
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
[root@v01 ~]# 


Deploy CA locally

[root@v01 ~]# /opt/zimbra/bin/zmcertmgr deployca -locally
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...done.
** Saving global config key zimbraCertAuthorityKeySelfSigned...done.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@v01 ~]# 


Create self signed SSL certificate valid for 10 years (3660 days) with 2048 keysize (we can add more than one subjectAltNames in multi-server setup).

[root@v01 ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3660 -keysize 2048 -subject    "/C=DE/ST=New-York/L=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com" -subjectAltNames   "v01.vinay.com,v01store1.vinay.com"
Validation days: 3660
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214030428 
** Generating a server csr for download self -new -keysize 2048
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214030428 
** Retrieving Commercial CA cert from ldap...done.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@v01 ~]#


We can remove the regular empty file created during self signed SSL certificate generation.

 [root@v01 ~]# rm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
 rm: remove regular empty file `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'? y
 [root@v01 ~]# 


Deploy self signed SSL certificate that we have generated for 3660 days.

[root@v01 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@v01 ~]# 


We need to restart the zimbra services (zmcontrol restart)for the new CA/certificate to take effect.

[root@v01 ~]# su - zimbra -c "zmcontrol stop ; zmcontrol start"
Host v01.vinay.com
Stopping zmconfigd...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping convertd...Done.
Stopping logger...Done.
Stopping ldap...Done.
Host v01.vinay.com
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting convertd...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting imapproxy...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting archiving...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
[root@v01 ~]# 


Now verify the certificate status.

[root@v01 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Feb 14 11:04:37 2012 GMT
notAfter=Feb 21 11:04:37 2022 GMT
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
SubjectAltName= v01.vinay.com, v01store1.vinay.com
::service proxy::
notBefore=Feb 14 11:04:37 2012 GMT
notAfter=Feb 21 11:04:37 2022 GMT
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
SubjectAltName= v01.vinay.com, v01store1.vinay.com
::service mailboxd::
notBefore=Feb 14 11:04:37 2012 GMT
notAfter=Feb 21 11:04:37 2022 GMT
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
SubjectAltName= v01.vinay.com, v01store1.vinay.com
::service ldap::
notBefore=Feb 14 11:04:37 2012 GMT
notAfter=Feb 21 11:04:37 2022 GMT
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
SubjectAltName= v01.vinay.com, v01store1.vinay.com
[root@v01 ~]# 


We can verify the CA status using below commands.

[root@v01 ~]# openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem
Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number:
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=DE, ST=New-York, L=New-York, O=zimbra, OU=ZimbraGlobalSupport, CN=*.vinay.com
       Validity
           Not Before: Feb 14 11:03:00 2012 GMT
           Not After : Feb 21 11:03:00 2022 GMT
       Subject: C=DE, ST=New-York, L=New-York, O=zimbra, OU=ZimbraGlobalSupport, CN=*.vinay.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (2048 bit)
               Modulus (2048 bit):
                                   Exponent: 65537 (0x10001)
   Signature Algorithm: sha1WithRSAEncryption
[root@v01 ~]# 


Then we need to copy/paste the CA from LDAP master to all other servers and deploy the same.

[root@v01store1 ~]# rm -rf /opt/zimbra/ssl/zimbra/ca/* ;  rm -rf /opt/zimbra/ssl/zimbra/server/*
[root@v01store1 ~]# scp -r root@10.112.233.171://opt/zimbra/ssl/zimbra/ca/*   /opt/zimbra/ssl/zimbra/ca/
root@10.112.233.171's password: 
ca.csr                                                                                                                                                                    100% 1082     1.1KB/s   00:00    
ca.key                                                                                                                                                                   100% 1708     1.7KB/s   00:00    
ca.pem                                                                                                                                                                    100% 1265     1.2KB/s   00:00    
ca.srl                                                                                                                                                                  100%   11     0.0KB/s   00:00    
ca.srl.old                                                                                                                                                               100%   11     0.0KB/s   00:00    
index.txt                                                                                                                                                                100%  101     0.1KB/s   00:00    
index.txt.attr                                                                                                                                                           100%   21     0.0KB/s   00:00    
index.txt.old                                                                                                                                                           100%    0     0.0KB/s   00:00    
1329217468.pem                                                                                                                                                          100% 1326     1.3KB/s   00:00    
zmssl.cnf                                                                                                                                                               100% 7702     7.5KB/s   00:00    
[root@v01store1 ~]# 
[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@v01store1 ~]# 


Create certificate/deploy certificate

[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3660 -keysize 2048 -subject   "/C=DE/ST=New-York/L=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com" -subjectAltNames  "v01.vinay.com,v01store1.vinay.com"
Validation days: 3660
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214172721 
** Generating a server csr for download self -new -keysize 2048
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214172721 
** Retrieving Commercial CA cert from ldap...done.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@v01store1 ~]# 
[root@v01store1 ~]# rm /opt/zimbra/ssl/zimbra//commercial/commercial_ca.crt 
rm: remove regular empty file `/opt/zimbra/ssl/zimbra//commercial/commercial_ca.crt'? y
[root@v01store1 ~]# 


[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@v01store1 ~]# 


Restart zimbra services for the new certificate and CA to take effect.

[root@v01store1 ~]# su - zimbra -c "zmcontrol stop ; zmcontrol start"
Host v01store1.vinay.com
Stopping zmconfigd...Done.
Stopping stats...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping convertd...Done.
Stopping logger...Done.
Host v01store1.vinay.com
Starting zmconfigd...Done.
Starting logger...Done.
Starting convertd...Done.
Starting mailbox...Done.
Starting snmp...Done.
Starting spell...Done.
Starting stats...Done.
[root@v01store1 ~]# 


Verify certificate status

[root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Feb 14 11:57:30 2012 GMT
notAfter=Feb 21 11:57:30 2022 GMT
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
SubjectAltName= v01store1.vinay.com, v01.vinay.com
::service proxy::
notBefore=Feb 14 11:57:30 2012 GMT
notAfter=Feb 21 11:57:30 2022 GMT
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
SubjectAltName= v01store1.vinay.com, v01.vinay.com
::service mailboxd::
notBefore=Feb 14 11:57:30 2012 GMT
notAfter=Feb 21 11:57:30 2022 GMT
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
SubjectAltName= v01store1.vinay.com, v01.vinay.com
::service ldap::
notBefore=Feb 14 11:57:30 2012 GMT
notAfter=Feb 21 11:57:30 2022 GMT
subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
SubjectAltName= v01store1.vinay.com, v01.vinay.com
[root@v01store1 ~]# 


Verify the CA copied from LDAP master which is deployed on store.

[root@v01store1 ~]# openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem
Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number:
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=DE, ST=New-York, L=New-York, O=zimbra, OU=ZimbraGlobalSupport, CN=*.vinay.com
       Validity
           Not Before: Feb 14 11:03:00 2012 GMT
           Not After : Feb 21 11:03:00 2022 GMT
       Subject: C=DE, ST=New-York, L=New-York, O=zimbra, OU=ZimbraGlobalSupport, CN=*.vinay.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (2048 bit)
               Modulus (2048 bit):
                                   Exponent: 65537 (0x10001)
   Signature Algorithm: sha1WithRSAEncryption
      [root@v01store1 ~]#


Make sure that your self signed SSL CA & relevant SSL certitifate are matching the same time stamp.

You can verify the same using below commands.

Run on your LDAP Server as root user.

openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem |grep -A 2 Validity
openssl x509 -text -noout -in /opt/zimbra/conf/slapd.crt |grep -A 2 Validity

Run on Proxy Server if any in your setup as root user.

openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem |grep -A 2 Validity
openssl x509 -text -noout -in /opt/zimbra/conf/nginx.crt |grep -A 2 Validity

Run on Mail Store Server as root user.

openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem |grep -A 2 Validity
openssl x509 -text -noout -in /opt/zimbra/mailboxd/etc/mailboxd.pem |grep -A 2 Validity

Run on MTA Server as root user.

openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem |grep -A 2 Validity
openssl x509 -text -noout -in /opt/zimbra/conf/smtpd.crt |grep -A 2 Validity
Jump to: navigation, search