Self-Signed-CA-SSL-CRT
Revision as of 07:16, 11 June 2013
== Self-signed SSL certificates with a CA valid for 10 years in a multi-server setup ==
'''On the LDAP master, as root, edit /opt/zimbra/bin/zmcertmgr, search for "validation_days", change the default to the lifetime you want, then save and exit.''' This default is what createca uses for the CA lifetime: in this version of the script createca takes no -days switch (createcrt does, and it is passed explicitly below). Two caveats: 3660 days is a week longer than ten years, as the notAfter dates further down show, and the edit lives in a script that package upgrades overwrite, so re-check it after patching.
 [root@v01 ~]# nano /opt/zimbra/bin/zmcertmgr
 [root@v01 ~]# cat /opt/zimbra/bin/zmcertmgr |grep validation_days
 validation_days=3660
 -days ${validation_days}
 validation_days=$1
 echo "Validation days: $validation_days"
 -days ${validation_days}
 # -days ${validation_days} -CAserial ${zimbra_ca_srl}
 echo "- Default <validation_days> is 365. "
 [root@v01 ~]#
'''Back up the old CA and certificates, then create a new CA with a 2048-bit key; its lifetime (10 years, 3660 days) comes from the validation_days default set above.'''
 [root@v01 ~]# mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old
 [root@v01 ~]# /opt/zimbra/bin/zmcertmgr createca -new -keysize 2048 -subject "/C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com"
 ** Creating directory /opt/zimbra/ssl/zimbra
 ** Creating directory /opt/zimbra/ssl/zimbra/ca
 ** Creating directory /opt/zimbra/ssl/zimbra/server
 ** Creating directory /opt/zimbra/ssl/zimbra/commercial
 ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
 ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
 ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
 [root@v01 ~]#
'''Deploy the CA locally.''' Besides importing it into the local trust store this writes the CA certificate and key into LDAP global config, which is where the other servers can fetch it from.
 [root@v01 ~]# /opt/zimbra/bin/zmcertmgr deployca -locally
 ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
 ** Saving global config key zimbraCertAuthorityCertSelfSigned...done.
 ** Saving global config key zimbraCertAuthorityKeySelfSigned...done.
 ** Copying CA to /opt/zimbra/conf/ca...done.
 [root@v01 ~]#
'''Create the self-signed certificate, valid for 10 years (3660 days) with a 2048-bit key. In a multi-server setup list every host name that will present the certificate in -subjectAltNames: clients match the name they connected to against the SAN list, not against the wildcard CN.'''
 [root@v01 ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3660 -keysize 2048 -subject "/C=DE/ST=New-York/L=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com" -subjectAltNames "v01.vinay.com,v01store1.vinay.com"
 Validation days: 3660
 ** Creating /opt/zimbra/conf/zmssl.cnf...done
 ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214030428
 ** Generating a server csr for download self -new -keysize 2048
 ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214030428
 ** Retrieving Commercial CA cert from ldap...done.
 ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 ** Saving server config key zimbraSSLPrivateKey...done.
 ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 [root@v01 ~]#
'''createcrt leaves an empty commercial_ca.crt behind. It is unused in a self-signed deployment and can be removed.'''
 [root@v01 ~]# rm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
 rm: remove regular empty file `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'? y
 [root@v01 ~]#
'''Deploy the self-signed certificate generated above.''' This installs the same key and certificate for the MTA, LDAP (slapd), the proxy and mailboxd (via a PKCS#12 file and the Jetty keystore).
 [root@v01 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
 ** Saving server config key zimbraSSLCertificate...done.
 ** Saving server config key zimbraSSLPrivateKey...done.
 ** Installing mta certificate and key...done.
 ** Installing slapd certificate and key...done.
 ** Installing proxy certificate and key...done.
 ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
 ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
 ** Installing CA to /opt/zimbra/conf/ca...done.
 [root@v01 ~]#
'''Restart the Zimbra services for the new CA and certificate to take effect (zmcontrol restart, or a stop followed by a start as below).'''
 [root@v01 ~]# su - zimbra -c "zmcontrol stop ; zmcontrol start"
 Host v01.vinay.com
 	Stopping zmconfigd...Done.
 	Stopping stats...Done.
 	Stopping mta...Done.
 	Stopping spell...Done.
 	Stopping snmp...Done.
 	Stopping cbpolicyd...Done.
 	Stopping archiving...Done.
 	Stopping antivirus...Done.
 	Stopping antispam...Done.
 	Stopping imapproxy...Done.
 	Stopping memcached...Done.
 	Stopping mailbox...Done.
 	Stopping convertd...Done.
 	Stopping logger...Done.
 	Stopping ldap...Done.
 Host v01.vinay.com
 	Starting ldap...Done.
 	Starting zmconfigd...Done.
 	Starting logger...Done.
 	Starting convertd...Done.
 	Starting mailbox...Done.
 	Starting memcached...Done.
 	Starting imapproxy...Done.
 	Starting antispam...Done.
 	Starting antivirus...Done.
 	Starting archiving...Done.
 	Starting snmp...Done.
 	Starting spell...Done.
 	Starting mta...Done.
 	Starting stats...Done.
 [root@v01 ~]#
'''Now verify the certificate status.''' Every service should report the same notBefore/notAfter pair, the new CA as issuer and the complete SubjectAltName list; a service still showing the old dates was not restarted. /opt/zimbra/bin/zmcertmgr verifycrt self additionally checks that the deployed key, certificate and CA belong together.
 [root@v01 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
 ::service mta::
 notBefore=Feb 14 11:04:37 2012 GMT
 notAfter=Feb 21 11:04:37 2022 GMT
 subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 SubjectAltName= v01.vinay.com, v01store1.vinay.com
 ::service proxy::
 notBefore=Feb 14 11:04:37 2012 GMT
 notAfter=Feb 21 11:04:37 2022 GMT
 subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 SubjectAltName= v01.vinay.com, v01store1.vinay.com
 ::service mailboxd::
 notBefore=Feb 14 11:04:37 2012 GMT
 notAfter=Feb 21 11:04:37 2022 GMT
 subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 SubjectAltName= v01.vinay.com, v01store1.vinay.com
 ::service ldap::
 notBefore=Feb 14 11:04:37 2012 GMT
 notAfter=Feb 21 11:04:37 2022 GMT
 subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 SubjectAltName= v01.vinay.com, v01store1.vinay.com
 [root@v01 ~]#
'''Verify the CA itself with openssl.''' Note what this version of zmcertmgr produced: an X.509 version 1 certificate (so no basicConstraints extension marking it as a CA) signed with SHA-1. Zimbra's own components accept it, but current browsers and TLS libraries reject SHA-1 signatures and stricter validators will not treat a v1 certificate as a CA, so do not expect external clients to trust it. Where that matters, use a SHA-256 digest if your zmcertmgr supports the -digest switch, or a commercial certificate.
 [root@v01 ~]# openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem
 Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number:
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=DE, ST=New-York, L=New-York, O=zimbra, OU=ZimbraGlobalSupport, CN=*.vinay.com
         Validity
             Not Before: Feb 14 11:03:00 2012 GMT
             Not After : Feb 21 11:03:00 2022 GMT
         Subject: C=DE, ST=New-York, L=New-York, O=zimbra, OU=ZimbraGlobalSupport, CN=*.vinay.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (2048 bit)
                 Modulus (2048 bit):
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha1WithRSAEncryption
 [root@v01 ~]#
'''Copy the CA from the LDAP master to every other server and deploy it there.''' Two things to be aware of before running this: the rm -rf deletes the store's current server key and certificate outright (the mv into zimbra_old used on the master is the recoverable form of the same step), and the scp copies the CA private key (ca.key) together with the certificate, so every store then holds a key that can sign certificates trusted across the whole deployment. Keep it readable by root only and treat each store as part of the CA's trust boundary. (The self-signed CA key is also kept in LDAP global config, as the zimbraCertAuthorityKeySelfSigned line above shows.)
 [root@v01store1 ~]# rm -rf /opt/zimbra/ssl/zimbra/ca/* ; rm -rf /opt/zimbra/ssl/zimbra/server/*
 [root@v01store1 ~]# scp -r root@10.112.233.171://opt/zimbra/ssl/zimbra/ca/* /opt/zimbra/ssl/zimbra/ca/
 root@10.112.233.171's password:
 ca.csr                                        100% 1082     1.1KB/s   00:00
 ca.key                                        100% 1708     1.7KB/s   00:00
 ca.pem                                        100% 1265     1.2KB/s   00:00
 ca.srl                                        100%   11     0.0KB/s   00:00
 ca.srl.old                                    100%   11     0.0KB/s   00:00
 index.txt                                     100%  101     0.1KB/s   00:00
 index.txt.attr                                100%   21     0.0KB/s   00:00
 index.txt.old                                 100%    0     0.0KB/s   00:00
 1329217468.pem                                100% 1326     1.3KB/s   00:00
 zmssl.cnf                                     100% 7702     7.5KB/s   00:00
 [root@v01store1 ~]#
 [root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr deployca
 ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
 ** Copying CA to /opt/zimbra/conf/ca...done.
 [root@v01store1 ~]#
'''Create and deploy the certificate on the store.''' The steps are the same as on the master: createcrt with the full SAN list, remove the empty commercial_ca.crt, then deploycrt self.
 [root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3660 -keysize 2048 -subject "/C=DE/ST=New-York/L=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com" -subjectAltNames "v01.vinay.com,v01store1.vinay.com"
 Validation days: 3660
 ** Creating /opt/zimbra/conf/zmssl.cnf...done
 ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214172721
 ** Generating a server csr for download self -new -keysize 2048
 ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120214172721
 ** Retrieving Commercial CA cert from ldap...done.
 ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 ** Saving server config key zimbraSSLPrivateKey...done.
 ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
 [root@v01store1 ~]#
 [root@v01store1 ~]# rm /opt/zimbra/ssl/zimbra//commercial/commercial_ca.crt
 rm: remove regular empty file `/opt/zimbra/ssl/zimbra//commercial/commercial_ca.crt'? y
 [root@v01store1 ~]#
 [root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
 ** Saving server config key zimbraSSLCertificate...done.
 ** Saving server config key zimbraSSLPrivateKey...done.
 ** Installing mta certificate and key...done.
 ** Installing slapd certificate and key...done.
 ** Installing proxy certificate and key...done.
 ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
 ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
 ** Installing CA to /opt/zimbra/conf/ca...done.
 [root@v01store1 ~]#
'''Restart the Zimbra services on the store for the new certificate and CA to take effect.'''
 [root@v01store1 ~]# su - zimbra -c "zmcontrol stop ; zmcontrol start"
 Host v01store1.vinay.com
 	Stopping zmconfigd...Done.
 	Stopping stats...Done.
 	Stopping spell...Done.
 	Stopping snmp...Done.
 	Stopping cbpolicyd...Done.
 	Stopping archiving...Done.
 	Stopping antivirus...Done.
 	Stopping antispam...Done.
 	Stopping imapproxy...Done.
 	Stopping memcached...Done.
 	Stopping mailbox...Done.
 	Stopping convertd...Done.
 	Stopping logger...Done.
 Host v01store1.vinay.com
 	Starting zmconfigd...Done.
 	Starting logger...Done.
 	Starting convertd...Done.
 	Starting mailbox...Done.
 	Starting snmp...Done.
 	Starting spell...Done.
 	Starting stats...Done.
 [root@v01store1 ~]#
'''Verify the certificate status on the store.'''
 [root@v01store1 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
 ::service mta::
 notBefore=Feb 14 11:57:30 2012 GMT
 notAfter=Feb 21 11:57:30 2022 GMT
 subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 SubjectAltName= v01store1.vinay.com, v01.vinay.com
 ::service proxy::
 notBefore=Feb 14 11:57:30 2012 GMT
 notAfter=Feb 21 11:57:30 2022 GMT
 subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 SubjectAltName= v01store1.vinay.com, v01.vinay.com
 ::service mailboxd::
 notBefore=Feb 14 11:57:30 2012 GMT
 notAfter=Feb 21 11:57:30 2022 GMT
 subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 SubjectAltName= v01store1.vinay.com, v01.vinay.com
 ::service ldap::
 notBefore=Feb 14 11:57:30 2012 GMT
 notAfter=Feb 21 11:57:30 2022 GMT
 subject= /C=DE/ST=New-York/O=Zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 issuer= /C=DE/ST=New-York/L=New-York/O=zimbra/OU=ZimbraGlobalSupport/CN=*.vinay.com
 SubjectAltName= v01store1.vinay.com, v01.vinay.com
 [root@v01store1 ~]#
'''Verify that the CA deployed on the store is the one copied from the LDAP master.''' Issuer, subject and the validity dates must match the master's output exactly; a different Not Before means the store generated its own CA instead of using the copied one.
 [root@v01store1 ~]# openssl x509 -text -noout -in /opt/zimbra/ssl/zimbra/ca/ca.pem
 Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number:
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=DE, ST=New-York, L=New-York, O=zimbra, OU=ZimbraGlobalSupport, CN=*.vinay.com
         Validity
             Not Before: Feb 14 11:03:00 2012 GMT
             Not After : Feb 21 11:03:00 2022 GMT
         Subject: C=DE, ST=New-York, L=New-York, O=zimbra, OU=ZimbraGlobalSupport, CN=*.vinay.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (2048 bit)
                 Modulus (2048 bit):
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha1WithRSAEncryption
 [root@v01store1 ~]#
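The following script is an added example and is not part of this wiki page or of zmcertmgr. It reproduces the procedure above with plain openssl in a scratch directory (a CA, then one server certificate carrying several subjectAltNames signed by that CA), and then runs the checks worth doing on every node before trusting the deployment: chain validation, key/certificate match, SAN coverage for each host, time left before expiry, and the two properties the page's own output shows to be weak (SHA-1 signature, version 1 CA without basicConstraints). It goes beyond the page in that the CA it builds is an X.509 v3, SHA-256 signed CA. The host names (v01.example.test, v01store1.example.test), subjects and the scratch directory are assumptions; point the check functions at /opt/zimbra/ssl/zimbra/ca/ca.pem and /opt/zimbra/ssl/zimbra/server/server.{key,crt} to run them against a real Zimbra node.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki page or zmcertmgr): build a CA and a
# SAN server cert with plain openssl, then verify them the way an operator
# should verify a zmcertmgr deployment. Host names and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch dir, left in place for inspection
CA_DAYS=3660                          # the lifetime the page uses
CRT_DAYS=3660
HOSTS="v01.example.test v01store1.example.test"   # assumed multi-server names

# CA the way a modern client expects it: v3, basicConstraints CA:TRUE, SHA-256
# (the page's zmcertmgr CA is v1 and SHA-1 signed).
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
O  = Example Mail
OU = Zimbra
CN = Example Mail internal CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days "$CA_DAYS" -key "$WORK/ca.key" \
    -config "$WORK/ca.cnf" -out "$WORK/ca.pem" 2>/dev/null
}

# One server key + CSR, signed by the CA with every host in the SAN list
# (the equivalent of createcrt -subjectAltNames "host1,host2").
make_server_cert() {
  san=""
  for h in $HOSTS; do san="${san:+$san,}DNS:$h"; done
  printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' \
    "$san" > "$WORK/san.cnf"
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/server.key" \
    -subj "/O=Example Mail/CN=${HOSTS%% *}" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$CRT_DAYS" -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# --- checks: each returns 0 on success so they compose in scripts -----------
# verify_chain <ca.pem> <server.crt>: the leaf must chain to the CA we distribute.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches_cert <key> <crt>: compare RSA modulus fingerprints.
key_matches_cert() {
  k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# san_covers_host <crt> <host>: clients ignore the CN once a SAN list is present.
san_covers_host() {
  openssl x509 -noout -text -in "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# valid_for_days <crt> <days>: fails if the cert expires within <days> (alert threshold).
valid_for_days() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; }

# Reject the legacy properties visible in the page's openssl output.
signed_with_sha256() { openssl x509 -noout -text -in "$1" | grep -q 'sha256WithRSAEncryption'; }
is_proper_ca()       { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }

# check <label> <command...>: print a verdict and count failures.
check() {
  label=$1; shift
  if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

run_all_checks() {
  fails=0
  check "CA has basicConstraints CA:TRUE" is_proper_ca "$WORK/ca.pem"
  check "CA signed with SHA-256"          signed_with_sha256 "$WORK/ca.pem"
  check "server cert chains to CA"        verify_chain "$WORK/ca.pem" "$WORK/server.crt"
  check "server key matches cert"         key_matches_cert "$WORK/server.key" "$WORK/server.crt"
  for h in $HOSTS; do check "SAN covers $h" san_covers_host "$WORK/server.crt" "$h"; done
  check "more than 30 days left"          valid_for_days "$WORK/server.crt" 30
  [ "$fails" -eq 0 ]
}

make_ca
make_server_cert
run_all_checks
```

On a Zimbra node the interesting calls are `verify_chain /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/ssl/zimbra/server/server.crt` and `san_covers_host /opt/zimbra/ssl/zimbra/server/server.crt "$(hostname -f)"`; run the latter on every store, since a host missing from the SAN list fails silently until a client connects to it by that name. `valid_for_days ... 30` is the check to put in monitoring, because a certificate issued for 3660 days will otherwise be forgotten until it expires.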