Zimbra :: Tech Center - User contributions by JpMaxMan (Atom feed https://wiki.zimbra.com/api.php?action=feedcontributions&user=JpMaxMan&feedformat=atom, MediaWiki 1.39.0, fetched 2024-03-29)

Installing DigiCert commercial certificates (revision by JpMaxMan, 2011-12-11, https://wiki.zimbra.com/index.php?title=Installing_DigiCert_commercial_certificates&diff=37150)
<hr />
<div>{{Article Infobox|{{admin}}|{{ZCS 6.0}}|{{ZCS 5.0}}|}}<br />
<br />
== Zimbra CSR == <br />
<br />
To generate the certificate signing request (CSR) run the following command (all commands in this article are run as ''root'' from an arbitrary work directory):<br />
<br />
<code><br />
/opt/zimbra/bin/zmcertmgr createcsr comm -subject '/C=FR/ST=N\/A/L=N\/A/O=Your Company/OU=Your Department/CN=webmail.foo.com'<br />
</code> <br />
<br />
The CSR is written to ''/opt/zimbra/ssl/zimbra/commercial/commercial.csr''.<br />
<br />
The matching private key is written to ''/opt/zimbra/ssl/zimbra/commercial/commercial.key''. Treat it as a secret: whoever holds it can impersonate the server, so it must never leave the host or be sent to the CA (only the CSR is). Add ''-new'' to ''createcsr'' to generate a fresh key pair instead of signing the request with an existing ''commercial.key''; if you do that after the order has been placed, the issued certificate will no longer match the key. Use real organisation and location values in the subject, since DigiCert validates them (the escaped ''N\/A'' in the example only shows how a slash has to be written inside a field).<br />
<br />
Use the flag "''-subjectAltNames host1,host2''" if you need to cover host aliases; list the CN host name there as well, because clients match the name against the subjectAltName extension rather than the CN.<br />
<br />
Check the CSR before submitting it (''-verify'' checks its self-signature, ''-text'' prints the subject and any subjectAltName extension):<br />
<br />
<code><br />
/opt/zimbra/openssl/bin/openssl req -noout -text -verify -in /opt/zimbra/ssl/zimbra/commercial/commercial.csr<br />
</code><br />
<br />
<br />
== Certificates ==<br />
<br />
Buy the certificate at http://www.digicert.com (create a customer account first if you do not have one) and paste the contents of the CSR file when asked. Note that the price depends on the number of host names (aliases) in your CSR.<br />
<br />
Fill in the organisation address (it must agree with the domain's registered owner) and a valid contact e-mail address.<br />
<br />
After the payment is approved a validation e-mail is sent to that address; once all the details check out, the certificates are issued and sent to the same address in a ZIP file.<br />
<br />
The ZIP file contains four certificates:<br />
<br />
* a - The site certificate corresponding to the CSR (host_name_com.crt)<br />
* b - DigiCert's CA certificate (DigiCertCA.crt)<br />
* c - DigiCert's High Assurance CA (DigiCertCA2.crt)<br />
* d - Trusted Root certificate (TrustedRoot.crt)<br />
<br />
Check that every file ends with a newline; if in doubt, append an empty line to each. Without it, the concatenation below puts the ''-----END CERTIFICATE-----'' line of one file and the ''-----BEGIN CERTIFICATE-----'' line of the next on a single line, and the second certificate is silently ignored.<br />
<br />
== File preparation ==<br />
<br />
- Copy the server certificate to the file<br />
<br />
<code><br />
commercial.crt<br />
</code><br />
<br />
- Concatenate DigiCert's CA certificate, DigiCert's High Assurance CA certificate and the "''Trusted Root''" certificate, in that order (the issuer of the server certificate first, the root last), into a single file named commercial_ca.crt:<br />
<br />
<code><br />
cat DigiCertCA.crt DigiCertCA2.crt TrustedRoot.crt > commercial_ca.crt<br />
</code><br />
<br />
* Note: when using the web admin interface you must still perform the concatenation above and upload the combined file as the "root" certificate; uploading the three files individually into the admin form does not work.<br />
<br />
- Validate the trust chain with the command:<br />
<code><br />
/opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt<br />
</code><br />
<br />
It should print "''commercial.crt: OK''". Any other output (typically ''unable to get local issuer certificate'') means a CA certificate is missing, out of order or damaged; fix that before deploying.<br />
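The file preparation and chain check above, as an added example that is not part of the wiki page: a POSIX shell script that builds ''commercial_ca.crt'' while guaranteeing every input file ends with a newline, counts the certificates the bundle holds, verifies the chain with openssl and checks that ''commercial.crt'' belongs to the private key ''zmcertmgr createcsr'' generated. The ''OPENSSL'' variable and the function names are the example's own; file names follow the article.

```shell
#!/bin/sh
# Added example, not from the wiki: prepare and check the files handed to
# "zmcertmgr deploycrt comm commercial.crt commercial_ca.crt".
# OPENSSL defaults to the system binary; on a Zimbra host use the bundled one:
#   OPENSSL=/opt/zimbra/openssl/bin/openssl
OPENSSL=${OPENSSL:-openssl}

# count_pem_certs FILE: number of "-----BEGIN CERTIFICATE-----" lines in FILE.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_ca_bundle OUT CA1 [CA2 ...]
# Concatenates the CA certificates in chain order (the issuer of the server
# certificate first, the trusted root last). If an input file has no final
# newline one is added; otherwise "-----END CERTIFICATE-----" and the next
# "-----BEGIN CERTIFICATE-----" share a line and PEM parsers silently skip
# the second certificate.
build_ca_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    # command substitution strips trailing newlines, so the result is empty
    # exactly when the last byte of the file is a newline
    [ -z "$(tail -c1 "$f")" ] || printf '\n' >> "$out"
  done
}

# verify_chain CERT CA_BUNDLE: succeeds if CERT chains up to a root in
# CA_BUNDLE (the article's "openssl verify -CAfile commercial_ca.crt commercial.crt").
verify_chain() {
  "$OPENSSL" verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds if the public key embedded in CERT was
# derived from the RSA private key KEY. deploycrt pairs commercial.crt with
# /opt/zimbra/ssl/zimbra/commercial/commercial.key; if the CSR was regenerated
# with "createcsr comm -new" after the order was placed, they no longer match.
key_matches_cert() {
  k=$("$OPENSSL" rsa -in "$1" -pubout 2>/dev/null) || return 1
  c=$("$OPENSSL" x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Typical use in the work directory holding the unpacked DigiCert ZIP:
#   cp host_name_com.crt commercial.crt
#   build_ca_bundle commercial_ca.crt DigiCertCA.crt DigiCertCA2.crt TrustedRoot.crt
#   echo "bundle holds $(count_pem_certs commercial_ca.crt) certificates"   # expect 3
#   verify_chain commercial.crt commercial_ca.crt && echo "commercial.crt: OK"
#   key_matches_cert /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt \
#     && echo "key and certificate match"
```

''key_matches_cert'' uses ''openssl rsa'' rather than ''openssl pkey'' so that it also works with the OpenSSL 0.9.8 that ZCS 5 and 6 bundle under /opt/zimbra/openssl; it therefore only handles RSA keys, which is what ''zmcertmgr createcsr'' produced at the time.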
<br />
== Deploy certificates ==<br />
<br />
Deploy the new certificates with:<br />
<code><br />
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt<br />
</code><br />
<br />
then restart Zimbra (''zmcontrol restart'' as the ''zimbra'' user) and confirm from outside the host that the new chain is being served, for example with ''openssl s_client -connect webmail.foo.com:443 -showcerts''.<br />
<br />
{{Article Footer|unknown|6/16/2010}}<br />
<br />
[[Category:Certificates]]<br />
[[Category:ZCS 6.0]]<br />
[[Category:ZCS 5.0]]</div>

Split DNS (revision by JpMaxMan, 2008-05-11, https://wiki.zimbra.com/index.php?title=Split_DNS&diff=8635)
<hr />
<div>= Overview =<br />
Installations of Zimbra behind a firewall often require the creation of some form of split DNS. This is because the Postfix mail system used by Zimbra performs a DNS lookup when attempting to route email to the back-end message store. Frequently, this is the same physical host as Postfix. The DNS server frequently returns the external address of the mail host, not the internal address. Depending on how the firewall and network are configured, the external address may not even be reachable from the mail host, and mail will not be delivered.<br />
<br />
A Split DNS avoids this problem by providing an internal DNS server that can be used to resolve the internal address of the server. This guide will detail how to set up a very specific, single-host DNS server that can be installed on the Zimbra host itself so that it can resolve its own address. This should not be used for a multi-node Zimbra installation, and should not be used as the DNS server for any other hosts on your network.<br />
<br />
= Configuring Bind on the Zimbra Server (Red Hat Enterprise Linux) =<br />
1. Use up2date to download bind from Red Hat Network.<br />
# up2date bind<br />
<br />
2. Edit /etc/named.conf. (Substitute your fully-qualified server name for '''server.example.com''' throughout. If named runs chrooted in /var/named/chroot, put the file at /var/named/chroot/etc/named.conf and make /etc/named.conf a symbolic link to it.)<br />
// Default named.conf generated by install of bind-9.2.4-2<br />
options {<br />
directory "/var/named";<br />
dump-file "/var/named/data/cache_dump.db";<br />
statistics-file "/var/named/data/named_stats.txt";<br />
// This server exists only so the Zimbra host can resolve itself: listen on<br />
// loopback only and refuse queries and recursion from any other address,<br />
// so it cannot be reached from the network or abused as an open resolver.<br />
listen-on { 127.0.0.1; };<br />
allow-query { localhost; };<br />
allow-recursion { localhost; };<br />
forwarders { <address of current DNS server> ; };<br />
};<br />
include "/etc/rndc.key";<br />
// We are the master server for server.example.com<br />
zone "server.example.com" {<br />
type master;<br />
file "db.server.example.com";<br />
};<br />
Set the forwarders to the DNS servers your system uses today; named forwards to them every query for a name it is not authoritative for.<br />
<br />
3. Create the zone file /var/named/db.server.example.com. (If named runs chrooted in /var/named/chroot, put it at /var/named/chroot/var/named/db.server.example.com and make /var/named/db.server.example.com a symbolic link to it.)<br />
<br />
$TTL 86400<br />
;<br />
; Addresses and other host information.<br />
;<br />
@ IN SOA server.example.com. hostmaster.server.example.com. (<br />
10118 ; Serial (increase it on every change)<br />
43200 ; Refresh<br />
3600 ; Retry<br />
3600000 ; Expire<br />
2592000 ) ; Minimum<br />
; Define the nameserver and the mail server. An NS target must be a host<br />
; name, never an IP address; the A record below supplies its address.<br />
IN NS server.example.com.<br />
IN A <internal address of server><br />
IN MX 10 server.example.com.<br />
<br />
<br />
4. Change /etc/resolv.conf so that the Zimbra server itself (''nameserver 127.0.0.1'') is the first nameserver. Also remember to change the search path to the name of the Zimbra server.<br />
<br />
5. Start named on the zimbra server<br />
# /etc/init.d/named start<br />
<br />
6. Enable autostart of named on boot<br />
# chkconfig named on<br />
<br />
You can verify that this is working with 'nslookup server.example.com' or 'dig @127.0.0.1 server.example.com'. It should return the internal address of your server instead of the external address, which also lets Postfix deliver mail to your mailboxes.<br />
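Steps 2 to 6 above, as an added example that is not part of the wiki page: a POSIX shell script that writes the single-host zone file from the server name and its internal address, and lints a zone file for the mistakes hand-written zones of this kind usually contain (an NS record whose target is an IP address, a missing $TTL directive, NS or MX targets without a trailing dot). The host name and address are placeholders, the function names are the example's own, and the SOA timer values are copied from the article.

```shell
#!/bin/sh
# Added example, not from the wiki: generate the single-host split-horizon
# zone file and lint a zone file for common hand-editing mistakes.
# The host name and internal address passed in are placeholders.

# is_ipv4 STRING: succeeds if STRING is a dotted-quad IPv4 address.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# write_zone HOST INTERNAL_IP OUTFILE
# Emits the article's zone with a $TTL directive, a date-based serial and an
# NS record that names the host (an NS target must be a host name; the apex
# A record supplies its address). Timer values are the article's.
write_zone() {
  host=$1 ip=$2 out=$3
  is_ipv4 "$ip" || { echo "write_zone: '$ip' is not an IPv4 address" >&2; return 1; }
  serial=$(date +%Y%m%d01)   # YYYYMMDDnn: bump nn for further edits on one day
  cat > "$out" <<EOF
\$TTL 86400
;
; Addresses and other host information for $host (generated)
;
@ IN SOA $host. hostmaster.$host. (
$serial ; Serial
43200 ; Refresh
3600 ; Retry
3600000 ; Expire
2592000 ) ; Minimum
; Define the nameserver and the mail server
IN NS $host.
IN A $ip
IN MX 10 $host.
EOF
}

nl='
'
add_problem() { problems="$problems$1$nl"; }

# lint_zone ZONEFILE
# Prints one line per problem and fails if any were found. Checks: a $TTL
# directive is present; no NS target is an IP address; NS and MX targets are
# fully qualified (trailing dot), otherwise BIND appends the zone origin.
lint_zone() {
  zf=$1
  problems=""
  grep -q '^\$TTL' "$zf" || add_problem "missing \$TTL directive"
  # strip comments, then take the target (last field) of every NS/MX record
  targets=$(sed 's/;.*//' "$zf" |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "NS" || $i == "MX") print $i, $NF }')
  while read -r type target; do
    [ -n "$type" ] || continue
    if [ "$type" = NS ] && is_ipv4 "$target"; then
      add_problem "NS target is an IP address: $target"
    else
      case $target in
        *.) ;;
        *) add_problem "$type target not fully qualified (no trailing dot): $target" ;;
      esac
    fi
  done <<EOF
$targets
EOF
  [ -z "$problems" ] && return 0
  printf '%s' "$problems"
  return 1
}

# Typical use on the Zimbra host (paths as in the article):
#   write_zone server.example.com 10.0.0.5 /var/named/db.server.example.com
#   lint_zone /var/named/db.server.example.com && echo "zone looks sane"
#   dig @127.0.0.1 server.example.com A +short   # expect 10.0.0.5 once named runs
```

''lint_zone'' reads only the file, so it can be run before ''named'' is started or on a host without BIND's ''named-checkzone''; where that tool is available it is the authoritative syntax check and should be run as well.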
<br />
If you have a number of servers inside the firewall that need to use internal addresses to communicate to each other, you should consider setting up a full internal DNS server that can be authoritative for the whole domain. This example is not suitable for this task.<br />
<br />
For information on performing the same task with TinyDNS / DJBDNS: http://www.fefe.de/djbdns/#splithorizon<br />
<br />
Additional Information: Zimbra Power Tip: http://www.zimbra.com/blog/archives/2007/06/making_zimbra_bind_work_together_1.html<br />
<br />
{{Article Footer|unknown|10/5/2006}}<br />
<br />
[[Category:Troubleshooting]]</div>