Installing a Verisign Test Certificate
|This article applies to the following ZCS versions.|
Instructions on how to install a 15 day free trial Verisign Certificate on Zimbra Server:
- Go to http://www.verisign.com/ and select "Free SSL Trial".
- Fill out the form on the Free SSL Trial Certificate Page and click Continue
- Open a new browser window and create CSR through Zimbra Admin Console. Login to the Admin Console, click Certificates -> Install Certificate Button -> Select Target Server -> Select Generate the CSR for the commercial certificate authorizer -> create the CSR and download and save the CSR file
- Go back to verisign Free Trial SSL page and continue, fill out the required technical contact.
- When you are asked by Verisign abou the CSR, open your saved CSR file and copy paste the content to Verisign page
- Once you successfully submit your CSR, a trial Certificate will be created by Verisign and emailed to you.
- Once you receive the certificate, save it, say verisign_free_trial.crt
- Get the verisign Root CA for the certificate you just got and save it as root.ca. To get the root CA, go to http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html.
- Get the verisign Intermediate CA for the certificate you just got and save it as intermediate.ca. To get the intermediate CA, go to http://www.verisign.com/support/verisign-intermediate-ca/trial-secure-server-intermediate/index.html
- Go back to Admin Console and launch the Install Certificate wizard, pick the "Install the commercially signed certificate". When you are prompted to upload the certificate, select verisign_free_trial.crt as Certificate, root.ca as Root CA, and intermediate.ca as Intermediate CA.
- Click Next and then Install. Your Commercial Certificate will be installed successfully.
- Restart the zimbra server.
If Zimbra doesn't come up after the restart, chances are that you have error messages like the following in your logs:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertP athBuilderException: unable to find valid certification path to requested target
The culprit is the missing CA for the VeriSign Trial Secure Server Test Root CA. You can import the CA with the following command:
# /opt/zimbra/java/bin/keytool -import -alias <ALIAS> -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <PASSWORD> -file /opt/zimbra/conf/ca/commercial_ca.pem