Installing a Gandi Commercial Certificate on ZCS

This article applies to the following ZCS versions: ZCS 7.0, ZCS 6.0.

Run everything below as root.

  • First copy all your Gandi certificates to a working directory, for instance /tmp/gandi

Gandi is not a top-level Certificate Authority, so we need some extra certificates:

       aptitude install ca-certificates

  • Create a bundle from the USERTrust (UTN) root CA file and the Gandi CA file
       cd /tmp/gandi
       cat /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem GandiStandardSSLCA.pem > GandiBundle.pem

  • Back up the SSL commercial directory, then empty it
       cd /opt/zimbra/ssl/zimbra/commercial/
       tar -czvf /tmp/ssl.commercial.tar.gz *
       rm *

  • Copy the required files into the directory /opt/zimbra/ssl/zimbra/commercial/
        # commercial.csr (the certificate signing request that you sent to Gandi)
        cp /tmp/gandi/ commercial.csr
        # commercial.key ( your private key )
        cp /tmp/gandi/ commercial.key
        # commercial_ca.crt( bundle created above ) 
        cp /tmp/gandi/GandiBundle.pem commercial_ca.crt
        # Verify our Gandi Certificate against the private key
        /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key /tmp/gandi/ 
        ** Verifying /tmp/gandi/ against commercial.key
        Certificate (/tmp/gandi/ and private key (commercial.key) match.
        Valid Certificate: /tmp/gandi/ OK
        # Verify our Gandi Certificate against the Certificate Authority Chain
        /opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt /tmp/gandi/ 
        Valid Certificate Chain: /tmp/gandi/ OK
        # Deploy our Gandi Certificate
        /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/gandi/ commercial_ca.crt 
        ** Verifying /tmp/gandi/ against /opt/zimbra/ssl/zimbra/commercial/commercial.key
        Certificate (/tmp/gandi/ and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
        Valid Certificate: /tmp/gandi/ OK
        ** Copying /tmp/gandi/ to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
        ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
        cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
        ** Saving server config key zimbraSSLCertificate...failed.
        ** Saving server config key zimbraSSLPrivateKey...failed.
        ** Installing mta certificate and key...done.
        ** Installing slapd certificate and key...done.
        ** Installing proxy certificate and key...done.
        ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
        ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
        ** Installing CA to /opt/zimbra/conf/ca...done.
  • Restart Zimbra and watch the logs:
        /etc/init.d/zimbra restart ;  tail -f /opt/zimbra/log/*.log

  • If the log shows
        cause: PKIX path building failed: unable to find valid certification path to requested target
    install the Gandi SSL CA in the Java keystore ( according to Thanks Yvon ! ):

        /opt/zimbra/java/bin/keytool -alias GandiStandardSSLCA -importcert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/gandi/GandiStandardSSLCA.pem
  • Gandi people, if you read this, please send me a t-shirt :) You can contact me via the talk page.
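
The two zmcertmgr verification steps above (certificate against private key, certificate against the CA bundle) can be cross-checked with plain openssl before deploycrt is run. The script below is an added example, not part of the original article or of Zimbra's tooling; the function names are hypothetical, and the key-permission check is an extra step the article does not perform. Arguments are the private key, the server certificate and the CA bundle.

```bash
#!/bin/bash
# Added example, not part of the original article: independent openssl checks
# to run in the staging directory before zmcertmgr deploycrt.

# Print the PEM public key held in a certificate (crt), private key (key) or CSR (csr).
pubkey_pem() {
    case "$1" in
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Succeed only if both files parse and carry the same public key.
same_key() {
    local a b
    a=$(pubkey_pem "$1" "$2") || return 1
    b=$(pubkey_pem "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if the certificate chains to a CA in the bundle (root + intermediate).
chain_ok() {
    local out
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    [ "$out" = "$2: OK" ]
}

# Succeed only if the private key file has no group/other permission bits set.
key_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; arguments: private key, server certificate, CA bundle.
predeploy_check() {
    local rc=0
    same_key key "$1" crt "$2" || { echo "FAIL: certificate does not match $1"; rc=1; }
    chain_ok "$3" "$2"         || { echo "FAIL: $2 does not chain to $3"; rc=1; }
    key_private "$1"           || { echo "FAIL: $1 is readable by group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: safe to deploy $2"
    return "$rc"
}

if [ "$#" -eq 3 ]; then predeploy_check "$@"; fi
```

same_key also accepts csr as a kind, so the CSR sent to Gandi can be compared with the returned certificate. The permission check is equally relevant to /tmp/ssl.commercial.tar.gz from the backup step, which holds whatever key was in the commercial directory.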

Verified Against: unknown Date Created: 2/1/2010
Article ID: Date Modified: 2015-03-30
