Installing a GoDaddy Commercial Certificate
This article applies to the following ZCS versions.
This article covers importing and installing a GoDaddy commercial certificate on a ZCS 5.0.x server and on a 4.5.x server.
This article is written for installations that meet the following prerequisites.
- This is a new certificate.
- You generated the CSR via the Administration Console.
- You sent the CSR to get it signed.
- Download the following files from https://certs.godaddy.com/Repository.go
- The /opt/zimbra/ssl/zimbra/commercial has two files:
If your certificate does not meet the above prerequisites, the following installation instructions may not work.
Also, if you generated the CSR using the openssl utility or the instructions provided by GoDaddy, you will need to manually copy the files to the /opt/zimbra/ssl/zimbra/commercial path with the proper names: commercial.key for the key, commercial.crt for the cert, commercial.csr for the CSR, and commercial_ca.crt for the root certificate.
You can install the certificate by logging in to the Administration Console and uploading the following files.
- Signed Certificate - <server_name>.crt
- RootCA - gd-class2-root.crt
- Intermediate - gd-bundle.crt
Once you have uploaded these files, restart Zimbra services.
Command line Instructions
If installing the certificate from the Administration Console fails, use these steps to install it from the command line.
1) mkdir /root/certs and place the cert files in there
2) cat gd_cross_intermediate.crt gd_intermediate.crt gd-class2-root.crt >> /root/certs/commercial_ca.crt
or rename gd_bundle.crt (given by GoDaddy when downloading certificate) to commercial_ca.crt.
3) Verify the certificate
cd /root/certs
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./<server_name>.crt ./commercial_ca.crt
4) Deploy the cert
cd /root/certs
/opt/zimbra/bin/zmcertmgr deploycrt comm ./<server_name>.crt ./commercial_ca.crt
5) Restart the zimbra services
su - zimbra
zmcontrol stop
zmcontrol start
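Added example, not part of the original article or of Zimbra's tooling: a structural check of the commercial_ca.crt built in step 2, to run before the verify in step 3. Because step 2 uses cat with >>, a source file without a trailing newline fuses the END and BEGIN markers onto one line, and running the step twice appends every certificate again. The function name check_ca_bundle is hypothetical; it checks PEM structure only, so zmcertmgr verifycrt is still needed for the cryptographic check.

```sh
#!/bin/sh
# Added example: structural check of a concatenated PEM CA bundle.
# check_ca_bundle is a hypothetical helper name, not a Zimbra command.
# Return status: 0 = well-formed, 1 = malformed or unreadable, 2 = duplicate certificate.
# Usage: check_ca_bundle /root/certs/commercial_ca.crt

check_ca_bundle() {
    bundle=$1
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    awk '
        { sub(/\r$/, "") }    # tolerate files saved with CRLF line endings
        # cat of a file with no trailing newline leaves both markers on one line
        /-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----/ {
            printf "line %d: END and BEGIN markers fused (missing trailing newline)\n", NR
            bad = 1; next
        }
        $0 == "-----BEGIN CERTIFICATE-----" {
            if (inside) { printf "line %d: BEGIN inside an open block\n", NR; bad = 1 }
            inside = 1; body = ""; next
        }
        $0 == "-----END CERTIFICATE-----" {
            if (!inside) { printf "line %d: END without BEGIN\n", NR; bad = 1; next }
            inside = 0; count++
            # identical base64 bodies mean the same certificate was appended twice
            if (body in seen) { printf "line %d: duplicate of certificate %d\n", NR, seen[body]; dup = 1 }
            else seen[body] = count
            next
        }
        inside { body = body $0 }
        END {
            if (inside) { print "unterminated certificate block at end of file"; bad = 1 }
            if (count == 0) { print "no certificates found"; bad = 1 }
            printf "%d certificate(s) in bundle\n", count
            exit (bad ? 1 : (dup ? 2 : 0))
        }
    ' "$bundle"
}
```

A status of 1 or 2 means commercial_ca.crt should be rebuilt from the downloaded files, writing to a fresh file, before continuing.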
(You will be prompted for passwords. Use zimbra for all passwords)
1. Create keystore:
su - zimbra
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore
2. Create CSR (you are creating the commercial.csr file):
keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore
Note: when it asks you for your first and last name use the common name of your server. For example, if you will ultimately use zimbra.company.com as the URL then that is your common name.
3. Open the contents of the commercial.csr file and copy and paste into GoDaddy's CSR submission form.
4. Receive digital cert from GoDaddy as a zip file. Unzip and copy the cert and intermediate cert to a directory on the server. For simplicity, complete the commands below from that directory.
5. Import intermediate and root certs from GoDaddy. The intermediate cert is included in the zip file. The root cert is not. Download the root cert for GoDaddy from: https://certificates.starfieldtech.com/Repository.go
To import root cert:
keytool -import -alias root -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file valicert_class2_root.crt
Note: As of 4/2/2007 - Using RHEL 4 with all updates the Root cert was not needed.
Update: 4/2/2007 - Go to this page: https://certificates.godaddy.com/Repository.go Download the gd_cross_intermediate.crt. You should have received gd_intermediate.crt as part of the zip file from GoDaddy. You will need the cross and the intermediate certificates in order to create the "chain".
To import intermediate cert:
keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_intermediate.crt
To import the cross cert:
keytool -import -alias cross -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_cross_intermediate.crt
6. Import digital cert into keystore:
keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file [FileNameofCert] -storepass zimbra
7. Copy the keystore to zimbra Tomcat keystore:
cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore
8. Restart Tomcat.
9. To turn on HTTPS, you must use zmtlsctl https to allow http and https logins, or zmtlsctl mixed to force https logins while all other traffic remains http.
10. To use your certificate for other services, follow the instructions above under "You can use the same CRT for other services".