Installing a IPSCA Commercial Certificate
|This article applies to the following ZCS versions.|
Documentation on how to install a commercial SSL Certificate provided by IPSCA using zmcertmgr. I created this documentation after upgrading to Zimbra 6.0 and having Zimbra fail to start due to the commercial SSL Certificate.
IPSCA offers free wildcard SSL certificates for Educational Institutions which is why we chose them. Their certificates appear to work in everything with out complaining except Opera.
This documentation assumes you've already generated your private key, certificate request and gotten it signed by IPSCA for your domain. I created these instructions using Zimbra 6.0 and CentOS 5.3 32-bit. Chances are this will work on Zimbra 5.0 and other operating systems.
Installing a IPSCA SSL Certificate using zmcertmgr
1. Download a copy of the IPSCA Intermedia Certificate and Root Certificate from here. Thankfully IPSCA bundles them together for you saving you some time. If you really want them in separate files go here
2. Put your .key and .crt files on your server. For this example I'm going to use 'example.ca.key' and 'example.ca.crt' and assume they are stored in '/tmp'
3. I decrypted my SSL private key (example.ca.key). I'm not 100% sure if you have to do this but I find it easier to deal with because you don't have to keep entering the private keys passphrase.
openssl rsa -in /tmp/example.ca.key -out /tmp/example.ca.key.unenc
Enter your passphrase for the private key when prompted
4. Make sure you're root and copy your unencrypted private key into Zimbra SSL directory
cp /tmp/example.ca.key.unenc /opt/zimbra/ssl/zimbra/commercial/commercial.key
5. Still as root you'll now import your commercial certificate (example.ca.crt) and the IPSCA CA and Intermediate certificate bundle (IPS-IPSCABUNDLE.CRT). Make sure Zimbra is running before you run this command.
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/example.ca.crt /tmp/IPS-IPSCABUNDLE.CRT
6. As the Zimbra user stop and restart Zimbra
zmcontrol stop zmcontrol start
Updating the expired IPSCA Root CA
This assumes you've previously installed a SSL Certificate signed by IPSCA. If this is the case you've more then likely found out by now that IPSCA's Root CA has expired and they've re-issued everyone's SSL Certificates signed with their new Root CA. More details here.
The following was performed on CentOS 5.4 32-bit and Zimbra 6.0.4.
1. Download a fresh copy of the IPSCA Certificate Bundle
2. Upload your new SSL Certificate (.crt) to your Zimbra server in the "/tmp/" directory. IPSCA should have e-mailed this to you already. They send it as a .txt file.
3. Issue the following commands to install the new certificates (as root)
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/example.ca.crt /tmp/IPS-IPSCABUNDLE.crt
4. Restart Zimbra (as zimbra)
zmcontrol stop zmcontrol start
You're still going to have to deal with the remaining issue that the new IPSCA Root CA is only in a fully updated Internet Explorer 8. Anyone using Firefox, Opera, Safari or other browser is still going to get a certificate error.
When I run 'zmcertmgr' to import my certificate I see the following messages during the import:
** Saving server config key zimbraSSLCertificate...failed. ** Saving server config key zimbraSSLPrivateKey...failed.
This means Zimbra isn't running. Start Zimbra and then re-run the command.