King0770-Notes-import-SSL
On occasion, Zimbra may need to import an external SSL certificate from a non-Zimbra server, most commonly from Active Directory servers.
To import it, run the following steps as the zimbra user.
Run one of the following openssl commands to connect to the non-Zimbra server and save the certificate(s) it presents (port 636 for LDAPS, or port 3269 for the Global Catalog over SSL):
echo | openssl s_client -connect active-directory.example.com:636 -showcerts 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p' >> /tmp/adCert.crt
OR
echo | openssl s_client -connect active-directory.example.com:3269 -showcerts 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p' >> /tmp/adCert.crt
If you didn't run openssl as the zimbra user, make sure the file is owned by the zimbra user:
chown zimbra:zimbra /tmp/adCert.crt
Make sure the saved SSL certificate is valid: confirm it parses and check its subject, issuer and validity dates.
openssl x509 -in /tmp/adCert.crt -noout -text
Import into Zimbra:
zmcertmgr addcacert /tmp/adCert.crt
Then restart ZCS to pick up the changes:
zmcontrol restart
When you use addcacert, zmcertmgr derives the keystore alias from the base name of the *.crt file (without the .crt extension), prefixed with zcs-user-:
zmcertmgr addcacert /tmp/corp.crt
** Importing cert '/tmp/corp.crt' as 'zcs-user-corp' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
OR
zmcertmgr addcacert /tmp/abccompany.crt
** Importing cert '/tmp/abccompany.crt' as 'zcs-user-abccompany' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
List the imported certificate by its alias:
keytool -list -alias zcs-user-abccompany -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit
List all trusted SSL certificates in the keystore:
keytool -list -keystore /opt/zimbra/common/etc/java/cacerts -v -storepass changeit
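The following shell helpers wrap the whole fetch, check, import and verify procedure above into functions. This is an added example, not code from the wiki page or from Zimbra; the host name ad.example.com, the function names and the alias rule (inferred from the page's two examples, /tmp/corp.crt becoming zcs-user-corp) are assumptions, and the sample s_client output at the bottom is constructed with placeholder certificate bodies. The fetch step writes with > instead of the page's >> so that a retry does not append a second copy of the chain to an existing file.

```shell
#!/bin/sh
# Added example (not from the wiki page or from Zimbra): helpers for the
# fetch -> check -> import -> verify steps. Run them as the zimbra user.
# Assumed values: ad.example.com, the function names, the alias rule below.

ZIMBRA_CACERTS=${ZIMBRA_CACERTS:-/opt/zimbra/common/etc/java/cacerts}   # keystore path used on the page

# Keep only the PEM certificate blocks from openssl s_client output on stdin
# (same sed range as the page; -n is the portable spelling of --quiet).
extract_pem_chain() {
    sed -n '/-BEGIN CERTIFICATE-/,/END CERTIFICATE-/p'
}

# How many certificates a PEM file holds. -showcerts returns the whole chain,
# so the file usually has the server certificate followed by its issuer(s).
count_certs() {
    grep -c -- '-BEGIN CERTIFICATE-' "$1"
}

# Keystore alias zmcertmgr derives from the file name, inferred from the page's
# examples (/tmp/corp.crt -> zcs-user-corp); an assumption, not documented behaviour.
zcs_alias_for() {
    base=$(basename "$1")
    printf 'zcs-user-%s\n' "${base%.crt}"
}

# Connect to the AD server (636 = LDAPS, 3269 = Global Catalog over SSL) and
# save what it presents. Succeeds only if at least one certificate was captured.
fetch_ad_chain() {
    host=$1; port=${2:-636}; out=${3:-/tmp/adCert.crt}
    echo | openssl s_client -connect "$host:$port" -showcerts 2>&1 \
        | extract_pem_chain > "$out"
    [ "$(count_certs "$out")" -gt 0 ]
}

# Sanity-check the first certificate in the file before trusting it: it must
# parse, and -checkend 0 fails if it has already expired.
check_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates || return 1
    openssl x509 -in "$1" -noout -checkend 0
}

# Import into the Zimbra CA keystore, restart ZCS, then confirm the alias is
# present ('changeit' is the store password shown on the page).
import_and_verify() {
    f=$1
    [ "$(id -un)" = zimbra ] || { echo "run as the zimbra user" >&2; return 1; }
    zmcertmgr addcacert "$f" || return 1
    zmcontrol restart || return 1
    keytool -list -alias "$(zcs_alias_for "$f")" \
        -keystore "$ZIMBRA_CACERTS" -storepass changeit -v
}

# Constructed sample of what s_client prints, to exercise the offline helpers
# without a network; the base64 bodies are placeholders, not real certificates.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = ad.example.com
-----BEGIN CERTIFICATE-----
MIIBplaceholderLEAFcertBODY
-----END CERTIFICATE-----
 1 s:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderROOTcertBODY
-----END CERTIFICATE-----
---
DONE'

# Usage on a live system (network, run as zimbra):
#   fetch_ad_chain ad.example.com 636 /tmp/adCert.crt \
#       && check_cert /tmp/adCert.crt && import_and_verify /tmp/adCert.crt
```

Because -showcerts returns the full chain, count_certs tells you whether /tmp/adCert.crt holds one certificate or several; check_cert and openssl x509 only look at the first block in the file, so inspect the file if the count is greater than one before deciding which certificate to trust.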
More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes