Technical-Notes

Technical Notes

   KB 21230        Last updated on 2015-10-2  




0.00
(0 votes)


Single-Node Commercial Certificate

Some theory about SSL Certificates and words that we will use in this tutorial:

  • CSR (Certificate Signing Request): A CSR or also Certificate Signing request is a encrypted file with information about the company. This file is generated in our server, the Information that contains inside we discussed in a previous article. A Certificate authority uses this CSR for take the information and create the SSL Certificate.
  • Private Key: We told before that CSR is a encrypted file, we used for encrypt it a Private Key, that is unique. The CSR and the SSL certificate will only works if we have the Private key. So the best practice is do a Backup of the Private Key and the CSR just in case we can have any problem. But keep in a secure place.

We will moving us to the correct folder inside our Server for generate the files that we will need:

cd /tmp

Generating the CSR

Using the tool zmcertmgr, the Zimbra system will create the CSR, and also automatically doing a Backup of the existing Cert, great.

zimbra@help:# /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=help.zimbra.com"
** Generating a server csr for download comm -new -subject /C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=help.zimbra.com
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20141006233154 
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
root@help:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/bin/zmcertmgr viewcsr comm commercial.csr
subject=/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=help.zimbra.com
SubjectAltName= 
zimbra@help:# 

We will need this two files located in this location: /opt/zimbra/ssl/zimbra/commercial/:

  • commercial.csr: This is the file that we need to provide to the CA Authority
  • commercial.key: The Private Key that we need to save, or do a Backup if we want to install the CRT in other Server, or restore it in case of any fail.

Checking the content of the CSR - SSL Certificate

Now we can check trough CLI if everything in the SSL is allright with the next command:

zimbra@help:/tmp# /opt/zimbra/bin/zmcertmgr viewcsr comm commercial.csr
subject=/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=help.zimbra.com
SubjectAltName= 

Another good method to check if everything is allright is using external websites, the only thing that we need to do is paste our CSR content, we can view it doing a more command:

zimbra@help:/tmp# more /opt/zimbra/ssl/zimbra/commercial/commercial.csr

We recommend one of this three:

  • [1]Comodo DecodeCSR
  • [2] Symantec CSR Check
  • [3] SSLShoper CSR Decoder

Using these web pages is quite easy, we just copy the CSR content and paste into this pages, take a look of this example in Symantec Website:

Ssl-check001.PNG

Buying the Commercial SSL Certificate

The next step is buy a valid commercial SSL certificate. Have tons of webpages around the World that you can use. This Companies will ask us about the CSR and our Business Information. And once the verification has a success they will send to us a file with the SSL Certificate (usually is a file with .crt extension)

Installing the Commercial SSL Certificate

When we have everything from our SSL Certificate authority, is time to put it in the correct folder.

Creating the commercial.crt

This file is easy to create, we only need to create that and paste inside the content of the file that the Certificate authority gave it to us:

zimbra@help:/tmp# vi commercial.crt

Creating the commercial_ca.crt

The file called commercial_ca.crt needs to be created with the correct information, we need to mix the Root Certificate and also The Intermediate Certificate, the order matters, so the file need to include CA INTERMEDIATE or INTERMEDIATES, CA ROOT one in the end of other with only one Backspace:

zimbra@help:/tmp# vi commercial_ca.crt

For example, this is how looks the file commercial_ca.crt with date September 2014 with a Geotrust QuickSSL Premium Certificate:

-----BEGIN CERTIFICATE-----
MIID+jCCAuKgAwIBAgIDAjbSMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjI2MjEzMjMxWhcNMjAwMjI1MjEzMjMxWjBhMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UECxMURG9tYWluIFZh
bGlkYXRlZCBTU0wxGzAZBgNVBAMTEkdlb1RydXN0IERWIFNTTCBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKa7jnrNpJxiV9RRMEJ7ixqy0ogGrTs8
KRMMMbxp+Z9alNoGuqwkBJ7O1KrESGAA+DSuoZOv3gR+zfhcIlINVlPrqZTP+3RE
60OUpJd6QFc1tqRi2tVI+Hrx7JC1Xzn+Y3JwyBKF0KUuhhNAbOtsTdJU/V8+Jh9m
cajAuIWe9fV1j9qRTonjynh0MF8VCpmnyoM6djVI0NyLGiJOhaRO+kltK3C+jgwh
w2LMpNGtFmuae8tk/426QsMmqhV4aJzs9mvIDFcN5TgH02pXA50gDkvEe4GwKhz1
SupKmEn+Als9AxSQKH6a9HjQMYRX5Uw4ekIR4vUoUQNLIBW7Ihq28BUCAwEAAaOB
2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIz02ZMKR7wAoErOS3VuoLaw
sn78MB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4ysxOMBIGA1UdEwEB/wQI
MAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5j
b20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzAB
hhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZIhvcNAQEFBQADggEBADOR
NxHbQPnejLICiHevYyHBrbAN+qB4VqOC/btJXxRtyNxflNoRZnwekcW22G1PqvK/
ISh+UqKSeAhhaSH+LeyCGIT0043FiruKzF3mo7bMbq1vsw5h7onOEzRPSVX1ObuZ
lvD16lo8nBa9AlPwKg5BbuvvnvdwNs2AKnbIh+PrI7OWLOYdlF8cpOLNJDErBjgy
YWE5XIlMSB1CyWee0r9Y9/k3MbBn3Y0mNhp4GgkZPJMHcCrhfCn13mZXCxJeFu1e
vTezMGnGkqX2Gdgd+DYSuUuVlZzQzmwwpxb79k1ktl8qFJymyFWOIPllByTMOAVM
IIi0tWeUz12OYjf+xLQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----

Checking if every file is OK

Also with all of these steps, we could do something wrong, we could check if everything is alright before deploy the SSL Certificate, for test all files we will execute the next:

zimbra@help:/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt

If everything is allright, the result of the command will be:

** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK

Launching the last command

If we don't have any issue in the previous step, is time to launch the last two command here:

zimbra@help:/tmp# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

The Logfile will be like this:

** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

Single-Node Multi-SAN Commercial Certificate

Have a Multi-SAN certificate simplify the task of secure the Zimbra Infrastructure with only one Certificate, so we will have only one CSR to renew each year, etc. Also the Multi-SAN SSL Certificates permit us add more ALT names if we need it and modify as well, we only need to generate the CSR with the changes and send it to the CA Authority.

Generating the MultiSAN.csr file

We will create a file that we can update per each domain that we will need to use in the future. Also we can update it for remove, or modify domains inside it.

We will start moving us to the correct folder inside our Server for generate the files that we will need:

cd /tmp/

Then is time to create the CSR file, in this file we need to change the name of our Private Key, our Common Name and also the alternative domains that we want to protect with our SSL.

/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=mail.domain.com" -subjectAltNames "mail.domain.com,mail.domain2.com,mail.domain3.com"
** Generating a server csr for download comm -new -subject /C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=mail.domain.com -subjectAltNames mail.domain.com,mail.domain2.com,mail.domain3.com
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20141007154948
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Creating server cert request /tmp/commercial.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
zimbra@help:/opt/zimbra/ssl/zimbra/commercial#

Checking the content of the SSL Certificate

Now we can check trough CLI if everything in the SSL is allright with the next command:

zimbra@help:/tmp# /opt/zimbra/bin/zmcertmgr viewcsr comm commercial.csr
subject=/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=mail.domain.com
SubjectAltName= mail.domain.com, mail.domain2.com, mail.domain3.com

We will check the CSR that we've generated, just copy the result of this command:

more commercial.csr

Inside any of this CSR Decoder's Web:

  • [4]Comodo DecodeCSR
  • [5] Symantec CSR Check
  • [6] SSLShoper CSR Decoder

SSL MultiSAN Install Web 001.png

Buying the Commercial SSL Certificate

The next step is buy a valid commercial SSL certificate. Have tons of webpages around the World that you can use. This Companies will ask us about the CSR and our Business Information. And once the verification has a success they will send to us a file with the SSL Certificate (usually is a file with .crt extension)

Installing the Commercial SSL Certificate

We can use the same instructions explained here:

Creating the commercial_ca.crt

We can use the same instructions explained here:

Checking if every file is OK

We can use the same instructions explained here:

Launching the last command

We can use the same instructions explained here:

Forcing the Server to use only HTTPS

We can use the same instructions explained here:

Forcing the Server to use only HTTPS

Now that we have a valid SSL, the best option is force to our server that only use SSL for our Web Client Access. For do it we will use zmtlsctl command, let's take a look of all of the options here:

  • http - http only, the user can access to our Zimbra Web Client trough http://webmail.zimbra.com
  • https – https only, the user can access to our Zimbra Web Client trough https://webmail.zimbra.com
  • both – The user can access trough both protocols http:// or https:// and it will keep in the same protocol during all session.
  • mixed – With this option, the user will come in trought http:// and will be redirect to https:// only for the login form, after that will be redirect to http:// again. If the user come directly trough https:// the user will be under https:// all the time.
  • redirect - If the user came trough http, it will be automatically redirect to https:// and it will keep on it during all session.

Zimlet LinkedIn Images

This article has been moved to the next Link

VMware HA script in Zimbra Collaboration

This article has been moved to the next Link

Migrate from cPanel/Plesk to Zimbra Collaboration 8.0.x 8.x

This article has been moved to the next Link

Verified Against: Zimbra Collaboration 8.0, 7.0 Date Created: 01/1/2015
Article ID: https://wiki.zimbra.com/index.php?title=Technical-Notes Date Modified: 2015-10-02



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search