ZCS Administrator Guide 8.0

Network Edition

Managing SSL Certificates for ZCS

A certificate is the digital identity used for secure communication between different hosts or clients and servers. Certificates are used to certify that a site is owned by you.

Two types of certificates can be used - self-signed and commercial certificates.

A self-signed certificate is an identity certificate that is signed by its own creator.

You can use the Certificate Installation Wizard to generate a new self-signed certificate. This is useful when you use a self-signed certificate and want to change the expiration date. The default is 1825 days (5 years). Self-signed certificates are normally used for testing.

A commercial certificate is issued by a certificate authority (CA) that attests that the public key contained in the certificate belongs to the organization (servers) noted in the certificate.

When Zimbra Collaboration Server is installed, the self-signed certificate is automatically installed and can be used for testing Zimbra Collaboration Server. You should generate install the commercial certificate when Zimbra Collaboration Server is used in your production environment.

Installing Certificates

To generate the CSR, you complete a form with details about the domain, company, and country, and then generate a CSR with the RSA private key. You save this file to your computer and submit it to your commercial certificate authorizer.

To obtain a commercially signed certificate, use the Zimbra Certificates Wizard in the administration console to generate the RSA Private Key and Certificate Signing Request (CSR). Go to Home > Certificates and in the gear icon select Install Certificates. The Certificate Installation Wizard dialog box displays.

You enter the following information in the wizard:

 

Option	Description
Common Name (CN)	Exact domain name that should be used to access your Web site securely. Are you going to use a wildcard common name? If you want to manage multiple sub domains on a single domain on the server with a single certificate, check this box. An asterisk (*) is added to the Common Name field.
Country Name (C)	County name you want the certificate to display as our company location
State/Province (ST)	State/province you want the certificate to display as your company location.
City (L)	City you want the certificate to display as your company location.
Organization Name (O)	Your company name
Organization Unit (OU)	Unit name (if applicable)
Subject Alternative Name (SAN)	If you are going to use a SAN, the input must be a valid domain name. When SAN is used, the domain name is compared with the common name and then to the SAN to find a match. You can create multiple SANs. When the alternate name is entered here, the client ignores the common name and tries to match the server name to one of the SAN names.

Download the CSR from the Zimbra server and submit it to a Certificate Authority, such as VeriSign or GoDaddy. They issue a digitally signed certificate.

When you receive the certificate, use the Certificates Wizard a second time to install the certificate on the ZCS. When the certificate is installed, you must restart the server to apply the certificate.

Viewing Installed Certificates

You can view the details of certificates currently deployed. Details include the certificate subject, issuer, validation days and subject alternative name. To view installed certificates, go to Home > Certificates and select a service host name. Certificates display for different Zimbra services such as LDAP, mailboxd, MTA and proxy.

Maintaining Valid Certificates

It is important to keep your SSL certificates valid to ensure clients and environments work properly, as the ZCS system can become non-functional if certificates are allowed to expire. You can view deployed SSL certificates from the ZCS administrator console, including their validation days. It is suggested that certificates are checked periodically, so you know when they expire and to maintain their validity.

Install a SSL Certificate for a Domain

You can install an SSL certificate for each domain on a ZCS server. Zimbra Proxy must be installed on ZCS and correctly configured to support multiple domains. For each domain, a virtual host name and Virtual IP address are configured with the virtual domain name and IP address.

Each domain must be issued a signed commercial certificate that attests that the public key contained in the certificate belongs to that domain.

1.	Configure the Zimbra Proxy Virtual Host Name and IP Address.

zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}

Note:

The virtual domain name requires a valid DNS configuration with an A record.

2.	Go to the administration console and edit the domain. Copy the domain’s issued signed commercial certificate’s and private key files to the Domain>Certificate page.

3.	Copy the root certificate and the intermediate certificates in descending order, starting with your domain certificate. This allows the full certificate chain to be validated.

4.	Remove any password authentication from the private key before the certificate is saved.

See your commercial certificate provider for details about how to remove the password.

5.	Click Save.

The domain certificate is deployed to /opt/zimbra/conf/domaincerts