ZCS Administrator Guide 8.0
Network Edition



Managing SSL Certificates for ZCS
A certificate is the digital identity used for secure communication between different hosts or clients and servers. Certificates are used to certify that a site is owned by you.
Two types of certificates can be used - self-signed and commercial certificates.
* A self-signed certificate is an identity certificate that is signed by its own creator. You can use the Certificate Installation Wizard to generate a new self-signed certificate. This is useful when you use a self-signed certificate and want to change the expiration date. The default is 1825 days (5 years). Self-signed certificates are normally used for testing.
* A commercial certificate is issued by a certificate authority (CA) that attests that the public key contained in the certificate belongs to the organization (servers) noted in the certificate.
When Zimbra Collaboration Server is installed, the self-signed certificate is automatically installed and can be used for testing Zimbra Collaboration Server. You should install the commercial certificate when Zimbra Collaboration Server is used in your production environment.
Installing Certificates
To generate the CSR, you complete a form with details about the domain, company, and country, and then generate a CSR with the RSA private key. You save this file to your computer and submit it to your commercial certificate authority.
To obtain a commercially signed certificate, use the Zimbra Certificates Wizard in the administration console to generate the RSA Private Key and Certificate Signing Request (CSR). Go to Home > Certificates and in the gear icon select Install Certificates. The Certificate Installation Wizard dialog box displays.
You enter the following information in the wizard:
 
Option 
Description 
Download the CSR from the Zimbra server and submit it to a Certificate Authority, such as VeriSign or GoDaddy. They issue a digitally signed certificate.
When you receive the certificate, use the Certificates Wizard a second time to install the certificate on the ZCS. When the certificate is installed, you must restart the server to apply the certificate.
Viewing Installed Certificates
You can view the details of certificates currently deployed. Details include the certificate subject, issuer, validation days and subject alternative name. To view installed certificates, go to Home > Certificates and select a service host name. Certificates display for different Zimbra services such as LDAP, mailboxd, MTA and proxy.
Maintaining Valid Certificates
It is important to keep your SSL certificates valid so that clients and environments work properly; the ZCS system can become non-functional if certificates are allowed to expire. You can view deployed SSL certificates, including their validation days, from the ZCS administrator console. Check certificates periodically so that you know when they expire and can keep them valid.
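One way to run that periodic check from the server's shell, as an added example that is not part of the Zimbra guide or tooling: it classifies PEM certificate files with the standard `openssl x509 -checkend` test. The default directory is the domain certificate path given on this page; the `*.crt` file pattern, the 30-day warning window and the function names are assumptions.

```shell
#!/bin/sh
# Added example: classify PEM certificates by time left before expiry.
# CERT_DIR defaults to the domain certificate directory named on this page.
# Assumptions: certificates are PEM files named *.crt; 30-day warning window.
CERT_DIR="${CERT_DIR:-/opt/zimbra/conf/domaincerts}"
WARN_DAYS="${WARN_DAYS:-30}"

# Print OK, EXPIRING (inside the warning window), EXPIRED or UNREADABLE.
# Usage: cert_status FILE [WARN_DAYS]
cert_status() {
    file=$1
    days=${2:-$WARN_DAYS}
    # Parse first, so a corrupt or missing file is not mistaken for an expired one.
    if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
        echo UNREADABLE
    elif ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -noout -checkend "$((days * 86400))" -in "$file" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Print "STATUS<TAB>notAfter<TAB>file" for every certificate in a directory.
# Returns 1 if any certificate is not OK, so cron or monitoring can alert.
scan_certs() {
    dir=${1:-$CERT_DIR}
    rc=0
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue
        st=$(cert_status "$f")
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "$st" "${end#notAfter=}" "$f"
        [ "$st" = OK ] || rc=1
    done
    return "$rc"
}

# Run as: sh certcheck.sh scan [DIR]
if [ "${1:-}" = scan ]; then
    scan_certs "${2:-$CERT_DIR}"
fi
```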
Install an SSL Certificate for a Domain
You can install an SSL certificate for each domain on a ZCS server. Zimbra Proxy must be installed on ZCS and correctly configured to support multiple domains. For each domain, a virtual host name and Virtual IP address are configured with the virtual domain name and IP address.
Each domain must be issued a signed commercial certificate that attests that the public key contained in the certificate belongs to that domain.
1.
zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}
Note:
2.
3.
4.
See your commercial certificate provider for details about how to remove the password.
5.
Click Save.
The domain certificate is deployed to /opt/zimbra/conf/domaincerts
Copyright © 2012 VMware Inc.