Integrating Intermediate Root Certificates using the Zimbra Certificate Tool

[blaze]

Hi guys,

Everything in this thread relates to Zimbra 5 RC2.

This is kind of a follow up to my other thread. According to the instructions in the article here, the method for integrating root certificates is as follows:

If your certificate is in DER format it must be converted to PEM:

Quote:

openssl x509 -out exported-pem.crt -outform pem -text -in exported.crt -inform der

If it is already in PEM format then you simply run this command:

Quote:

cat exported-pem.crt ca_int1.crt ca_int2.crt >> my.crt

Am I correct in assuming that when using the wizard, you would perform these steps:
1. Generate CSR
2. Send CSR to CA and receive reply (in my case the certificate and two intermediate ones- including a Root certificate)
3. Intergrate the certificates on the command line
4. Install the certificate using the wizard on the admin interface.

This makes perfect sense to me, and I think these are helpful instructions for people new to the process.

My problem however, is what if you miss out step 3? I happen to have done this by accident. Does anybody know what the solution is? I would really rather not re-submit another csr and have to install it again, but if that is the solution then so be it. What I am wondering is, can I simply merge the certificates now, and go straight to the install process on the wizard?

Many thanks,
Gary

[blaze]

does anybody have any ideas on this one? I only need a little advice to go ahead with it.

Many thanks,
Gary

[blaze]

For the record, I tried merging the certificates using those instructions and then I tried to use the wizard. I got the following error:


Not really a huge surprise because it is not going to match the key if it has two other certificates inside it.

Is there any way to install the root certificates and intermediate certificates using the wizard separately? If not, is there anyway I can add them into a keystore somewhere?

Using certain programs and web browsers, the certificate is valid right now as it is, but it gives "the correct root certificate is not installed". Really need to fix that.

Many thanks,
Gary

[blaze]

I am continuing to work on this issue and I have another question:

Quote:

Since my certificates are in PEM format I have decided to attempt the manual steps again. The question is, when making a PKCS12 file, how does one cater for the root and intermediate certificates?

The instructions state:

Quote:

keytool -import -alias YOUR_CA_NAME -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /PATH/TO/YOUR/CACERT

Is this the same for Version 5 RC2? I have tried this without much success. I still get the error:

Quote:

"The correct root certificate is not installed"

Any help here guys?

Thanks

[blaze]

Well I ended up solving this by moving to another CA that didn't need an intermediate certificate installing (GeoTrust). I would have liked to have got things working with DigiCert but it wasn't to be. I will mark this thread solved, but I guess it isn't really. It would be worthwhile in the future if you guys could work out some documentation for intermediate certificates on version 5 either with or without the wizard.

Many thanks,
Gary