Jetty Cert in 5.0.1

[janderson]

Is there a special step I need to deploy a commercial cert to jetty with the new tools in 5.0.1?

I'm currently trying to deploy our existing commercial cert to a test box, I got the "zmcertmgr deploycrt comm" to work, however jetty is still using the self signed cert from install.

[janderson]

This is what I ended up doing, not sure if it was the best method, but it did work!

put my.crt and my.key in the following:

/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.key
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt

/opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/ssl/zimbra/commercial/commercial.crt

put intermediate.cer
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_chain.crt

as root: /opt/zimbra/bin/zmcertmgr deploycrt comm

Add "jetty" alias to tomcat keystore
Overwrite /opt/zimbra/jetty/etc/keystore with tomcat keystore

Edit mailboxd_keystore_password, change password to match tomcat keystore

Restart services

[ronpoz]

Quote:

Originally Posted by janderson

Add "jetty" alias to tomcat keystore
Overwrite /opt/zimbra/jetty/etc/keystore with tomcat keystore

What do you mean by this?

Thanks!

[brian]

5.0.1 supports command line install of the commercial cert.

Code:

sudo zmcertmgr deploycrt comm <crt file> <ca chain file>

This will automatically deploy the cert to the jetty keystore. You may have to manually delete the existing tomcat entry if it's expired.

Code:

keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -m nokey mailboxd_keystore_password`
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -m nokey mailboxd_keystore_password`

[ronpoz]

Quote:

Originally Posted by brian

5.0.1 supports command line install of the commercial cert.

Code:

sudo zmcertmgr deploycrt comm <crt file> <ca chain file>

This will automatically deploy the cert to the jetty keystore. You may have to manually delete the existing tomcat entry if it's expired.

Code:

keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -m nokey mailboxd_keystore_password`
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -m nokey mailboxd_keystore_password`

Perfect, this fixed my issue!!!

[ronpoz]

Quote:

Originally Posted by brian

5.0.1 supports command line install of the commercial cert.

Code:

sudo zmcertmgr deploycrt comm <crt file> <ca chain file>

This will automatically deploy the cert to the jetty keystore. You may have to manually delete the existing tomcat entry if it's expired.

Code:

keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -m nokey mailboxd_keystore_password`
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -m nokey mailboxd_keystore_password`

Perfect, this fixed my issue!!!

Thank you!

[janderson]

Quote:

Originally Posted by brian

5.0.1 supports command line install of the commercial cert.

Code:

sudo zmcertmgr deploycrt comm <crt file> <ca chain file>

This will automatically deploy the cert to the jetty keystore. You may have to manually delete the existing tomcat entry if it's expired.

Code:

keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -m nokey mailboxd_keystore_password`
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -m nokey mailboxd_keystore_password`

The deploycert in 5.0.1 deployed to everything but jetty for me, perhaps I should file a bug.