
Thread: [SOLVED] Commercial cert Thawte

  1. #1
    lindworm, Senior Member (Germany, joined Feb 2007, 74 posts)

    [SOLVED] Commercial cert Thawte

    Hi,

    I know there are several threads about certificates and commercial certificates and some information in the wiki, but nothing really helped me.

    We used our Thawte commercial certificate since 4.5.6 and had no problems with it. Even after upgrade from 4.5.9 to 5.0.2 there were no problems.

    But now we want to migrate from centos5 x86 to centos5 x86_64 (we know that centos is not supported). Restore works, but we have problems installing the certificate.

    In 4.5.x I just copied
    commercial.keystore
    my.crt
    my.key
    to some places and it worked.

    After the upgrade to 5.0.2 it still worked, so I think these files are all I need. Is that right?

    I tried the administration interface and /opt/zimbra/bin/zmcertmgr deploycrt comm

    But it doesn't work for me.

    Can you please tell me the steps I have to do to get the certificate working?

    Thanks

  2. #2
    lindworm, Senior Member (Germany, joined Feb 2007, 74 posts)

    In my special case with a running 5.0.2 with installed cert this helped me:

    First I moved the actual cert files on the old server:

    Code:
    cd /opt/zimbra/conf/
    mv slapd.crt slapd.crt.old
    mv slapd.key slapd.key.old
    mv smtpd.crt smtpd.crt.old
    mv smtpd.key smtpd.key.old
    mv ca ca.old
    mv nginx.crt nginx.crt.old
    mv nginx.key nginx.key.old
    
    mv /opt/zimbra/ssl/ /opt/zimbra/sslold
    Then I copied these files from the old server to the new one and changed the permissions.

    Then I did a

    Code:
    zmcontrol stop && zmcontrol start

    and a

    Code:
    zmcontrol status

    to see if everything is running.

    After this, the certificate is working again without any commercial_ca.crt (because I don't know which one to choose).

  3. #3
    lindworm, Senior Member (Germany, joined Feb 2007, 74 posts)

    And here is the easy way:

    Code:
    cd <path to crt and key files>
    cp my.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
    chmod 740 /opt/zimbra/ssl/zimbra/commercial/commercial.key
    /opt/zimbra/bin/zmcertmgr deploycrt comm my.crt /opt/zimbra/curl-7.17.0/share/curl/curl-ca-bundle.crt

  4. #4
    martinmuc, Intermediate Member (joined Feb 2007, 17 posts)

    Thawte Certificate from Scratch

    Hi,

    for completeness:

    When you want to install a Thawte certificate from scratch:

    I made a .csr via the Zimbra Admin-Webfrontend, got the .crt from Thawte, and copied the crt to the Zimbra server (e.g. /home/user/my.crt).

    After this, I ran the command

    Code:
    /opt/zimbra/bin/zmcertmgr deploycrt comm /home/user/my.crt /opt/zimbra/curl-7.17.0/share/curl/curl-ca-bundle.crt

    After a restart of Zimbra, all works fine.
    This should work with other CAs, too.

    I didn't get it working via the Zimbra Admin-Webfrontend, because I don't know which Root CA to choose.

    Your certificates are stored in /opt/zimbra/ssl/zimbra/commercial
    So please back up.

    Martin

  5. #5
    LinuxProphet, Member (joined Mar 2007, 12 posts)

    Thanks for the Intel

    I've racked my brains, tried all manner of scripts but couldn't get my Thawte Certificate to work.

    I too didn't know what Root CA to use, but I ended up spending days cracking my head.

    Then you came up with the solution in the curl directory... and it took 30 seconds.

    Many Thanks

    LinuxProphet

  6. #6
    NOZIL, Special Member (Bordeaux, France, joined Nov 2006, 140 posts)

    Coming from a self-signed certificate, I tried to install a Thawte cert using your method.

    The cert seems to install OK, but after restarting Zimbra, the cert used by Zimbra is still the self-signed one and not the commercial one...

    Any idea?

    Release 5.0.1_GA_1902.RHEL5_20080109200629 CentOS5 FOSS edition

  7. #7
    punit.jain, Zimbra Employee (joined Aug 2007, 4 posts)

    Use these steps:

    Steps to install a commercial trial certificate

    1. Go into the /opt/zimbra/ssl/zimbra/commercial directory and check whether commercial.key is present with permissions set to 740.
    2. If not, change the permissions.
    3. Get the certificate with the CSR.
    4. Create the directory /root/certs.
    5. Save the certificate file in /root/certs as commercial.crt.
    6. chmod commercial.crt to 700.
    7. In the mail in which you got the commercial certificate, also look for the root and intermediate files.
    8. Save them in the /root/certs directory as root.ca and intermediate.ca.
    9. Run:
    Code:
    cat root.ca intermediate.ca >> commercial_ca.crt
    10. Run:
    Code:
    chmod 770 commercial_ca.crt
    11. Verify using this command:
    Code:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /path/to/privatekey /path/to/commercial.crt /path/to/commercial_ca.crt

    That is, in this case:

    Code:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/certs/commercial.crt /root/certs/commercial_ca.crt

    If you get something like this:

    Code:
    ** Verifying /root/certs/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/certs/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /root/certs/commercial.crt: OK

    12. Then install like below:

    Code:
    [root@filter certs]# su - zimbra
    [zimbra@filter ~]$ sudo zmcertmgr deploycrt comm /root/certs/commercial.crt /root/certs/commercial_ca.crt

    You should see the following logs:

    Code:
    [zimbra@filter ~]$ sudo zmcertmgr deploycrt comm /root/certs/commercial.crt /root/certs/commercial_ca.crt
    ** Verifying /root/certs/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/certs/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /root/certs/commercial.crt: OK
    ** Copying /root/certs/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /root/certs/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.

    13. Restart Zimbra.

    14. Inspect your certificate:

    Code:
    openssl x509 -in /root/certs/commercial.crt -noout -text

    15. View the deployed certificate via the command line:

    Code:
    sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt

  8. #8
    jwhitaker, Intermediate Member (Lexington, KY, joined Jul 2009, 18 posts)

    be careful

    I would be wary of the curl-ca-bundle trick in this post. It caused MTA issues with SSL and TLS for us. You can live chat with Thawte and get the root CA cert that you need. After running the deployment with the curl-ca-bundle, a bunch of root CAs were appended to our CA certificate. A "too long" error scrolled by for MTA cert during the deploy step, which is apparently what was breaking postfix TLS and SSL.

    Next time we tried to redeploy with the correct root CA, we didn't notice the extra stuff in our cert and still had issues. Had to return to the original cert from Thawte and recreate that file, then all went well.

  9. #9
    brian, Project Contributor (joined Jul 2006, 623 posts)

    I completely agree with jwhitaker, you should never use the curl-ca-bundle in the way lindworm recommended. You should always download the root ca and ca intermediaries from your CA provider when deploying a commercial cert.
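As an added example (not code from any post in this thread and not part of Zimbra's zmcertmgr), here is a POSIX shell script that does the pre-deployment checks behind punit.jain's step 11 and behind jwhitaker's and brian's warning about the curl-ca-bundle: it builds a constructed root -> intermediate -> server chain with openssl in a scratch directory (standing in for /root/certs and for the files a CA such as Thawte sends), then checks that the private key matches commercial.crt, that commercial.crt verifies against commercial_ca.crt, that the chain file starts with the issuing CA, and that it holds a couple of CA certs rather than a whole bundle. CERTDIR, the function names and the "Constructed ..." CA names are assumptions of this example; the chain-order and bundle-size checks go beyond what the thread itself describes.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from Zimbra.
# Builds a constructed root -> intermediate -> server chain with openssl in a
# scratch directory (standing in for /root/certs and the files a CA sends), then
# runs the pre-deployment checks: key/cert match, chain validation, chain order,
# and a guard against deploying a whole CA bundle as the chain.
set -u

CERTDIR="${CERTDIR:-$(mktemp -d)}"   # hypothetical stand-in for /root/certs

# Constructed test material. Every name here is made up for the example.
make_test_chain() {
    d="$CERTDIR"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' >"$d/srv.ext"
    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.ca" 2>/dev/null
    # intermediate signed by the root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$d/int.csr" -CA "$d/root.ca" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/intermediate.ca" 2>/dev/null
    # server cert signed by the intermediate; on a real box the key is
    # /opt/zimbra/ssl/zimbra/commercial/commercial.key
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=mail.example.test" \
        -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 397 -in "$d/commercial.csr" -CA "$d/intermediate.ca" \
        -CAkey "$d/int.key" -CAcreateserial -extfile "$d/srv.ext" -out "$d/commercial.crt" 2>/dev/null
    # chain file in the order a server should present it: issuer first, root last
    cat "$d/intermediate.ca" "$d/root.ca" >"$d/commercial_ca.crt"
    chmod 600 "$d/commercial.key"
}

# The public key inside the cert must be derived from our private key
# (the same property zmcertmgr verifycrt reports as "match").
key_matches_cert() {   # $1 = cert, $2 = private key
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl md5)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The cert must chain to the CA certs we are about to deploy as commercial_ca.crt.
chain_verifies() {     # $1 = cert, $2 = chain file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Number of certificates in the chain file. One or two is normal; a file like
# curl-ca-bundle.crt holds over a hundred roots and is not a chain at all.
chain_cert_count() {   # $1 = chain file
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# The first cert in the chain file must be the one that issued the server cert,
# since zmcertmgr appends the file to commercial.crt in the order given.
chain_order_ok() {     # $1 = cert, $2 = chain file
    issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    first=$(awk '/BEGIN CERTIFICATE/{n++} n==1' "$2" | openssl x509 -noout -subject | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$first" ]
}

# Run all checks on the files in CERTDIR; returns non-zero on the first failure.
preflight() {
    d="$CERTDIR"
    key_matches_cert "$d/commercial.crt" "$d/commercial.key" || { echo "FAIL: key does not match certificate"; return 1; }
    chain_verifies "$d/commercial.crt" "$d/commercial_ca.crt" || { echo "FAIL: certificate does not verify against chain"; return 1; }
    chain_order_ok "$d/commercial.crt" "$d/commercial_ca.crt" || { echo "FAIL: chain file does not start with the issuing CA"; return 1; }
    n=$(chain_cert_count "$d/commercial_ca.crt")
    [ "$n" -le 3 ] || { echo "FAIL: $n certs in chain file; that is a CA bundle, not a chain"; return 1; }
    echo "OK: key, cert and $n-cert chain are consistent; safe to run zmcertmgr deploycrt comm"
}

make_test_chain
preflight
```

To use the checks on real files, point CERTDIR at the directory holding commercial.key, commercial.crt and commercial_ca.crt and call preflight without make_test_chain. The bundle-size guard is what would have caught the curl-ca-bundle deployment from posts #3 and #4: the file has hundreds of BEGIN CERTIFICATE entries, none of which is the issuing intermediate, so both chain_order_ok and the count limit fail.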
