Page 2 of 3 (results 11 to 20 of 28)

Thread: zmcreatecert usage of keytool

  1. #11 marcmac (Expert Member, joined Sep 2005, 2,103 posts)

    What I've done to zmssl.cnf.in is to add a subst. string to the alt names line, which will be replaced with any command line arguments. I've added the -extensions flag to the openssl call, and made the other changes.

    Haven't tested it yet, but should be there today.

  2. #12 ericding (Intermediate Member, joined Mar 2006, 19 posts)

    Thanks for your responsiveness, marcmac. This still begs the question in my mind, though: why is it necessary to have two separate certificates for Tomcat and smtpd? Doesn't this mean twice the cost if we go to a commercial certificate vendor?

  3. #13 KevinH (Expert Member, San Mateo, CA, joined Aug 2005, 4,789 posts)

    Quote Originally Posted by ericding
    Thanks for your responsiveness, marcmac. This still begs the question in my mind, though: why is it necessary to have two separate certificates for Tomcat and smtpd? Doesn't this mean twice the cost if we go to a commercial certificate vendor?
    It's the same cert, just in different formats. So one cert is all you need.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  4. #14 marcmac (Expert Member, joined Sep 2005, 2,103 posts)

    To expand on Kevin's response:

    Tomcat requires its cert in a particular format in the keystore file (cert and private key bundled together).

    Postfix, on the other hand (and ldap, IIRC) require that the cert be separate from the private key, and the private key be unencrypted.

    If you're using a commercial cert, you can request just one, I believe - make sure you dump the private key first, so that you have it for postfix/ldap.

    Lots (and lots) of info on the web about this.

  5. #15 ericding (Intermediate Member, joined Mar 2006, 19 posts)

    Quote Originally Posted by marcmac
    To expand on Kevin's response:

    Tomcat requires its cert in a particular format in the keystore file (cert and private key bundled together).

    Postfix, on the other hand (and ldap, IIRC) require that the cert be separate from the private key, and the private key be unencrypted.
    So if I understand you correctly, the script should be modified so that only one certificate request is generated and signed, all with openssl, and then somehow the cert and key can be combined in a way that is compatible with Tomcat's keystore, no? Or is this the point of difficulty/impossibility? Does this page help?

    http://mark.foster.cc/kb/openssl-keytool.html
    Last edited by ericding; 03-08-2006 at 08:19 PM.

  6. #16 marcmac (Expert Member, joined Sep 2005, 2,103 posts)

    That's right, though getting the keystore to play nice with openssl is not something I've had luck with. I've been to the link you provided, which has some good info.

    Supposedly, tomcat will handle pkcs12 certs, but I can't make that happen, either. (Inasmuch as I'm mostly concerned with the self-signed certs, for initial setup, it's not a huge priority to automate - since self-signed certs are free.)

  7. #17 ericding (Intermediate Member, joined Mar 2006, 19 posts)
    Title: eureka (again)!

    Quote Originally Posted by marcmac
    Supposedly, tomcat will handle pkcs12 certs, but I can't make that happen, either. (Inasmuch as I'm mostly concerned with the self-signed certs, for initial setup, it's not a huge priority to automate - since self-signed certs are free.)
    OK, after another two hours of hacking, I've got it working. Can I get a tip or something? Here's what it took.

    First, I had to convert the OpenSSL cert/key into a format that Tomcat would be happy with:
    Code:
    openssl pkcs12 -export -in server.crt -inkey server.key -out tomcat.pkcs12 \
         -name tomcat -password pass:zimbra
    Then, I had to get Tomcat to use my new pkcs12 file. At first it balked when I simply copied it into the standard keystore location, throwing a Java exception indicating that it was an invalid keystore format. Tomcat documentation, though out of date as far as the openssl command was concerned, led the way. What I needed to do was add a keystoreType argument to server.xml (actually, server.xml.in, since Zimbra overwrites server.xml on startup):
    Code:
        <Connector port="%%zimbraMailSSLPort%%"
            enableLookups="false"
            maxThreads="100" minSpareThreads="100" maxSpareThreads="100"
            scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreType="PKCS12"
            keystoreFile="/opt/zimbra/tomcat/conf/tomcat.pkcs12" keystorePass="zimbra"/>
    Of course, this was just for testing; in implementing this change throughout, you'd need to also add the keystoreType argument for the admin services connector. Note also that here I've copied my generated pkcs12 file over to /opt/zimbra/tomcat/conf; for some reason, though, if I name the file "keystore", Tomcat seems unhappy -- it exits with a Java socket exception when I try to connect. Maybe I'm doing something wrong there, but I couldn't figure out what it might be. So I've just left it named tomcat.pkcs12.

    But what all this should mean is that y'all can change zmcreatecert to just use openssl all the way through, resulting in server.crt and server.key being created. Then zmcertinstall would just run the following for the "mailbox" option:
    Code:
    openssl pkcs12 -export -in server.crt -inkey server.key \
         -out ${TCONF}/tomcat.pkcs12 -name tomcat -password pass:zimbra
    No more keytool use is necessary at all. Of course, there's a sticky issue involved in the case of upgrade: you don't want to overwrite people's certs, but this change would involve an incompatibility between the current way and a new (simpler, cleaner) way of doing things.

  8. #18 marcmac (Expert Member, joined Sep 2005, 2,103 posts)

    Interesting - I was naming my pkcs12 cert "keystore", maybe that's what was breaking it. I'll check this out and see what I can do.

    Thanks again, Eric!

  9. #19 ericding (Intermediate Member, joined Mar 2006, 19 posts)

    Hmmm... so the web client is working fine via SSL, but the IMAP server isn't cooperating nearly as well. When trying to connect via strict SSL (port 993), my clients just time out!

    Is this because the IMAP SSL code is hardcoded somehow to look for the keystore file? I had deleted my request/cert from the keystore; adding it back in gets the IMAP server working again, though with a different cert than the web server's using...

    (after looking at the source code)... yup, there it is. Y'all have put the keystore file name in localconfig.xml (good), but have hard-coded the type of the keystore as "JKS" in OzTLSFilter.java. No wonder that naming the PKCS12 file as "keystore" was causing problems! For the time being, I've gone back to the separate certs for Tomcat vs. smtpd; but hopefully in the next release, y'all can simplify and unify all this stuff...
    Last edited by ericding; 03-09-2006 at 09:29 PM.
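    The failure mode in the last two posts (a PKCS12 bundle dropped into the path a JKS-only loader reads, producing the "invalid keystore format" exception) can be caught before Tomcat starts. The following Python check is an added example, not code from this thread or from Zimbra: it classifies a keystore file from its leading bytes (the JKS magic 0xFEEDFEED versus the DER SEQUENCE that opens a PKCS12/PFX file; the JCEKS case goes beyond what the thread discusses) and compares that with the keystoreType each SSL Connector in server.xml declares, defaulting to JKS as Tomcat does. The server.xml text, the file header bytes and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Leading bytes that identify the keystore formats a Java connector can load.
JKS_MAGIC = bytes.fromhex("feedfeed")      # Sun "JKS" keystore
JCEKS_MAGIC = bytes.fromhex("cececece")    # "JCEKS" keystore
DER_SEQUENCE = b"\x30"                     # PKCS12 (PFX) is a DER-encoded ASN.1 SEQUENCE


def sniff_keystore_type(data: bytes) -> str:
    """Classify a keystore file from its first bytes: JKS, JCEKS, PKCS12 or UNKNOWN."""
    if data[:4] == JKS_MAGIC:
        return "JKS"
    if data[:4] == JCEKS_MAGIC:
        return "JCEKS"
    if data[:1] == DER_SEQUENCE:
        return "PKCS12"
    return "UNKNOWN"


def sniff_keystore_file(path: str) -> str:
    """Same check against a file on disk; only the first 8 bytes are read."""
    with open(path, "rb") as fh:
        return sniff_keystore_type(fh.read(8))


def connector_keystores(server_xml: str) -> list:
    """Return (keystoreFile, declared keystoreType) for every SSL Connector.
    A Connector without keystoreType is treated as JKS, which is Tomcat's default."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("secure") != "true":
            continue
        found.append((conn.get("keystoreFile"), conn.get("keystoreType", "JKS").upper()))
    return found


def check_connectors(server_xml: str, file_bytes: dict) -> list:
    """Compare each connector's declared keystoreType with the format sniffed from the
    file's leading bytes. Returns (keystoreFile, declared, actual, matches) tuples."""
    findings = []
    for path, declared in connector_keystores(server_xml):
        actual = sniff_keystore_type(file_bytes.get(path, b""))
        findings.append((path, declared, actual, declared == actual))
    return findings


# Constructed sample (hypothetical paths and bytes): the mailbox connector is declared
# PKCS12 as in post #17, the admin connector is left at the default type, and the file
# at the "keystore" path is a PKCS12 bundle that was simply copied there, which is the
# situation that produced the "invalid keystore format" exception.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" scheme="https" secure="true" sslProtocol="TLS"
        keystoreType="PKCS12"
        keystoreFile="/opt/zimbra/tomcat/conf/tomcat.pkcs12" keystorePass="zimbra"/>
    <Connector port="7071" scheme="https" secure="true" sslProtocol="TLS"
        keystoreFile="/opt/zimbra/tomcat/conf/keystore" keystorePass="zimbra"/>
    <Connector port="80" scheme="http"/>
  </Service>
</Server>"""

PKCS12_HEADER = b"\x30\x82\x0b\x1c\x02\x01\x03"   # SEQUENCE, length, INTEGER version 3
JKS_HEADER = b"\xfe\xed\xfe\xed\x00\x00\x00\x02"  # JKS magic, version 2

SAMPLE_FILES = {
    "/opt/zimbra/tomcat/conf/tomcat.pkcs12": PKCS12_HEADER,
    "/opt/zimbra/tomcat/conf/keystore": PKCS12_HEADER,
}

if __name__ == "__main__":
    for path, declared, actual, ok in check_connectors(SAMPLE_SERVER_XML, SAMPLE_FILES):
        status = "ok" if ok else "MISMATCH"
        print(f"{status:8} {path}: declared {declared}, file looks like {actual}")
```

    Run against a real install, sniff_keystore_file() replaces the constructed byte strings; the admin connector in the sample reports a mismatch because its file is PKCS12 while the loader expects JKS, and a component with the type hard-coded (as OzTLSFilter.java was reported to be) would fail the same way regardless of what server.xml says.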

  10. #20 robrankin (Intermediate Member, joined Mar 2006, 22 posts)

    Quote Originally Posted by marcmac
    Interesting - I was naming my pkcs12 cert "keystore", maybe that's what was breaking it. I'll check this out and see what I can do.

    Thanks again, Eric!
    I've just been through a very similar hell as what's been documented here. Basically native Java Keystore format is wonky, IMO, with no easy route to importing OpenSSL certs/keys. Since my company has commercial certs, we want to use them on every single service that requires SSL.

    Here's what I did to get a native Keystore from a PEM format cert and separate keyfile:

    1.) openssl pkcs12 -inkey file.key -in file.crt -export -out file.pkcs12

    2.) java -classpath $JETTY_HOME/lib/org.mortbay.jetty.jar org.mortbay.util.PKCS12Import file.pkcs12 keystore

    Hint: download Jetty if it's not already there. This step is what converts a PKCS12 cert into a JKS keystore.

    3.) keytool -import -keystore keystore -trustcacerts -file /path/to/cacert/cacert.cer

    Hint: if you need to import your CA cert.

    In my case I've now used the keystore on two separate Java apps (Wildfire and Confluence) but have not yet tested on Zimbra. Now that I've done it I should just be able to copy the keystore file around and rename it to whatever the application is expecting (seemed to work with Confluence anyhow).

    Hope it helps. I'll give it a go on Zimbra sometime in the next couple days.
    Last edited by robrankin; 03-28-2006 at 03:51 AM.
