
Thread: zmcreatecert usage of keytool

  1. #21
    robrankin

    Right, got Zimbra using my commercial certs. After Step 2 above:

    2.1) keytool -keystore keystore -keyclone -alias 1 -dest tomcat

    When you create the keystore in step 2, the cert alias is "1". Copy the cert in the keystore to a new alias of "tomcat" and then:

    2.2) keytool -delete -alias 1 -keystore keystore

    And now tomcat will use my commercial certs. w00t

    I also replaced the SMTP certs, but I'm curious where else Zimbra uses SSL that might need to be touched?
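
A check for the outcome of steps 2.1 and 2.2 in post #21, as an added example that is not part of the original thread. The helper name `check_tomcat_alias` is hypothetical, the listings are constructed, and the entry-line layout `<alias>, <date>, <entry type>,` is assumed to match what `keytool -list` prints.

```shell
#!/bin/sh
# Reads `keytool -list` output on stdin. Succeeds only when alias "tomcat"
# is a private-key entry and the old alias "1" is gone.
# Live use: keytool -list -keystore keystore | check_tomcat_alias
check_tomcat_alias() {
    awk '
        # Older JDKs label a key pair "keyEntry", newer ones "PrivateKeyEntry".
        /(keyEntry|PrivateKeyEntry|trustedCertEntry),? *$/ {
            alias = $0
            sub(/,.*/, "", alias)      # alias is the text before the first comma
            is_cert = ($0 ~ /trustedCertEntry/)
            if (alias == "1") stale = 1
            if (alias == "tomcat") {
                if (is_cert) cert_only = 1
                else have_key = 1
            }
        }
        END {
            if (stale)     { print "alias 1 still present (step 2.2 not done)"; exit 1 }
            if (cert_only) { print "tomcat is a certificate without a private key"; exit 1 }
            if (!have_key) { print "no key entry under alias tomcat (step 2.1 not done)"; exit 1 }
            print "ok: key entry is under alias tomcat, alias 1 removed"
        }
    '
}

# Constructed listing as it would look between steps 2.1 and 2.2.
# The fingerprint is a placeholder, not a real value.
SAMPLE_AFTER_CLONE='Keystore type: jks
Your keystore contains 2 entries

1, Mar 20, 2006, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
tomcat, Mar 20, 2006, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Constructed listing after step 2.2 has deleted alias 1.
SAMPLE_DONE='Keystore type: jks
Your keystore contains 1 entry

tomcat, Mar 20, 2006, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

printf '%s\n' "$SAMPLE_AFTER_CLONE" | check_tomcat_alias || true
printf '%s\n' "$SAMPLE_DONE" | check_tomcat_alias
```

The `trustedCertEntry` branch covers a keystore where only the certificate was imported under `tomcat`, which leaves Tomcat without a private key to serve TLS.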

  2. #22
    KevinH

    Quote Originally Posted by robrankin
    I also replaced the SMTP certs, but I'm curious where else Zimbra uses SSL that might need to be touched?
    I think also in OpenLDAP but Marc would know for sure. If you find any new information/solutions please add it to the wiki for the next person.

    http://wiki.zimbra.com/index.php?tit...icate_Problems

    http://wiki.zimbra.com/index.php?tit...l_Certificates
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  3. #23
    ericding

    Quote Originally Posted by ericding
    Y'all have put the keystore file name in localconfig.xml (good), but have hard-coded the type of the keystore as "JKS" in OzTLSFilter.java. No wonder that naming the PKCS12 file as "keystore" was causing problems! For the time being, I've gone back to the separate certs for Tomcat vs. smtpd; but hopefully in the next release, y'all can simplify and unify all this stuff...
    Just bumping this thread back up to find out if any progress has been made in simplifying and unifying the SSL cert generation code in the latest release of ZCS... marc?

  4. #24
    KevinH

    Quote Originally Posted by ericding
    Just bumping this thread back up to find out if any progress has been made in simplifying and unifying the SSL cert generation code in the latest release of ZCS... marc?
    3.1 has several changes/fixes to the cert scripts based on the community's testing here. So please try it and let us know how it works for you. If you still see problems file a bug in bugzilla.

  5. #25
    ericding

    Quote Originally Posted by KevinH
    3.1 has several changes/fixes to the cert scripts based on the community's testing here. So please try it and let us know how it works for you. If you still see problems file a bug in bugzilla.
    Hmmm... we've upgraded from 3.0.1 to 3.1 on our server, and diff tells me that zmcreatecert hasn't changed a bit! Nor has zmssl.cnf.in or zmcreateca. Where are these changes you're referring to?

    My hope is that y'all might consider the tweaks I've suggested so that rather than using keytool at all, you'd only need to use openssl and PKCS12 certs (see my posts above)... but at least for now, my hacks as described in earlier posts still serve us well on our server.

  6. #26
    KevinH

    Quote Originally Posted by ericding
    Hmmm... we've upgraded from 3.0.1 to 3.1 on our server, and diff tells me that zmcreatecert hasn't changed a bit! Nor has zmssl.cnf.in or zmcreateca. Where are these changes you're referring to?

    My hope is that y'all might consider the tweaks I've suggested so that rather than using keytool at all, you'd only need to use openssl and PKCS12 certs (see my posts above)... but at least for now, my hacks as described in earlier posts still serve us well on our server.
    Did you post them to bugzilla? In general tweaks/suggestions on the forums are lost as we can't track/assign them like we do in bugzilla. We used to be able to work off the forums directly but things are getting a bit too big for us to manage that way. So it's best if you file them.

  7. #27
    ericding

    Quote Originally Posted by KevinH
    Did you post them to bugzilla? In general tweaks/suggestions on the forums are lost as we can't track/assign them like we do in bugzilla. We used to be able to work off the forums directly but things are getting a bit too big for us to manage that way. So it's best if you file them.
    We sure did. It sits languishing in the queue as unconfirmed bug 6358. I had thought there'd be traction leading up to the release of 3.1, since marcmac mentioned in this thread that he was working on this, but I guess not...

  8. #28
    KevinH

    Quote Originally Posted by ericding
    We sure did. It sits languishing in the queue as unconfirmed bug 6358. I had thought there'd be traction leading up to the release of 3.1, since marcmac mentioned in this thread that he was working on this, but I guess not...
    Yeah unclear if Marc got back to this after it didn't work the first time. I pushed the bug over so it's in his queue. As you can imagine there's always more to work on than we have time, and things that *work* today are usually much lower down on the list.
