ZCS NE self signed certs: ca cert invalid for windows?

[k3rmit]

Hi,

i'm trying to get a usable form of ca certificate from my zimbra installation, still to no avail.

i read lot in the forums and in the wiki about the topic and, like other did, i found out that the certificates generated with version 5 miss the path to the root certification authority, something that's creating a lot of issues in my network.

I had to recreate the self signed certificates lately with the Admin web gui, everything went along fine, all certificates have been created, renewed and applied.
In my network i install certificates on all PCs via the Windows Active Directory Domain Policies. The previous Zimbra certificates have been created in version 4.5, so i could extract easily the root certificate, export it and install it via group policy.
This isn't possible with the new certificates, therefore i tried to figure out a way to do it.

Unfortunately all trials to install the ca.pem (or any export of it, even a pkcs12 created with the help of the ca.key file) under /opt/zimbra/ssl/zimbra/ca in the Trusted Root Certificate Authorities of the User certificates made Internet Explorer complain (Cannot display the Web Page): as soon as i remove the installed ca certificate IE starts to work again, although with the pesky security warning.
Nor IE neither Windows are very helpful in indicating why on earth the browser refuses to load the web page, with no verbose motivation on the page or on any log file.... it looks like it thinks that the ca certificate isn't valid for the certificate loaded from the server.

Considering this is causing annoying issues, among which the free/busy calendar check under Outlook, is there a way to do it in the proper way??

Thanks in advance to anyone helping out.


Alberto

[k3rmit]

Bump.........

[brian]

I had no problem taking /opt/zimbra/ssl/zimbra/ca/ca.pem and importing into IE8 on Windows XP. This was from a ca created with ZCS 5.0.16.

No conversion to pkcs12 was necessary. I had to select all files while importing because there wasn't a default choice for .pem but IE recognized the file format once selected.

[k3rmit]

Hi,

unfortunately it doesn't work for my installation. I cannot import the ca.pem directly, i have to import from the certificate snap-in in Windows' mmc.

I'm using Windows Vista btw, but reproduced it in XP as well.

Thanks again

[kinux]

I too had a hard time getting the certificates into either Windows XP (w/ Internet Explorer 8) or as a Trusted Certificate Authority on my Windows Server 2003 Domain Controller. With my old system & self-signed certs, I could view the certificate in IE8 and click the 'Install Certificate', then "Automatically select the certificate store based on the type of certificate" and it would work fine. I even had my old certs setup in the "Trusted Root Certification Authority" on the Windows 2003 box and all of the connecting Windows machines would receive the certificates no problem. THEN, I moved to Zimbra, and none of my old tricks of importing the certs worked. I tried exporting it out from IE7, IE8, Firefox (in every possible format), and then I directly grabbed the ca.pem from the server and nothing worked. After a few days of trial and error, I found the formula that worked for me.

For individual computers (tested on Windows XP w/ IE7 & IE8), I used the "Certificate" snap-in in MMC and imported the certificate directly in the Trusted Root Certification Authority. For Group Policy on Windows 2003, I first imported my cert (using the ca.pem from the server) using the Group Policy Editor in the Trusted Certificate Authority. Then, I used the MMC console (on the Server 2003 machine) and imported it into the Trusted Certificate Authority. I don't claim to be an expert on Windows (I'm a *nix guy personally), but the added step of importing it through MMC on the server made the certificate error messages go away for my Windows clients.

If that doesn't work, my generic advice for certificate problems would be to make sure the URL you're typing in for your Zimbra server is what's listed on the certificate "Issued To" and "Issued By" fields. If for example, your certificate is for "random.domain.tld", and you use the IP address of the Zimbra server as the incoming/outgoing mail server, then even if you've successfully imported the cert, you will continue to receive an error.

For anyone else that stumbles on this page looking for certificate help, I found this page to be a good step-by-step on how to import into group policy.
Deploying a Self-Signed Root Certificate with Group Policy

[rmvg]

So what is the state of Zimbra cert how do I make them work?