  #1 (permalink)  
Old 09-08-2009, 11:42 AM
Active Member
 
Posts: 30
Commercial Certs for Multi-Server Install

I apologize if this has been addressed elsewhere, but I can't seem to find much about it in forum posts or the documentation.

We recently moved from a single server install to a multi server install. With our single server, all I did to generate CSRs and install certs was use the web interface. With multi-server it seems a bit more complicated than that.

Our setup:

mail.domain.edu consists of zcs-ldap.domain.edu, zcs-mta.domain.edu, zcs-ms.domain.edu

Zimbra proxy runs on our mta. Before I start playing with installing commercial certs (and likely break everything), I was hoping someone who has done this before can answer a few questions.

1. Is it true that I cannot simply use the admin web console to install the certs? If I need to (or want to) install via command line, where would be the appropriate place to find documentation? I found documentation for self signed multi-server and commercial single server, but nothing for commercial multi-server.
2. If I really just want a commercial cert for https, is a cert for mail.domain.edu enough? Is the install process different?
3. If we want commercial certs for everything else, do I need to generate separate certs for zcs-ldap.domain.edu, etc as well as a separate one for https?
4. Do I need (or should I get) a wildcard cert?

Any help would be greatly appreciated. Thanks in advance.
  #2 (permalink)  
Old 09-08-2009, 11:44 AM
raj
Moderator
 
Posts: 758

Some answers can be found at:
5.x Commercial Certificates Guide - Zimbra :: Wiki

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
  #3 (permalink)  
Old 09-08-2009, 11:58 AM
Active Member
 
Posts: 30

That wiki page does have some information on command line options (unfortunately I am not using any of those cert vendors), but it doesn't have much information in terms of multi-server requirements - i.e. if I can use the web interface, what kind of certs I need for each node, if I need wildcard certs, and if I can install a https cert only.
  #4 (permalink)  
Old 09-08-2009, 12:53 PM
Trained Alumni
 
Posts: 70

Quote:
Originally Posted by jterhune
1. Is it true that I cannot simply use the admin web console to install the certs? If I need to (or want to) install via command line, where would be the appropriate place to find documentation? I found documentation for self signed multi-server and commercial single server, but nothing for commercial multi-server.

The admin interface is handy, but does not work in all situations we have encountered. I would recommend getting comfortable with the CLI tools for cert management; it is actually less confusing in the end. I also believe that for the proxy server you have to install it via CLI.

Quote:
2. If I really just want a commercial cert for https, is a cert for mail.domain.edu enough? Is the install process different?

You only need a cert for the domains to which clients are connecting. So if you have a bunch of mail stores on the backend, but they are all serving mail.domain.edu through the proxy, you only need a cert for mail.domain.edu.

Quote:
3. If we want commercial certs for everything else, do I need to generate separate certs for zcs-ldap.domain.edu, etc as well as a separate one for https?

You can keep all the internal communication using the self-signed certs and only use the commercial cert for the web-client access that actual users will be hitting.

Quote:
4. Do I need (or should I get) a wildcard cert?

From my personal experience, I would avoid wildcard certs. Browsers do not handle them in a universal manner, so you are likely to get varying results.
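Added example (not part of the thread and not Zimbra tooling): a pre-deployment check of which hostnames a certificate's names cover, using the hostnames from the first post. The matching rules are the usual RFC 6125-style ones written out by hand, and the function names are hypothetical.

```python
# Added example: hostnames come from the thread; the name-matching rules are
# the common RFC 6125-style ones, written out here (not taken from Zimbra).

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (CN or SAN entry) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        # Wildcard accepted only as the whole leftmost label, with at least
        # two fixed labels after it (so "*.edu" covers nothing).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(cert_names, hostnames):
    """Hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Name the users connect to (served by the proxy) vs. the internal nodes.
CLIENT_FACING = ["mail.domain.edu"]
INTERNAL = ["zcs-ldap.domain.edu", "zcs-mta.domain.edu", "zcs-ms.domain.edu"]


def report(cert_names):
    """Split the result so a gap on the client-facing name stands out."""
    return {"client_facing_missing": uncovered(cert_names, CLIENT_FACING),
            "internal_not_covered": uncovered(cert_names, INTERNAL)}


if __name__ == "__main__":
    # Constructed cases: single-name cert, wildcard cert, and a cert issued
    # for the proxy host's own name instead of the name users connect to.
    for names in (["mail.domain.edu"], ["*.domain.edu"], ["zcs-mta.domain.edu"]):
        print(names, report(names))
```

An empty `client_facing_missing` list is the condition that matters for browser access; entries under `internal_not_covered` are expected when the internal nodes stay on self-signed certificates.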
  #5 (permalink)  
Old 09-08-2009, 01:14 PM
Active Member
 
Posts: 30

Awesome. Thanks for the help.

Do you happen to know of any documentation for just adding a https cert via the cli? I don't want to damage any self-signed certs in the process.

Also, should the cert go on the proxy server, or should it go on the mailstore that the proxy server is directing to?
  #6 (permalink)  
Old 09-08-2009, 03:21 PM
Zimbra Employee
 
Posts: 601

The official wiki page contains info on the cli. Administration Console and CLI Certificate Tools - Zimbra :: Wiki

You want to deploy the ssl certs on the proxy. Communication between the proxy and the mail store is always over http.