VALID FOR: Release 5.0.19_GA_3083.RHEL5_64_20090918162340 CentOS5_64 FOSS edition
I wanted to create a self-signed CA which is valid for more than one year and then create a server certificate with SubjectAltNames.
First we need fix some zmcertmgr bugs, so it really does what we want it to:
Create the CA with a validity of 10 years and check its certificate (run as root):
# cd /tmp
# wget ftp://ftp.fl.priv.at/pub/zimbra/patches/5.0.19/patch-zmcertmgr
# cd /
# patch -p0 --verbose < /tmp/patch-zmcertmgr
Create a Server Certificate which is valid for 3 years and test it (run as root):
# rm -f /opt/zimbra/ssl/zimbra/ca/index.txt*
# touch /opt/zimbra/ssl/zimbra/ca/index.txt
# /opt/zimbra/bin/zmcertmgr createca -new -days 3650 \
-subject "/C=AT/ST=N\/A/L=N\/A/O=MYORG/OU=Zimbra CA/CN=server.domain.com"
# openssl x509 -in /opt/zimbra/ssl/zimbra/ca/ca.pem -noout -text | \
grep "\(Not Before:\|After :\)\|\(Issuer:\)"
Finally install the certificate and check that Zimbra is using the correct one (run as root):
# /opt/zimbra/bin/zmcertmgr createcrt -new -days 1095 -subject \
"/C=AT/ST=N\/A/L=N\/A/O=MYORG/OU=IT/CN=server.domain.com" -subjectAltNames \
# openssl x509 -in /opt/zimbra/ssl/zimbra/server/server.crt -noout -text
Don't forget to restart ZCS.
# /opt/zimbra/bin/zmcertmgr deploycrt
# /opt/zimbra/bin/zmcertmgr viewdeployedcrt