I've never been able to get the basic StartSSL cert to work with Zimbra. I don't know if it's me, or if it's StartSSL, but I get the following message when installing it via the CLI:
Code:
XXXXX ERROR: Unmatching certificate (/tmp/ssl.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.
And the following message when installing it via the admin console:
Code:
Message: invalid request: missing required attribute: server Error code: service.INVALID_REQUEST Method: GetCertRequest Details:soap:Sender
As far as I know, I'm doing everything correctly. I generate a new certificate signing request via the admin console, give the CSR to StartSSL (which they like), and they generate a certificate for me.
My hunch is that the problem lies with the way my Zimbra server is named. The server itself is named friendlyname.ourdomain.com, but the certificate needs to be for mail.ourdomain.com.
When generating the CSR, I specify "mail.ourdomain.com" as the common name. Should it be a Subject Alternative Name instead....or both?
Or, perhaps, it is a StartSSL problem as "All content of the certificate signing request is ignored except its public key."?
We used to use ipsCA certs and never had an issue (until their CA cert expired)...
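Added example (not part of the original post): the CLI error above says the certificate and the private key are not a pair, which can be checked outside Zimbra by comparing the public key each file carries; the script also prints the subject and any Subject Alternative Names that ended up in the issued certificate. It assumes the `openssl` command is installed; the function names and the throwaway sample files are made up for this illustration.

```shell
#!/bin/sh
# Added example: compare the public key carried by a key, a CSR and a certificate.

# Print the PEM public key inside FILE; KIND is key, csr or cert.
pubkey_of() {
    case "$2" in
        key)  openssl pkey -in "$1" -pubout ;;
        csr)  openssl req  -in "$1" -noout -pubkey ;;
        cert) openssl x509 -in "$1" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# same_pubkey FILE_A KIND_A FILE_B KIND_B: exit 0 only if both parse and match.
same_pubkey() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the subject and any Subject Alternative Names of a certificate.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Constructed sample data: two throwaway keys, plus a CSR and a self-signed
# certificate for the first key, written to directory $1.
make_demo() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
    openssl req -new -key "$1/a.key" -subj "/CN=mail.ourdomain.com" \
        -out "$1/a.csr" 2>/dev/null
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/a.crt" 2>/dev/null
}

# Usage: sh check.sh CERT KEY
if [ "$#" -eq 2 ]; then
    cert_names "$1"
    if same_pubkey "$1" cert "$2" key; then echo "certificate and key match"
    else echo "certificate and key do NOT match"; fi
fi
```

Running `same_pubkey` on the CSR and the issued certificate as well shows whether the certificate was issued for the CSR that belongs to the key currently on the server.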