
Thread: Installing an existing commercial wildcard SSL certificate

  1. #1
    kingark is offline New Member
    Join Date
    Aug 2008
    Posts
    3
    Rep Power
    7

    Installing an existing commercial wildcard SSL certificate

    I might be missing something here, but as a total novice with SSL certificates I cannot find what I am looking to do in any previous posts.

    We have a wildcard SSL certificate that is installed on several other Linux servers (server1.mydomain.com, server2.mydomain.com) and now want to have it cover the mail server (mail.mydomain.com). Having the certificate generated somewhere else to cover *.mydomain.com, I do not need to generate a CSR on the Zimbra server, but there seems to be no way to install a commercial cert without initiating a CSR first.

    This is where I am lost: can I use this wildcard with Zimbra?
    I am playing with the cert on an open source version 6.0.4 but will eventually move it onto our production Network Edition 6.0.4, both RHEL4_64.

    Not even sure what other info to tell, any help is much appreciated in advance.

    Dave

  2. #2
    bdial is offline Moderator
    Join Date
    Jul 2007
    Location
    Baltimore
    Posts
    1,649
    Rep Power
    11

    You need to use the command-line zmcertmgr; there should be info on Main Page - Zimbra :: Wiki about it. Basically you just need to install the cert and intermediary without the whole CSR step.

  3. #3
    vbn is offline Active Member
    Join Date
    Dec 2009
    Location
    Singapore and India
    Posts
    42
    Rep Power
    5

    In our setup we move our key, csr and crt files to the servers to deploy.
    Assuming you have a wildcard SSL Cert and are deploying without re-keying it with the authority, the following should work. (This is on ver 6.0.4 Open)


    As root -

    mkdir /root/certs
    # move your keyfile, csrfile and crtfile here
    # also required will be a bundle crt file from your CA
    cd /root/certs

    cp bundlecrt commercial_ca.crt
    cp crtfile commercial.crt
    cp keyfile commercial.key

    cp commercial.key /opt/zimbra/ssl/zimbra
    mv commercial.key /opt/zimbra/ssl/zimbra/commercial

    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key commercial.crt commercial_ca.crt

    /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

    This will help you avoid LDAP startup problems:

    /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

    I have just expanded the steps to help you understand what's happening. You can always shorten them as per your expertise.
    Please change bundlecrt, keyfile, crtfile to your respective filenames.

    Cheers !

  4. #4
    kingark is offline New Member
    Join Date
    Aug 2008
    Posts
    3
    Rep Power
    7

    Thanks for the info.
    I was missing the "faking out" with the key file used to generate the CSR on the other server. We will try to implement this today and will post back with the results.

  5. #5
    Join Date
    Feb 2010
    Posts
    13
    Rep Power
    5

    I'm trying to follow this thread. But I am having a little trouble. I want to install my wildcard with a csr generated on another machine. I see it talks about faking out Zimbra using the csr from the other machine, but I do not see how they are doing that. I keep getting errors trying to install my wildcard because it wasn't generated with the matching information.

  6. #6
    gettyless is offline Loyal Member
    Join Date
    Mar 2007
    Posts
    95
    Rep Power
    8

    Originally Posted by ExcitedByNoise:
    "I'm trying to follow this thread. But I am having a little trouble. I want to install my wildcard with a csr generated on another machine. I see it talks about faking out Zimbra using the csr from the other machine, but I do not see how they are doing that. I keep getting errors trying to install my wildcard because it wasn't generated with the matching information."

    Have you looked over the wiki? There's a lot of information about this here: 5.x Commercial Certificates Guide - Zimbra :: Wiki

    You mention commercial cert but the apache docs might help too:

    SSL/TLS Strong Encryption: FAQ - Apache HTTP Server

  7. #7
    Join Date
    Feb 2010
    Posts
    13
    Rep Power
    5

    It's a commercial wildcard cert. It's from Alpha, but when I try to install it from the CLI it verifies the key against the cert, but it fails I think when it tries to verify the chain. I get an error 2 at depth 1. I have the commercial.key, commercial.crt, and commercial_ca.crt that I used on my other server as well as the csr that was used for the wildcard cert. There were no intermediaries given by the cert provider.

    Edit: I got a different Root CA File and an Intermediate CA file from my provider. Now I get a different error:

    [root@mail zimbra]# /opt/zimbra/bin/zmcertmgr verifycrt comm
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: /C=US/OU=Domain Control Validated/O=*.mydomain.com/CN=*.mydomain.com
    error 20 at 0 depth lookup:unable to get local issuer certificate
    Last edited by ExcitedByNoise; 03-04-2010 at 10:54 AM. Reason: Update

  8. #8
    Join Date
    Feb 2010
    Posts
    13
    Rep Power
    5

    Ok, one more update. I thought I was getting somewhere:

    [root@mail zimbra]# /opt/zimbra/bin/zmcertmgr verifycrt comm
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

    However, when I go to deploy:

    [root@mail zimbra]# /opt/zimbra/bin/zmcertmgr deploycrt comm
    ** Retrieving server config key zimbraSSLCertificate...done.
    ** Retrieving server config key zimbraSSLPrivateKey...done.
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
    XXXXX ERROR: provided cert isn't valid.
    [root@mail zimbra]#

    Edit: A more complete log
    [root@mail zimbra]# /opt/zimbra/bin/zmcertmgr verifycrt comm
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
    [root@mail zimbra]# /opt/zimbra/bin/zmcertmgr deploycrt comm
    ** Retrieving server config key zimbraSSLCertificate...done.
    ** Retrieving server config key zimbraSSLPrivateKey...done.
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
    XXXXX ERROR: provided cert isn't valid.
    [root@mail zimbra]# /opt/zimbra/bin/zmcertmgr verifycrt comm
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
    [root@mail zimbra]#
    Last edited by ExcitedByNoise; 03-04-2010 at 02:27 PM.
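
Added example, not part of any post in this thread and not Zimbra's own code: the two properties the zmcertmgr output above reports on (key/certificate match, and whether the certificate chains to the supplied CA bundle) checked directly with openssl before anything is copied into /opt/zimbra. The function names are hypothetical, the CA and wildcard certificate are constructed throwaway test material, and an openssl that has the `pkey` command (1.0 or later) is assumed.

```shell
#!/bin/sh
# Added example: pre-deployment checks on a key / certificate / CA bundle set.
# Function names are hypothetical; all PKI material is constructed test data.

# Succeeds when the private key and the certificate hold the same public key.
key_matches_cert() {    # usage: key_matches_cert KEY CRT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Succeeds when CRT chains to a CA in BUNDLE, by looking for the ": OK"
# line that "openssl verify" prints on success.
chain_ok() {            # usage: chain_ok CRT BUNDLE
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Prints the "error N at D depth lookup" line(s) from a failed verification.
chain_error() {         # usage: chain_error CRT BUNDLE
    openssl verify -CAfile "$2" "$1" 2>&1 | grep '^error [0-9]* at'
}

# Builds a constructed CA, a wildcard leaf signed by it, and an unrelated
# self-signed certificate with its own key (stands in for the wrong files).
make_demo_pki() {       # usage: make_demo_pki DIR
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed CA" -keyout ca.key -out ca.crt &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Unrelated CA" -keyout other.key -out other.crt &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=*.example.test" -keyout leaf.key -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out leaf.crt
    ) >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_pki "$demo"
key_matches_cert "$demo/leaf.key" "$demo/leaf.crt" && echo "right key: match"
key_matches_cert "$demo/other.key" "$demo/leaf.crt" || echo "wrong key: mismatch"
chain_ok "$demo/leaf.crt" "$demo/ca.crt" && echo "right bundle: chain OK"
chain_error "$demo/leaf.crt" "$demo/other.crt" || true   # wrong bundle: error 20
rm -rf "$demo"
```

Verifying the constructed leaf against a bundle that lacks its issuer reproduces the "error 20 at 0 depth lookup" line quoted in post #7.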

  9. #9
    i2ambler is offline Special Member
    Join Date
    Jan 2010
    Posts
    161
    Rep Power
    5

    Did you guys ever get this to work? I am getting the same error 2 at 1 depth lookup error..

  10. #10
    kingark is offline New Member
    Join Date
    Aug 2008
    Posts
    3
    Rep Power
    7

    No, we never got it to work. We ended up moving to a hosted Zimbra solution (not for the reason of the cert) and they put the certificate on the shared installation.
