Installing an existing commercial wildcard SSL certificate

[kingark]

I might be missing something here but as a total novice with SSL certificates I can not find what I am looking to do in any previous posts.

We have a wildcard SSL certificate that is installed on several other linux servers (server1.mydomain.com, server2.mydomain.com) and now want to have it cover the mail server (mail.mydomain.com), having the certificate generated somewhere else to cover the *.mydomain.com I do not need to generate a csr on the Zimbra server but there seems to be no way to install a commercial cert with out initiating a csr first.

This is where I am lost, can I use this wildcard with Zimbra?
I am playing withe the cert on a open source version 6.0.4 but will eventually move it onto our production network edition 6.0.4 both RHEL4_64

Not even sure what other info to tell, any help is much appreciated in advance.

Dave

[bdial]

you need to use the command line zmcertmgr there should be info on Main Page - Zimbra :: Wiki about it. basically you just need to install the cert and intermediary without the whole csr step.

[vbn]

In our setup we move our key, csr and crt files to the servers to deploy.
Assuming you have a wildcard SSL Cert and are deploying without re-keying it with the authority, the following should work. (This is on ver 6.0.4 Open)

As root -

mkdir /root/certs
* move your keyfile, csrfile and crtfile here *
* also required will be a bundle crt file from your CA *

cp bundlecrt commercial_ca.crt
cp crtfile commercial.crt
cp keyfile commercial.key

cp commercial.key /opt/zimbra/ssl/zimbra
mv commercial.key /opt/zimbra/ssl/zimbra/commercial

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key commercial.crt commercial_ca.crt

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
/opt/zimbra/java/bin/keytool -import -alias root -keystore


This will help you avoid LDAP startup problems:
/opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

I have just expanded the steps to help you understand whats happening. You can always shorten them as per your expertise
Please change bundlecrt, keyfile, crtfile to your respective filenames.

Cheers !

[kingark]

Thanks for the info.
I was missing the "fakeing out" with the key file used to generate the csr on the other server, we will try to implement this today and will post back with the results.

[ExcitedByNoise]

I'm trying to follow this thread. But I am having a little trouble. I want to install my wildcard with a csr generated on another machine. I see it talks about faking out Zimbra using the csr from the other machine, but I do not see how they are doing that. I keep getting errors trying to install my wildcard because it wasn't generated with the matching information.

[gettyless]

I'm trying to follow this thread. But I am having a little trouble. I want to install my wildcard with a csr generated on another machine. I see it talks about faking out Zimbra using the csr from the other machine, but I do not see how they are doing that. I keep getting errors trying to install my wildcard because it wasn't generated with the matching information.

Have you looked over the wiki? There's a lot of information about this here: 5.x Commercial Certificates Guide - Zimbra :: Wiki

You mention commercial cert but the apache docs might help too:

SSL/TLS Strong Encryption: FAQ - Apache HTTP Server

[ExcitedByNoise]

It's a commercial wildcard cert. It's from Alpha, but when I try to install it from the CLI it verifies the key against the cert, but it fails I think when it tries to verify the chain. I get an error 2 at depth 1. I have the commercial.key, commercial.crt, and commercial_ca.crt that I used on my other server as well as the csr that was used for the wildcard cert. There were no intermediaries given by the cert provider.

Edit: I got a different Root CA File and an Intermediate CA file from my provider. Now I get a different error:

[root@mail zimbra]# /opt/zimbra/bin/zmcertmgr verifycrt comm** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: /C=US/OU=Domain Control Validated/O=*.mydomain.com/CN=*.mydomain.com
error 20 at 0 depth lookup:unable to get local issuer certificate

[ExcitedByNoise]

Ok, one more update. I thought I was getting somewhere:

[root@mail zimbra]# /opt/zimbra/bin/zmcertmgr verifycrt comm** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

However, when I go to deploy:

[root@mail zimbra]# /opt/zimbra/bin/zmcertmgr deploycrt comm
** Retrieving server config key zimbraSSLCertificate...done.
** Retrieving server config key zimbraSSLPrivateKey...done.
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.
[root@mail zimbra]#

Edit: A more complete log

[root@mail zimbra]# /opt/zimbra/bin/zmcertmgr verifycrt comm** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
[root@mail zimbra]# /opt/zimbra/bin/zmcertmgr deploycrt comm** Retrieving server config key zimbraSSLCertificate...done.
** Retrieving server config key zimbraSSLPrivateKey...done.
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.
[root@mail zimbra]# /opt/zimbra/bin/zmcertmgr verifycrt comm
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
[root@mail zimbra]#

[i2ambler]

Did you guys ever get this to work? I am getting the same error 2 at 1 depth lookup error..

[kingark]

No we never got it to work, we ended up moving to a hosted Zimbra solution (not for the reason of the cert) and they put the certificate on the shared installation.