
Thread: Trusting self-signed certificates

  1. #1 EnSn

    Trusting self-signed certificates

    Hi,
    I've been working on this issue for some time now and just can't seem to figure out where I'm going wrong. I'm trying to get Internet Explorer 8 to trust the certificate presented by Zimbra in the ZWC, but no matter what I try, I just can't get a trusted connection. All my users are getting the warning page in IE8 and have to click on the 'continue to this page' link to get to the Zimbra login page. This page also appears sometimes when they're working within Zimbra -- e.g. opening PDF attachments -- and is interrupting to say the least.

    I have tried importing the certificate into various places including the 'Trusted Root Certification Authorities' store as is recommended in various places and it makes no difference. I double-checked that the certificates were in fact imported into these stores using the Certificates MMC console. I've made sure that the domain for the zimbra host matches the certificate. The workstations are running XP SP3 with latest IE8, but I also had this problem on IE7 before upgrading.

    Any help with this would be greatly appreciated. Thank you.

  2. #2 EnSn

    Well, I finally made some progress. Of course, being relatively new to CAs, certificate trust chains, etc., I ended up wasting half my day figuring it out.

    Most of the research I did pointed to importing the certificate presented to the browser when using the ZWC into the Trusted Root Certification Authorities store, which no matter how many dozens of ways I did it made no difference. I ended up going into /opt/zimbra/ssl/zimbra/ca and converting the PEM format ca.pem certificate into Windows compatible DER format:

    openssl x509 -inform PEM -in ca.pem -outform DER -out ca.cer

    Then I imported this into the Trusted Root Certification Authorities store and finally I'm not getting the warnings from IE.

    I did have one more question for anyone knowledgeable with certificates and domains/DNS. I'd like to use the server's host name as the URL instead of the FQDN (e.g. https://mail/ instead of https://mail.subdomain.domain.com/) to simplify things, but of course the browser then complains that the URL doesn't match the certificate (issued to mail.subdomain.domain.com). Anyone know if this is possible without getting the warnings? I tried to create a certificate using just the hostname, but it requires a proper domain name.

  3. #3 raj (Moderator)

    Just for future reference: you can just download the ca.pem, rename it to ca.crt, and double-click on it in Windows to install the cert. No need to convert.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  4. #4 pup_seba

    Hi,

    This solution is not working for me. Do you happen to know what may be happening? I can see the self-signed certificate in the Trusted Root Certification Authorities store, but the "There is a problem with this website's security certificate" page is still showing.

    I want to solve this problem mainly because the import migration wizard is having errors because of an SSL connection timeout, and lately to avoid having this annoying issue every time I log into the web admin.

    Any help will be most helpful!

    Regards,
    pup_seba

  5. #5 JakeMS

    Have you considered alternative browsers such as Firefox? With Firefox you can trust the certs once, and it'll never prompt again unless the certificate changes.

    I'm not so good with IE (as I don't use Windows at all), so I can't help you with that specifically. But I would advise switching to Firefox, or another browser which supports accepting a self-signed certificate permanently.

    If all else fails, I'd suggest grabbing a free certificate from here: https://www.startssl.com/

    It won't be the most secure certificate in the world, or the most trusted, and it will be limited to one specific domain name. But at the end of the day, it'll stop most modern browsers complaining and secure the connection between you and your server.

    Might have to check if IE8 has the CA though.

    Regarding certificates complaining of a URL change: to get it to stop complaining you would need what they call a wildcard certificate. What this means is, the certificate is valid regardless of subdomain.

    So, if you use the certificate on:

    mail0.domain.com and then change to mail1.domain.com or domain.com, it will remain valid, as the certificate will be issued for "*.domain.com", * being the wildcard.

    When generating the certificate, this is as simple as just not using a subdomain when generating, so you generate for domain.com, not mail0.domain.com. Once done, you would then import these into Zimbra and, of course, you'll need to renew the IE trust chain with the new certificate.

    I've not tried that with Zimbra myself, but I see no reason why it would not work.

    If you want a proper certificate signed by an official CA, a wildcard certificate will cost you a fair bit, however.

    Hope this helps

    Kind Regards,
    Jake

  6. #6 pup_seba

    Hi!

    Finally it did work! I was making a silly mistake. The certificate is valid for *.domain.local, so if I try to connect to one of the Zimbra servers like zimbra1.domain.local using "zimbra1" it will warn me; if I use the FQDN for which the certificate is issued (here is why my mistake is silly) there's no warning nor error whatsoever. So now I'm using "zimbra1.domain.local" to connect and everything works like a charm.

    Thank you so much for your help!!!
    pup_seba
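The name-matching rule behind the warnings in posts #2, #5 and #6, plus the PEM-to-DER conversion from post #2, as an added Python example that is not part of the thread (the sample PEM body is constructed dummy bytes, not a real certificate). It applies the RFC 6125 rule browsers use: a wildcard stands for exactly one label, so "*.domain.com" covers mail0.domain.com but neither domain.com itself nor a bare hostname such as "mail".

```python
import base64
import re

# Constructed sample: PEM armour around five dummy DER bytes, not a real cert.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

def pem_to_der(pem_text):
    """Equivalent of `openssl x509 -inform PEM -outform DER`: drop the
    armour lines and base64-decode the body to the binary .cer form."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))

def hostname_matches(cert_names, hostname):
    """Return True if the host typed in the URL matches one of the DNS names
    the certificate was issued for (SAN entries, or the CN as a fallback).
    Implements the RFC 6125 rule browsers use: a wildcard is honoured only as
    the entire left-most label and stands for exactly one label."""
    host = hostname.rstrip(".").lower().split(".")
    for name in cert_names:
        pat = name.rstrip(".").lower().split(".")
        if "*" not in name:
            if pat == host:           # plain name: exact, case-insensitive
                return True
            continue
        # Refuse wildcards that are not a whole left-most label or that
        # would cover a whole TLD such as "*.com".
        if pat[0] != "*" or len(pat) < 3 or any("*" in p for p in pat[1:]):
            continue
        if len(host) == len(pat) and host[1:] == pat[1:]:
            return True
    return False

def explain(cert_names, hostname):
    """One-line verdict for a certificate name list and a URL host."""
    ok = hostname_matches(cert_names, hostname)
    return f"{hostname}: {'trusted name' if ok else 'NAME MISMATCH -> browser warning'}"

if __name__ == "__main__":
    print(explain(["mail.subdomain.domain.com"], "mail"))        # post #2
    print(explain(["*.domain.local"], "zimbra1"))                # post #6
    print(explain(["*.domain.local"], "zimbra1.domain.local"))   # post #6
    print(explain(["*.domain.com"], "domain.com"))               # post #5
    print(len(pem_to_der(SAMPLE_PEM)), "DER bytes")
```

Importing the CA that signed the server certificate (ca.pem) into the Trusted Root store fixes the chain; a name mismatch still warns until the URL uses a name the certificate lists.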
