Does the SSL cert on the Zimbra server's Primary Name need to match the server name?

[Baylink]

For Zimbra itself to be happy, I mean; it's looking like I need to have the cert be named after what my iPhones are going to want to call it in order for *them* to work -- and Apple explicitly doesn't support anything but Genuine Microsoft Exchange.

So the question is: does *Zimbra* require that the server's idea of its own name appear in the SSL cert that it servers? If so, can it be a secondary name?

[uxbod]

Hi, not really following. Within the iPhone settings you would enter the FQDN of your Zimbra server; for which should match the CN of the cert. If it does not then the iPhone just asks if you wish to accept it (especially if you are using a self signed cert).

[Baylink]

See my other thread, just updated. Apple *requires* that the primary name on the cert -- self signed or not -- be *the name the phone uses to get to EAS*.

Hence, I have to rebuild my cert to do this, with async.mumble as its primary name.

Hence my question above.

[uxbod]

I am guessing it will be fine. We have our own PKI and use a combination ZCS FQDN, Alternative name and IP address.

[Baylink]

But the primary name on your certs is the "real" configured name of your server? Or an alias?

Cause if the iPhones require their name to be primary, and Zimbra requires *its*, then I'm either going to have to rename the server, or play games with my DNS.

[Baylink]

In either event, having had it confirmed by Quanah on my bug ticket that in fact, it's not supposed to care, I ran AJ's "build your own self-signed cert" script, modified like so:

Code:

/opt/zimbra/bin/zmcertmgr createcrt self -new -subject "C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=async.mumble" -subjectAltNames "benjamin.mumble,zmail.mumble"

And, of course, for some reason, when I look in the admin console it doesn't appear to have actually done *anything*; my cert is still for benjamin.mumble, with no altNames.

Confused, now.