#1
07-29-2010, 08:24 AM
Project Contributor
Posts: 30
[SOLVED] Deploy new commercial certificate

Hi all

I'm running Zimbra OpenSource Edition 6.0.7 and my commercially signed certificate is about to expire in 2 days. I ordered a new certificate, this time a wildcard certificate, as we also have other servers using SSL in the same domain.

I copied the private key file (commercial.key) to the appropriate location /opt/zimbra/ssl/zimbra/commercial, changed the owner to zimbra.zimbra and made sure the permissions are -rw-------. The certificate and the root certificate including the chain are located in /root/certs/commercial.crt and /root/certs/commercial_ca.crt respectively. I followed this howto:
Preexisting Certifcate Installation for Zimbra 6.0 - Zimbra :: Wiki

Then, the command
Code:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key commercial.crt commercial_ca.crt
runs all ok.

But the following command fails:
Code:
root@hermes:~/certs# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt 
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...failed.
XXXXX ERROR: failed to import certficate.

Keytool-Fehler: java.lang.Exception: Eingabe kein X.509-Zertifikat

I cannot even reinstall the still valid certificate I was using until now! The same error appears.

I was able to install a self-signed cert using the following howto:
Administration Console and CLI Certificate Tools - Zimbra :: Wiki

If I restart trying to install the commercial cert it fails as above.

What can I do to successfully install the commercial cert? I'm not willing to use the self-signed cert as my 150+ users will get error messages...

Any help would be very much appreciated, thanks!
CrypTom
#2
07-29-2010, 11:16 PM
Project Contributor
Posts: 30
Cert-File Format

I was able to solve the problem.

My new cert file (including the CA's root cert file) looked as follows:
Code:
subject=/CN=*.ourdomain.ch/Email=support@ourdomain.ch
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
I had to delete the "subject=..." line before "-----BEGIN CERTIFICATE-----". So it seems that the "-----BEGIN CERTIFICATE-----" line absolutely has to be the file's first line!

So I wondered why my old (still valid) certificate could not be deployed and I inspected its crt file. I found that there was an empty line before the "-----BEGIN CERTIFICATE-----" line.

Which means that the certificate management behavior changed from Zimbra version 6.0.6 to 6.0.7, because I was able to install the old cert with Zimbra 6.0.6, but not with 6.0.7.

As a consequence, check the certificate's file format carefully: there should be nothing before "-----BEGIN CERTIFICATE-----", but one empty line after "-----END CERTIFICATE-----".
Reply With Quote
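
The file-format check described in post #2, as an added example that is not part of the original thread and not Zimbra's own code. The function names `pem_is_clean`, `pem_clean` and `make_samples` are hypothetical, the sample certificate bodies are constructed placeholders, and treating blank lines after an END marker as acceptable is an assumption based on the post.

```shell
#!/bin/sh
# Added example, not Zimbra code. Function names are hypothetical.
PEM_BEGIN='-----BEGIN CERTIFICATE-----'
PEM_END='-----END CERTIFICATE-----'

# pem_is_clean FILE: succeed only if line 1 is the BEGIN marker, nothing but
# blank lines sits outside BEGIN/END blocks, and the file ends with a newline.
pem_is_clean() {
    [ -s "$1" ] || return 1
    [ -z "$(tail -c 1 "$1")" ] || return 1    # last byte must be "\n"
    awk -v b="$PEM_BEGIN" -v e="$PEM_END" '
        NR == 1 && $0 != b   { bad = 1 }
        $0 == b { if (inside) bad = 1; inside = 1; blocks++; next }
        $0 == e { if (!inside) bad = 1; inside = 0; next }
        !inside && $0 != ""  { bad = 1 }
        END { exit (bad || inside || !blocks) }
    ' "$1"
}

# pem_clean IN OUT: copy only the certificate blocks, dropping "subject=..."
# lines, blank lines and trailing whitespace/CR, then re-check the result.
pem_clean() {
    awk -v b="$PEM_BEGIN" -v e="$PEM_END" '
        { sub(/[ \t\r]+$/, "") }
        $0 == b { inside = 1 }
        inside  { print }
        $0 == e { inside = 0 }
    ' "$1" > "$2"
    pem_is_clean "$2"
}

# make_samples DIR: write two constructed files shaped like the ones in the
# thread (the base64 bodies are placeholders, not real certificates).
make_samples() {
    printf '%s\n' 'subject=/CN=*.example.test' "$PEM_BEGIN" 'Q09OU1RSVUNURUQ=' \
        "$PEM_END" 'subject=/CN=Example CA' "$PEM_BEGIN" 'U0FNUExFIENB' \
        "$PEM_END" > "$1/subject.crt"
    { echo; printf '%s\n' "$PEM_BEGIN" 'Q09OU1RSVUNURUQ=' "$PEM_END"; } \
        > "$1/blank.crt"
}
```

Source the file, run `pem_clean` on the certificate and on the CA chain file, then repeat the `zmcertmgr verifycrt` step from post #1 on the cleaned copies before deploying.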