  #1 (permalink)  
Old 09-17-2010, 02:30 PM
Active Member
 
Posts: 33
Thawte SSL123 (Did not Use Admin Panel)

That's right, my client went ahead and purchased a Thawte SSL123 cert without consulting me first, and did not know about the admin panel and having to use it to create the CSR first. So we have an SSL123 created the standard way from the Linux command prompt. Is there any way to get this sucker working in Zimbra?
__________________
5.0.7_GA_2444.RHEL5_64_20080626020449 RHEL5_64 FOSS edition
  #2 (permalink)  
Old 09-19-2010, 03:43 PM
OpenSource Builder & Moderator
 
Posts: 1,166

well i've just spent 3 hours wiki'ing, forum'ing and googl'ing and eventually found the answer to this - it's pretty cryptic (no pun intended)

request the cert in tomcat format, download the signed cert in x.509 format (you have to cut and paste into a file, call it commercial.crt).

download the root ca cert from here:
https://search.thawte.com/support/ss...INK&id=AR1470#
again, cut and paste into a file, call it ca.root

download the ssl intermediate bundle cert from here:
https://search.thawte.com/support/ss...LINK&id=AR1372
you'll want to choose the 'Apache, Plesk & CPanel' option 1, ie 'Download the Bundled CA version' - save it to ca.inter

now concatenate the two:
cat ca.root ca.inter >commercial_ca.crt

edit the newly created commercial_ca.crt and make sure that the ---BEGIN and ---END lines are all on their own line, and there are no empty gap lines anywhere.

then verify:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt

hopefully this goes ok - if you get any weird errors you either have requested the cert wrong or have not quite got the above steps 100% correct.

then install:
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

then restart zimbra
  #3 (permalink)  
Old 09-21-2010, 10:10 AM
Active Member
 
Posts: 33

Thanks for your post but I am just so frustrated by this process. I've created a new CSR and got a new SSL123 cert from Thawte. Here is what I did:

1. Backup/remove 2009's key/crt/csr in /opt/zimbra/ssl/zimbra/commercial
2. Zimbra Admin panel - generate CSR - verified they created in /opt/zimbra/ssl/zimbra/commercial on server
3. Issued/received new certificate from Thawte with new CSR
4. Uploaded it to /opt/zimbra/ssl/zimbra/commercial.crt
5. Ran /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt thawte-bundle.ca

Error:
Code:
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
XXXXX ERROR: Invalid Certificate: commercial.crt: /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
error 2 at 2 depth lookup:unable to get issuer certificate

I am pretty sure I have the wrong "thawte-bundle". There are like a thousand different bundles on Thawte's site, and I can't figure out what in the world to download for this. Anyone know?

Also, should I be using the admin panel for this? It asks me for the certificate, the root ca and the intermediate ca. I don't know what to upload for the root and intermediate.

Could someone please explain what I need to do to renew this certificate? What Thawte root CAs I need to download? Should I be using the command line or the admin panel? Please help, I am so exhausted from this. Thanks.
__________________
5.0.7_GA_2444.RHEL5_64_20080626020449 RHEL5_64 FOSS edition
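
The bundle checks described in post #2 and the "unable to get issuer certificate" error in post #3 can be diagnosed before running zmcertmgr; the following is an added example, not part of either poster's message and not Zimbra's own tooling. It lints the concatenated bundle and then walks issuer links from the server certificate up to a self-signed root, reporting the depth at which a link is missing. The function names are made up for this example, and it assumes the openssl command line tool is installed.

```sh
#!/bin/sh
# lint_bundle BUNDLE: fails if BUNDLE has a blank line, or a BEGIN/END marker
# sharing its line with other text (e.g. cat of a file with no final newline).
lint_bundle() {
    awk '
        /^[ \t\r]*$/ { printf "line %d: blank line\n", NR; bad = 1 }
        /-----(BEGIN|END) CERTIFICATE-----/ && !/^-----(BEGIN|END) CERTIFICATE-----[ \t\r]*$/ {
            printf "line %d: marker not on its own line\n", NR; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# split_bundle BUNDLE DIR: write each certificate in BUNDLE to DIR/ca-N.pem.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# field CERT OPTION: one field of a certificate, e.g. field x.crt -issuer_hash
field() { openssl x509 -in "$1" -noout "$2"; }

# walk_chain CERT BUNDLE: follow issuer links from CERT through BUNDLE.
# Name-hash matching only, no signature check. Returns 0 on reaching a
# self-signed root, 1 if an issuer is missing from BUNDLE.
walk_chain() {
    dir=$(mktemp -d) || return 2
    split_bundle "$2" "$dir"
    cur=$1 depth=0 rc=1
    while [ "$depth" -lt 10 ]; do
        echo "depth $depth: $(field "$cur" -subject)"
        want=$(field "$cur" -issuer_hash) || break
        if [ "$(field "$cur" -subject_hash)" = "$want" ]; then rc=0; break; fi
        next=
        for ca in "$dir"/ca-*.pem; do
            [ -f "$ca" ] && [ "$(field "$ca" -subject_hash)" = "$want" ] && next=$ca
        done
        if [ -z "$next" ]; then
            echo "depth $depth: issuer not in bundle: $(field "$cur" -issuer)"
            break
        fi
        cur=$next depth=$((depth + 1))
    done
    rm -rf "$dir"
    return "$rc"
}
```

Run `lint_bundle commercial_ca.crt` and then `walk_chain commercial.crt commercial_ca.crt`; a bundle that stops short of a self-signed root fails at the same depth OpenSSL reports. The walk compares names only, so `zmcertmgr verifycrt` remains the cryptographic check.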
  #4 (permalink)  
Old 09-22-2010, 05:16 AM
OpenSource Builder & Moderator
 
Posts: 1,166

you've got the wrong ca bundle. i gave you precise links and instructions above to get the right ones!
  #5 (permalink)  
Old 09-23-2010, 06:46 AM
Active Member
 
Posts: 33

Thank you so much. Those two bundles were my entire problem. There are all kinds of bundles on Thawte's site and how you figured out which ones to use is beyond my mere mortal knowledge. I never could have figured that out on my own. Thankfully we purchased a 2 year cert and I don't have to deal with this crap for a while.
__________________
5.0.7_GA_2444.RHEL5_64_20080626020449 RHEL5_64 FOSS edition