
Thread: New GeoTrust SSL certificates and Android users

  1. #11
    sae65 is offline Active Member

    Has anyone solved this issue? We have attempted to use the GeoTrust Crossroot CA to no avail. When using the zmcertmgr verifycrt command it fails to verify. If using their normal CA it verifies.

    We don't want to upset our Android users, but as it stands Android users and Zimbra Desktop will start having SSL issues/warnings.

  2. #12
    Chewie71 is offline Trained Alumni

    Got it resolved....

    Part of the problem was getting the combination of certs and getting them in the right order, and part of the problem was me not using the 'zmcertmgr deploycrt' command correctly.

    I've updated the wiki article....hopefully it makes sense and someone else can try this and see if it works for them as well.

    Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki

    Let me know if there are errors or omissions in that....or you can correct it yourself.

    Matt

  3. #13
    sae65 is offline Active Member

    Hi,

    Thanks, got the answer myself yesterday. GeoTrust pointed me to all the certificates that needed to go into the commercial_ca.crt file.

    After that everything was good. A test run today for Android users indicated no more cert issues.

    Here is the information I was given by GeoTrust. Sharing it and hope it will be of some help.

    (First one is the x509 Base 64 cert under "others")
    Get the intermediate here: https://knowledge.geotrust.com/suppo...LINK&id=AR1422
    Get the cross-root here: https://knowledge.geotrust.com/suppo...=1282319600194
    Get our Equifax root CA (root1) here: Download Root Certificates - GeoTrust

  4. #14
    maumar is offline Elite Member

    I have an EOS with Android 2.2 (it's old, I know) and this sequence does not work for me:

    1. intermediate:
    Code:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 145105 (0x236d1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
            Validity
                Not Before: Feb 19 22:45:05 2010 GMT
                Not After : Feb 18 22:45:05 2020 GMT
            Subject: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
    2. cross-root
    grabbed from https://knowledge.geotrust.com/suppo...tent&id=AR1426

    Code:
            Version: 3 (0x2)
            Serial Number: 1227750 (0x12bbe6)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
            Validity
                Not Before: May 21 04:00:00 2002 GMT
                Not After : Aug 21 04:00:00 2018 GMT
            Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
    3. Equifax root ca
    wget http://www.geotrust.com/resources/ro..._Authority.cer

    Code:
            Version: 3 (0x2)
            Serial Number: 903804111 (0x35def4cf)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
            Validity
                Not Before: Aug 22 16:41:51 1998 GMT
                Not After : Aug 22 16:41:51 2018 GMT
            Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

    Code:
    /opt/zimbra/conf/ca # ls -la
    totale 32
    drwxr-xr-x  2 zimbra zimbra 4096 12 mag 11:21 .
    drwxrwxr-x 10 zimbra zimbra 4096 12 mag 12:21 ..
    lrwxrwxrwx  1 root   root     19 12 mag 11:21 2c543cd1.0 -> commercial_ca_2.pem
    lrwxrwxrwx  1 root   root      6 12 mag 11:21 37e2b938.0 -> ca.pem
    lrwxrwxrwx  1 root   root     19 12 mag 11:21 578d5c04.0 -> commercial_ca_3.pem
    -rw-r-----  1 zimbra zimbra  912 12 mag 11:21 ca.key
    -rw-r-----  1 zimbra zimbra  968 12 mag 11:21 ca.pem
    -rw-r-----  1 zimbra zimbra 1391 12 mag 11:21 commercial_ca_1.pem
    -rw-r-----  1 zimbra zimbra 1269 12 mag 11:21 commercial_ca_2.pem
    -rw-r-----  1 zimbra zimbra 1143 12 mag 11:21 commercial_ca_3.pem
    -rw-r-----  1 zimbra zimbra 3804 12 mag 11:21 commercial_ca.pem
    lrwxrwxrwx  1 root   root     17 12 mag 11:21 f131b364.0 -> commercial_ca.pem
    I have restarted
    Code:
    zmcontrol restart
    but the previous configuration is always recognized, it is as if there was a cache ;(
    but looking at /opt/zimbra/conf/ca I see 3 commercial pem files that are exactly the 3 ones of commercial_ca.crt

    I am disappointed and disoriented
    Last edited by maumar; 05-12-2012 at 03:44 AM.

  5. #15
    maumar is offline Elite Member

    Maybe I should wipe this entry?

    Code:
    /opt/zimbra/java/bin/keytool -list -keystore /opt/zimbra/java/jre/lib/security/cacerts|grep -i geo
    Immettere la password del keystore:  changeit
    geotrustglobalca, 18-lug-2003, trustedCertEntry,

  6. #16
    maumar is offline Elite Member

    Solved.
    Wrongly, I had saved to /tmp the file
    Code:
    /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    without checking that the old chain was concatenated in it

    the /tmp/commercial.crt *must* be cleaned
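
A pre-deployment check for the two failure modes in this thread (CA certificates in the wrong order, and a server certificate file that still carries an old chain), as an added example that is not part of the original posts or of Zimbra. It assumes the CA bundle runs intermediate, cross-root, root as listed in post #14; the function names are hypothetical, and it compares issuer and subject names only, without verifying signatures.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)               # Certificate
    _, pos, _ = read_tlv(der, pos)             # TBSCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                            # optional [0] version
        _, _, end = read_tlv(der, end)         # serialNumber
    _, _, iss_start = read_tlv(der, end)       # signature AlgorithmIdentifier
    _, _, iss_end = read_tlv(der, iss_start)   # issuer Name
    _, _, sub_start = read_tlv(der, iss_end)   # validity
    _, _, sub_end = read_tlv(der, sub_start)   # subject Name
    return der[iss_start:iss_end], der[sub_start:sub_end]

def parse_bundle(pem_text):
    """Return (issuer, subject) for every certificate in a PEM file, in file order."""
    return [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]

def check_chain(server_pem, ca_pem):
    """List problems in a server certificate file plus its CA bundle."""
    problems = []
    leaf = parse_bundle(server_pem)
    if len(leaf) != 1:                         # post #16: old chain left in commercial.crt
        problems.append(f"server file holds {len(leaf)} certificates, expected 1")
    chain = leaf[:1] + parse_bundle(ca_pem)    # assumed order: leaf, intermediate, ..., root
    for i in range(len(chain) - 1):            # byte-exact name match between neighbours
        if chain[i][0] != chain[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    if chain and chain[-1][0] != chain[-1][1]:
        problems.append("last CA certificate is not self-signed")
    return problems

if __name__ == "__main__":                     # args: commercial.crt commercial_ca.crt
    server, ca = (open(p).read() for p in sys.argv[1:3])
    print("\n".join(check_chain(server, ca)) or "chain order OK")
```

An empty result only means the names link up in order; `zmcertmgr verifycrt` is still the check that validates the signatures.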
