[SOLVED] Problem with commercial certificate

[ppaixao]

Hello, I've been trying to install a commercial certificate I've just purchased and am having trouble due to the ca certificate chain.

The CA has given me my certificate and one file representing the certificate chain. I tried to install it through the web admin console but it gives one error:

Code:

invalid request: missing required attribute: server Código de erro: service.INVALID_REQUEST Method: GetCertRequest Detalhes:soap:Sender

I googled it and seems like many people can't install it using the admin console so I just went with the command line alternative.

Code:

[root@mail 20101116]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key xxxxxxx.crt ca.crt
** Verifying xxxxxxx.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (xxxxxxx.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: xxxxxxx.crt: OK

No problems validating it.... however when I try to install it:

Code:

[root@mail 20101116]# /opt/zimbra/bin/zmcertmgr deploycrt comm xxxxxxx.crt ca.crt    ** Verifying xxxxxxx.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (xxxxxxx.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: xxxxxxx.crt: OK
** Copying xxxxxxx.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

However.. I found where the command fails, read the log and it states:

Code:

[root@mail 20101116]# cat /tmp/zmcertmgr.F31510
No certificate matches private key

And, when I try to import the certificate without the ca certificate chain it just...works.... :

Code:

[root@mail 20101116]# /opt/zimbra/bin/zmcertmgr deploycrt comm xxxxxxx.crt
** Verifying xxxxxxx.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (xxxxxxx.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: xxxxxxx.crt: OK
** Copying xxxxxxx.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

However this doesn't make my certificate valid because the chain doesn't gets installed.... any help will be appreciated

Thank you

PS: Using ZCS 6.0.8 with Patch 2685 applied.

[phoenix]

You should update your forum profile with the correct version information from the command:

Code:

zmcontrol -v

Have you tried some of the solutions in the forums: site:zimbra.com +"No certificate matches private key" +solved - Yahoo! Search Results It would also help, when posting certificate problems, if you mention which type or Certificate you're trying to install.

[ppaixao]

Profile updated.

Thanks

[demenskan]

I had the same problem, and what it worked was mixing the intermediate CA's file as long as the origin's root CA file (in my case: verisign) with the CAT command (cat intermediate.crt root.crt > ca.crt) and using the result file as the CA's certificate.


cheers!