  #1 (permalink)  
Old 02-20-2011, 05:10 PM
Junior Member
 
Posts: 5
Default [SOLVED] export certificate to zimbra

Hi folks,

I already read the tutorials about importing certificates into Zimbra in the wiki, but I can't manage to import the certificates from my external OpenLDAP server, which authenticates Zimbra users, so when I check the option to use SSL, a series of warnings shows in the debug box, alerting me that the certificate is not valid...

I configured my certificates and CA as follows, using openssl:

#generate CA
$ /usr/lib/ssl/misc/CA.pl -newca

#generate certificates
$ /usr/lib/ssl/misc/CA.pl -newreq

# so I have the private key (newkey.pem), and the public key (newreq.pem)

# I sign the certificate
$ /usr/lib/ssl/misc/CA.pl -sign

# this generates a signed public key called newcert.pem

# now I remove the password from the private key
$ openssl rsa -in newkey.pem -out newkey.nopass.pem

# in the end I have these files
newcert.pem newkey.nopass.pem newkey.pem newreq.pem

# and my CA is called cacert.pem

In slapd.conf I set TLSVerifyClient to never...

So folks, how can I solve this problem?

PS: sorry about my English

Last edited by diegolcf; 02-22-2011 at 05:16 PM..
Reply With Quote
  #2 (permalink)  
Old 02-21-2011, 12:13 PM
Junior Member
 
Posts: 5
Default

I use this command to import the certificate
/opt/zimbra/java/bin/keytool -import -file cacert.pem -keystore /opt/zimbra/java/jre/lib/security/cacerts -alias <alias>

and it shows this message
keytool error: java.lang.Exception: Input not an X.509 certificate
Reply With Quote
  #3 (permalink)  
Old 02-22-2011, 05:32 PM
Junior Member
 
Posts: 5
Default

It's quite simple to solve this problem....

1) First, convert the CA certificate to DER format
$ openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER

2) Then, do the import
$ /opt/zimbra/java/bin/keytool -import -file cacert.der -keystore /opt/zimbra/java/jre/lib/security/cacerts -alias <alias>

PS: forum administrator, please help me change the title of this post; the correct title is import zimbra certificate, not export certificate
Reply With Quote
  #4 (permalink)  
Old 04-18-2011, 02:54 AM
Elite Member
 
Posts: 296
Default

Can this be used for commercial certs?
I am having trouble importing a commercial RapidSSL cert; the error is the same:



Code:
/opt/zimbra/log/scripts/rapid-ssl ]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/log/scripts/rapid-ssl/commercial.crt /opt/zimbra/log/scripts/rapid-ssl/commercial_ca.crt 
** Verifying /opt/zimbra/log/scripts/rapid-ssl/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/log/scripts/rapid-ssl/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/log/scripts/rapid-ssl/commercial.crt: OK
** Copying /opt/zimbra/log/scripts/rapid-ssl/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /opt/zimbra/log/scripts/rapid-ssl/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...failed.
XXXXX ERROR: failed to import certficate.

Errore keytool: java.lang.Exception: L'input non è un certificato X.509
The commercial Rapid one was 1024 bits, and it expired just yesterday

Last edited by maumar; 04-18-2011 at 03:04 AM..
Reply With Quote
  #5 (permalink)  
Old 04-18-2011, 02:56 AM
Elite Member
 
Posts: 296
Default

Quote:
Originally Posted by diegolcf View Post
$ /opt/zimbra/java/bin/keytool -import -file cacert.der -keystore /opt/zimbra/java/jre/lib/security/cacerts -alias <alias>
What should be used as the alias?
What did you use?

TIA
Reply With Quote
  #6 (permalink)  
Old 04-18-2011, 03:21 AM
Elite Member
 
Posts: 296
Default

There was a 0a as the first char of commercial_ca.crt, glub ;(
Reply With Quote
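A pre-import check for the situation in post #6 (a stray 0a before the certificate), added here as an example and not part of any post in this thread: it reports whatever precedes the first BEGIN CERTIFICATE marker, decodes each block to DER, and re-emits a PEM that starts at byte 0. The function names are hypothetical, and FAKE_DER / SAMPLE are constructed placeholder bytes, not a real certificate.

```python
import base64
import re
BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + rb"(.*?)" + re.escape(END), re.DOTALL)

def leading_bytes(data):
    """Bytes before the first BEGIN marker (a stray 0a byte, for instance)."""
    pos = data.find(BEGIN)
    if pos < 0:
        raise ValueError("no PEM certificate block found")
    return data[:pos]

def der_claimed_length(der):
    """Total size announced by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length octets follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_der_blocks(data):
    """Decode each certificate block, ignoring anything outside the markers."""
    ders = []
    for m in PEM_RE.finditer(data):
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        if der_claimed_length(der) != len(der):
            raise ValueError("truncated or padded certificate body")
        ders.append(der)
    if not ders:
        raise ValueError("no PEM certificate block found")
    return ders

def clean_pem(data):
    """Re-emit only the certificate blocks, 64 columns, starting at byte 0."""
    out = b""
    for der in pem_to_der_blocks(data):
        b64 = base64.b64encode(der)
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out += b"\n".join([BEGIN, *lines, END]) + b"\n"
    return out

# Constructed sample: placeholder bytes with a valid DER header, NOT a real cert,
# wrapped as PEM with a leading 0a like the file described in post #6.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE = b"\n" + BEGIN + b"\n" + base64.encodebytes(FAKE_DER) + END + b"\n"

if __name__ == "__main__":
    print("leading bytes (hex):", leading_bytes(SAMPLE).hex() or "none")
```

The DER blocks returned by pem_to_der_blocks are the same binary form that the openssl x509 -outform DER step in post #3 writes to cacert.der.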