Page 2 of 3 (results 11 to 20 of 23)

Thread: [SOLVED] Installing existing SSL certificates (solved)

  1. #11
    bobby is offline Zimbra Employee
    Join Date
    Nov 2005
    Posts
    518
    Rep Power
    10


    >exactly which files do I need to put in my backup set to be safe?
    The default certificate files:
    /opt/zimbra/tomcat/conf/keystore
    /opt/zimbra/conf/*{crt,key,pem}

    If you have a self-signed certificate or have added any certificates to the cacerts keystore, save it also:
    /opt/zimbra/java/jre/lib/security/cacerts (linux)
    or /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts (Mac OS X)
    Last edited by bobby; 06-27-2007 at 02:25 PM.

  2. #12
    jbnance is offline Junior Member
    Join Date
    Feb 2007
    Posts
    6
    Rep Power
    8

    CA Validation Fails

    Hi,
    Thanks for the great instructions. Things are almost working perfectly. When users visit the SSL version of the web UI, their browsers are reporting that they do not recognize the CA which issued the certificate. The correct cert is being displayed, and I imported the CA's certificate (DigiCert) into the "cacerts" keystore (and restarted Tomcat), but it just isn't working. I tried importing it into both tomcat/conf/keystore and java/jre/lib/security/cacerts without luck. I tried deleting the "my_ca" entry in cacerts, I tried calling DigiCert's CA cert "my_ca" in both keystores, but still can't get it to work.

    Ideas?

    j

  3. #13
    peter@mxtoolbox.com is offline Partner (VAR/HSP)
    Join Date
    Feb 2007
    Location
    Austin, TX
    Posts
    110
    Rep Power
    8


    I think the problem is that the browser does not have your signer built in, but you should confirm with your provider to see if that is the case. There's not much you can do for the general public, but you can install the root cert for your specific signer (or your own) into your users browsers so they do not get this error.

    I'm not an SSL expert, but I think this is the problem.
    Peter LeBlond
    Product Development Engineer
    http://www.mxtoolbox.com


  4. #14
    jbnance is offline Junior Member
    Join Date
    Feb 2007
    Posts
    6
    Rep Power
    8


    Hi Peter,
    Thanks, but unfortunately, no, that's not the correct solution. Part of the SSL handshake is to verify the certificate itself against the signer's (CA's) cert, so the server sends the CA's info along with other things (such as the expiration date). Without this step, anyone could pretend to be anyone else, and all you would end up with would be an encrypted connection to a bogus website. You can find more information about this process here:

    How does SSL work? Easy to understand SSL Certificate and HTTPS

    In the Apache httpd world, you clear up these issues by adding the CA (the certificate signer) to the ca-bundle (SSLCACertificateFile) or directory (SSLCACertificatePath). From what I understand, in the Tomcat world this is analogous to adding the CA cert to the "cacerts" keystore in the JRE's lib/security path. However, for some reason, this isn't working, so I'm assuming there is a step I'm missing.

    j

  5. #15
    Drumpie is offline Starter Member
    Join Date
    Jul 2007
    Posts
    1
    Rep Power
    8

    Decent keystore management tool

    For all you folks trying to import certificates/keys/CAcerts into a keystore, I can recommend Keytool IUI Plus KeyTool IUI. Create/manage keys & certificates, sign/verify/encrypt/decrypt files using a GUI.

    After spending at least two days trying to get our own CA certificate and the certificate for the mail server into a keystore file (using IBM's key tool, openssl and keytool), this tool did it within a few minutes.

    Cheers.

  6. #16
    jeepville is offline Active Member
    Join Date
    Jul 2007
    Location
    Indiana
    Posts
    45
    Rep Power
    8


    Thanks for the post, the IBM Keyman method worked great for me!
    Last edited by jeepville; 08-10-2007 at 07:19 AM.

  7. #17
    worldofnic is offline Starter Member
    Join Date
    Aug 2007
    Location
    Reading, UK
    Posts
    2
    Rep Power
    8

    Anyone got this working with a DigiCert yet?

    And to compound matters, I'm using one of their wildcard certs... which work fine with Apache httpd.

    I've created a keystore using their instructions at: SSL Certificate Installation - Tomcat Servers, but this just causes Tomcat to throw multiple exceptions, i.e. it's not right! (From catalina.out:)
    Code:
    java.net.SocketException: SSL handshake error
    javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.


    Code:
    [zimbra@mail2 tmp]$ keytool -v -list -keystore /opt/zimbra/tomcat/conf/keystore  
    Enter keystore password:  xxxxxx
    
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 3 entries
    
    Alias name: root
    Creation date: Aug 9, 2007
    Entry type: trustedCertEntry
    
    Owner: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
    Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
    Serial number: 374ad243
    Valid from: Tue May 25 17:09:40 BST 1999 until: Sat May 25 17:39:40 BST 2019
    Certificate fingerprints:
             MD5:  DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
             SHA1: 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
    
    
    *******************************************
    *******************************************
    
    
    Alias name: tomcat
    Creation date: Aug 9, 2007
    Entry type: trustedCertEntry
    
    Owner: CN=*.our.domain, O=My Employer, L=Town, ST=County, C=gb
    Issuer: CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Valid from: Wed Mar 07 00:00:00 GMT 2007 until: Wed Mar 05 23:59:59 GMT 2008
    Certificate fingerprints:
             MD5:  xx:xx:...
             SHA1: xx:xx...
    
    
    *******************************************
    *******************************************
    
    
    Alias name: digicert
    Creation date: Aug 9, 2007
    Entry type: trustedCertEntry
    
    Owner: CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
    Serial number: 4286aba0
    Valid from: Fri Jul 14 18:10:28 BST 2006 until: Mon Jul 14 18:40:28 BST 2014
    Certificate fingerprints:
             MD5:  FB:14:1E:91:00:CA:CB:77:D8:01:62:D8:8C:B8:84:48
             SHA1: 25:B7:8E:B9:36:A4:00:CE:34:13:1D:9A:6D:E8:BE:A0:4B:34:76:07
    
    
    *******************************************
    *******************************************
    I mean, it looks right to me, but I just can't get it working.

    If I have a keystore containing just the wildcard cert, then the server runs properly, but obviously, all clients complain as they don't know to trust DigiCert.

    Any help appreciated.
    nic

  8. #18
    jeepville is offline Active Member
    Join Date
    Jul 2007
    Location
    Indiana
    Posts
    45
    Rep Power
    8


    Well, I thought it was working great, but it appears that the SMTP cert didn't get changed: my Outlook (2007, so I can't run the connector yet) still asks me to verify connecting when sending a mail. It used to ask when it checked for the first time every day, which it doesn't do anymore, so I know the POP3 cert changed. Any clue as to why the SMTP one did not?

    Thanks

    Josh

  9. #19
    fdsadmin is offline Member
    Join Date
    May 2007
    Location
    England
    Posts
    13
    Rep Power
    8


    Quote Originally Posted by inigoml View Post
    After browsing this forums, internet and others, I finally simplified the process of importing existing certificates (for example those created by your own internal authority that you want to reuse) into a running zimbra installation.
    Perfect! Thanks for the information

  10. #20
    mledford is offline Junior Member
    Join Date
    Jul 2007
    Posts
    7
    Rep Power
    8

    Chained Certificates Importing

    Quote Originally Posted by jbnance View Post
    Hi,
    Things are almost working perfectly. When users visit the SSL version of the web UI, their browsers are reporting that they do not recognize the CA which issued the certificate. The correct cert is being displayed, and I imported the CA's certificate (DigiCert) into the "cacerts" keystore (and restarted Tomcat), but it just isn't working.
    I was having the same problem you were with the cert being recognized but for some reason not traversing the chain tree. When I did the following...

    zimbra$ keytool -v -list -keystore keystore

    I noticed the output said:

    Certificate chain length: 1

    Hmm, since I can't import with keytool I can't specify the -trustcacerts which basically says 'additional certificates are considered for the chain of trust'. So what I need to do is find a way to include the intermediate cert during the creation of the keystore. The best way to do this is during the conversion to pkcs12 format... so for those of you trying to import certificates from CAs with intermediate certificates this does the trick.

    certificate.key is the private key.
    certificate.crt is the signed certificate.
    intermediateCertificate.crt is the intermediate certificate (the one who signed the certificate.crt)

    1) openssl pkcs12 -inkey certificate.key -in certificate.crt -export -out certificate.pkcs12 -certfile intermediateCertificate.crt
    2) Use AddCertToKeystore.java as laid out...

    It should all work out well as long as the root is in your system's cacerts.

    Also, it appears looking at man pkcs12 that -certfile can contain more than one certificate (if your signer has two or more intermediates to root).

    Michael
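An added example, not code from any poster in this thread: a small Python checker over `keytool -v -list` output that flags the two keystore defects diagnosed above, a keystore with only trustedCertEntry entries and no private key (the listing in post #17, which leaves Tomcat nothing to serve) and a key entry whose "Certificate chain length" is 1 so the intermediate is never sent (post #20). The two sample listings are constructed and abbreviated.

```python
import re
# Constructed `keytool -v -list` output modelled on post #17: only trustedCertEntry
# entries, no private key, so Tomcat has nothing to serve. Not a real keystore.
LISTING_NO_KEY = """\
Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=*.our.domain, O=My Employer, C=gb
Issuer: CN=DigiCert Global CA, O=DigiCert Inc, C=US
*******************************************
Alias name: digicert
Entry type: trustedCertEntry
Owner: CN=DigiCert Global CA, O=DigiCert Inc, C=US
Issuer: CN=Entrust.net Secure Server Certification Authority, O=Entrust.net, C=US
"""
# Constructed: a key entry whose chain stops at the leaf, the "length: 1" case in post #20.
LISTING_SHORT_CHAIN = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=*.our.domain, O=My Employer, C=gb
Issuer: CN=DigiCert Global CA, O=DigiCert Inc, C=US
"""

FIELD = re.compile(r"^\s*(Alias name|Entry type|Certificate chain length|Owner|Issuer): (.*?)\s*$", re.M)

def parse_keytool_listing(text):
    """One dict per alias; Owner/Issuer are taken from the first (leaf) certificate."""
    entries, cur = [], None
    for key, val in FIELD.findall(text):
        if key == "Alias name":
            cur = {"alias": val, "type": "", "chain_length": 1, "owner": "", "issuer": ""}
            entries.append(cur)
        elif key == "Entry type":
            cur["type"] = val
        elif key == "Certificate chain length":
            cur["chain_length"] = int(val)
        elif not cur[key.lower()]:  # first Owner/Issuer after the alias is the leaf
            cur[key.lower()] = val
    return entries

def audit_server_keystore(text):
    """Defects in a Tomcat keystore that produce the symptoms reported in this thread."""
    # Older keytool releases print "keyEntry" where newer ones print "PrivateKeyEntry".
    keyed = [e for e in parse_keytool_listing(text) if e["type"] in ("PrivateKeyEntry", "keyEntry")]
    problems = [] if keyed else ["no private key entry: server has no certificate to present (post #17)"]
    for e in keyed:
        if e["owner"] != e["issuer"] and e["chain_length"] < 2:
            problems.append(f"alias {e['alias']!r}: chain length {e['chain_length']}, intermediate CA not sent (post #20)")
    return problems
```

Feed it `keytool -v -list -keystore /opt/zimbra/tomcat/conf/keystore` output; a self-signed key entry (owner equals issuer) is correctly left alone.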
