Zimbra

inigoml · #1 (**permalink**) 09-30-2006, 11:24 AM

After browsing this forums, internet and others, I finally simplified the process of importing existing certificates (for example those created by your own internal authority that you want to reuse) into a running zimbra installation.

1- First, we have to convert existing certificates (stored in PEM or DER format) into a single pkcs12 file format. Set password to zimbra.

openssl pkcs12 -inkey mail.key -in mail.crt -export -out mail.pkcs12

2- Then, we have to create a new keystore and replace existing one. To create this new keystore, we can use this small java source. Compile it with javac.

javac -cp /opt/zimbra/java/lib/tools.jar AddCertToKeystore.java
java -cp /opt/zimbra/java/lib/tools.jar:. AddCertToKeystore

Source: (replace "mail" with your server certificate name)
----
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;

class AddCertToKeystore
{

public static void main(String[] args) throws Exception
{
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

// Load the pfx file containing Certificate + Private Key
KeyStore temp = KeyStore.getInstance("PKCS12", "SunJSSE");
temp.load(new FileInputStream("mail.pkcs12"), "zimbra".toCharArray());

// Create a new Keystore
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, "zimbra".toCharArray());

// Find the alias name of the certificate from the pfx file
Enumeration aliasNames = temp.aliases();
String alias = (String) aliasNames.nextElement();

// Get the certificate chain from .pfx
Certificate c[] = temp.getCertificateChain(alias);
Key key = temp.getKey(alias, "zimbra".toCharArray());

// Store the Private Key + Certificate Chain in the Keystore
keyStore.setKeyEntry("tomcat", key, "zimbra".toCharArray(), c);

// Create the Keystore
keyStore.store(new FileOutputStream("keystore-new"), "zimbra".toCharArray());
}
}
---

3) Copy the newly created keystore-new to /opt/zimbra/tomcat/conf/keystore, replacing existing one (I recommend backup it before).

4) Copy your existing certificates (mail.crt and mail.key) to /opt/zimbra/conf/smtpd.crt and /opt/zimbra/conf/smtpd.key if you want to enable TLS in postfix with same certificates. I also recommend backup it before replacing.

5) Restart zimbra. (zmcontrol stop; zmcontrol start)

phoenix · #2 (**permalink**) 09-30-2006, 11:36 AM

Thanks for posting that, is this not covered by the wiki articles here and here on certificates? Apologies if it's not that but I don't have much to do with certificates.

If your information is in addition to that would you mind putting a copy in the wiki and a description of the problem it fixes.

inigoml · #3 (**permalink**) 09-30-2006, 05:08 PM

Well, it's covered but not completely. There is some issue about using jetty tool for a jks creation that has been moved or deleted from jetty package. I have problems with this issue due to dependency of a third party tool, and with this source code it's very easy to create an specific script for importing certificates.

jonnyRo · #4 (**permalink**) 10-02-2006, 08:43 AM

My notes using IBM Keyman

I've had great luck with IBM KeyMan. (I used a spare windows box to do the KeyMan stuff)

The existing SSL certs that we have for raydiance came from the vendor in PEM format.

I would like to convert them to a format that the Tomcat aplications server can use so that we can run a signed cert on zimbra.raydiance-inc.com

Some of the examples over at wiki.zimbra.com mention some java code involving Jetty, which is a Java HTTP server. Apparently some of the code that is a part of Jetty can convert a PKCS12 cert to a java keystore format. OpenSSL does the conversion from PEM to PKCS12. You can get Jetty Here:

http://heanet.dl.sourceforge.net/sou...etty-6.0.1.zip (yea, the class names must have changed, because i was unable to use this)

The Zimbra wiki article that I am working with is here:
http://wiki.zimbra.com/index.php?tit...omcat_.2F_Java

It works! My notes
-------------------------------
Convert the PEM format certificates to PKCS12 as per the zimbra wiki page.
Then use the IBM KeyMan utility as follows. (note when keyman opens multiple windows, they can talk to each other, so dont think everything has to happen in the same window)
1. Open up the pkcs12 certificate in one window.
2. Open another window and create a new keystore called zimbra_new_keystore. Save it to a file.
3. Go to the window with the PKCS12 certificate, and click export. It will ask you to where, and you tell it to put it in the keystore you created (it will be in a dropdown now), make sure to include private keys.
4. Go back to the zimbra_new_keystore window, you will note that there is a cert in here now, the one you exported from the PKCS12 store.
5. Now save the zimbra_new_keystore , this will write it out to the filename you previously set up.

Woohoo, now you have a complete zimbra_keystore, although the alias will be some random number, not "1" like on the zimbra wiki page

Copy this file back to your zimbra machine, we're going to need to do some keytool magic. Lets see what's in our nifty new keystore file shall we?

keytool -list -keystore ./zimbra_new_keystore

You will get back a listing that looks like this (after entering the password "zimbra").
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

alias, Sep 28, 2006, keyEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00

D:00:00:00

The alias might be some random number, you need the whole alias without the comma at the end. Then run the following command to move it over to a new alias. oldalias is the wierd numeric automatic alias.

keytool -keystore ./zimbra_new_keystore -keyclone -alias oldalias -dest tomcat

Now if you list the keystore, using the following command, you will see both aliases.

keytool -list -keystore ./zimba_new_keystore

You should delete the old alias

keytool -delete -alias oldalias -keystore ./keystore

Now the cert is all shiny and ready, lets backup the old zimbra keystore and move in the new one, making sure to duplicate the permissions and ownership exactly. Let us proceed with great haste!

mv zimbra_new_keystore /opt/zimbra/tomcat/conf/
cd /opt/zimbra/tomcat/conf/
mv keystore keystore.bak
mv zimbra_new_keystore keystore
chmod 664 keystore

#now restart zimbra
zmcontrol stop
zmcontrol start

bquinata · #5 (**permalink**) 01-31-2007, 01:16 PM

Your post is exactly what I'm looking for. Unfortunately, I can't get past the first task:

javac -cp /opt/zimbra/java/lib/tools.jar addCertToKeystore.java

I continue to get the following error:

error: cannot read: addCertToKeyStore.java
1 error

I'm executing it as zimbra.

Is there an obvious solution to my first hurdle? By no means am I familiar with java.

Ben

bquinata · #6 (**permalink**) 01-31-2007, 02:31 PM

got too excited and over looks that "small" portion of your post labeled source.

*peter@mxtoolbox.com* · #7 (**permalink**) 02-25-2007, 07:29 AM

I'm not 100% confident in my understanding of all the pieces in play when installing a cert in ZCS, so I would love it if somebody could clear this up for me.

I followed the instructions on installing a commercial cert for my initial Zimbra server and it worked like a charm. Now what I need to do is to take that same cert and install it on a new server. I'm created documentation and procedures on how to rebuild our server for disaster recovery.

I have a clean install of Zimbra and the .crt file that my certificate authority gave me. What other files or pieces do I need to copy from my initial server to install this certificate on a new server?

If I follow all of the steps on installing a new commercial cert it says that the request doesn't match the certificate. If I skip the step to create a CSR, well, that doesn't work either. I just bomb the installation when I restart tomcat.

In order to follow the instructions on this post, I need. the my.key which I am not sure lives on my initial server. Is it /opt/zimbra/conf/my.key?

Any clarification would be great.

kirme3 · #8 (**permalink**) 02-25-2007, 07:38 AM

You'll need /opt/zimbra/ssl/ssl/commercial.keystore from the original. Wouldn't hurt tho have commercial.csr also. You really just need to copy commercial.keystore to the same location on the new server and to /opt/zimbra/tomcat/conf/keystore. Restart tomcat and you should be golden.

One thing I've noticed in doing this is the certs get reset during upgrades, so I know something is missing still, but it does work. I've just learned to keep a backup of all my ssl info and after an upgrade copy them back.