
Thread: [SOLVED] Installing existing SSL certificates (solved)

  #1 inigoml (Project Contributor)

    [SOLVED] Installing existing SSL certificates (solved)

    After browsing these forums, the internet and others, I finally simplified the process of importing existing certificates (for example those created by your own internal authority that you want to reuse) into a running zimbra installation.

    1) First, we have to convert existing certificates (stored in PEM or DER format) into a single pkcs12 file format. Set password to zimbra.

    openssl pkcs12 -inkey mail.key -in mail.crt -export -out mail.pkcs12

    2) Then, we have to create a new keystore and replace the existing one. To create this new keystore, we can use this small java source. Compile it with javac.

    javac -cp /opt/zimbra/java/lib/tools.jar AddCertToKeystore.java
    java -cp /opt/zimbra/java/lib/tools.jar:. AddCertToKeystore

    Source: (replace "mail" with your server certificate name)
    ----
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.security.Key;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.util.Enumeration;

    class AddCertToKeystore
    {
        // The same "zimbra" password is used for every store and key, as in step 1
        private static final char[] PASSWORD = "zimbra".toCharArray();

        public static void main(String[] args) throws Exception
        {
            // Load the pfx file containing Certificate + Private Key.
            // The PKCS12 keystore type ships with every JDK, so the old
            // Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider())
            // call is not needed (and that internal class no longer exists).
            KeyStore temp = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream("mail.pkcs12")) {
                temp.load(in, PASSWORD);
            }

            // Create a new, empty JKS Keystore
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(null, PASSWORD);

            // Find the alias name of the certificate from the pfx file
            // (openssl picks one, often a number; the file must hold one entry)
            Enumeration<String> aliasNames = temp.aliases();
            if (!aliasNames.hasMoreElements()) {
                throw new IllegalStateException("mail.pkcs12 contains no entries");
            }
            String alias = aliasNames.nextElement();

            // Get the certificate chain and private key from the .pfx
            Certificate[] chain = temp.getCertificateChain(alias);
            Key key = temp.getKey(alias, PASSWORD);

            // Store the Private Key + Certificate Chain under the alias Tomcat expects
            keyStore.setKeyEntry("tomcat", key, PASSWORD, chain);

            // Write the Keystore out as keystore-new
            try (FileOutputStream out = new FileOutputStream("keystore-new")) {
                keyStore.store(out, PASSWORD);
            }
        }
    }
    ---

    3) Copy the newly created keystore-new to /opt/zimbra/tomcat/conf/keystore, replacing the existing one (I recommend backing it up before).

    4) Copy your existing certificates (mail.crt and mail.key) to /opt/zimbra/conf/smtpd.crt and /opt/zimbra/conf/smtpd.key if you want to enable TLS in postfix with the same certificates. I also recommend backing them up before replacing.

    5) Restart zimbra. (zmcontrol stop; zmcontrol start)

  #2 phoenix (Zimbra Consultant & Moderator)

    Thanks for posting that. Is this not covered by the wiki articles here and here on certificates? Apologies if it's not that, but I don't have much to do with certificates.

    If your information is in addition to that, would you mind putting a copy in the wiki with a description of the problem it fixes?
    Regards
    Bill

  #3 inigoml (Project Contributor)

    Half covered

    Well, it's covered but not completely. There is an issue with using the Jetty tool for JKS creation, which has been moved or deleted from the Jetty package. I had problems with this issue due to the dependency on a third party tool, and with this source code it's very easy to create a specific script for importing certificates.

  #4 jonnyRo (Project Contributor)

    My notes using IBM Keyman

    I've had great luck with IBM KeyMan. (I used a spare windows box to do the KeyMan stuff)

    The existing SSL certs that we have for raydiance came from the vendor in PEM format.

    I would like to convert them to a format that the Tomcat application server can use, so that we can run a signed cert on zimbra.raydiance-inc.com.

    Some of the examples over at wiki.zimbra.com mention some java code involving Jetty, which is a Java HTTP server. Apparently some of the code that is part of Jetty can convert a PKCS12 cert to a java keystore format. OpenSSL does the conversion from PEM to PKCS12. You can get Jetty here:

    http://heanet.dl.sourceforge.net/sou...etty-6.0.1.zip (yeah, the class names must have changed, because I was unable to use this)

    The Zimbra wiki article that I am working with is here:
    http://wiki.zimbra.com/index.php?tit...omcat_.2F_Java


    It works! My notes
    -------------------------------
    Convert the PEM format certificates to PKCS12 as per the zimbra wiki page.
    Then use the IBM KeyMan utility as follows. (Note: when KeyMan opens multiple windows, they can talk to each other, so don't think everything has to happen in the same window.)
    1. Open up the pkcs12 certificate in one window.
    2. Open another window and create a new keystore called zimbra_new_keystore. Save it to a file.
    3. Go to the window with the PKCS12 certificate and click export. It will ask you where to, and you tell it to put it in the keystore you created (it will be in a dropdown now); make sure to include private keys.
    4. Go back to the zimbra_new_keystore window; you will note that there is a cert in here now, the one you exported from the PKCS12 store.
    5. Now save the zimbra_new_keystore; this will write it out to the filename you previously set up.

    Woohoo, now you have a complete zimbra_keystore, although the alias will be some random number, not "1" like on the zimbra wiki page.

    Copy this file back to your zimbra machine; we're going to need to do some keytool magic. Let's see what's in our nifty new keystore file, shall we?

    keytool -list -keystore ./zimbra_new_keystore

    You will get back a listing that looks like this (after entering the password "zimbra").
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    alias, Sep 28, 2006, keyEntry,
    Certificate fingerprint (MD5): 00:00:00:00:00:00D:00:00:00

    The alias might be some random number; you need the whole alias without the comma at the end. Then run the following command to move it over to a new alias. oldalias is the weird numeric automatic alias.

    keytool -keystore ./zimbra_new_keystore -keyclone -alias oldalias -dest tomcat

    Now if you list the keystore, using the following command, you will see both aliases.

    keytool -list -keystore ./zimbra_new_keystore

    You should delete the old alias:

    keytool -delete -alias oldalias -keystore ./zimbra_new_keystore

    Now the cert is all shiny and ready; let's back up the old zimbra keystore and move in the new one, making sure to duplicate the permissions and ownership exactly. Let us proceed with great haste!

    mv zimbra_new_keystore /opt/zimbra/tomcat/conf/
    cd /opt/zimbra/tomcat/conf/
    mv keystore keystore.bak
    mv zimbra_new_keystore keystore
    chmod 664 keystore

    #now restart zimbra
    zmcontrol stop
    zmcontrol start
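    The conversion in post #1 and the alias clean-up in post #4, as one added shell script that is not from the thread or from Zimbra: openssl's -name sets the PKCS12 friendly name, which keytool shows as the alias, so the random numeric alias never appears; keytool -importkeystore (JDK 6 and later) replaces both the Java helper and the keyclone/delete steps, renaming the entry to "tomcat" on the way. extract_alias parses keytool -list output the way post #4 describes, and verify_jks_matches_pem is an added check that the certificate inside the new keystore is the one in mail.crt. File names, the "zimbra" password and the "tomcat" alias follow the thread; openssl and keytool on PATH, and the zimbra:zimbra owner in install_keystore, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: PEM -> PKCS12 -> JKS with a fixed alias,
# then a check that the JKS entry really is mail.crt. Assumes openssl and a
# JDK 6+ keytool on PATH; file names, the "zimbra" password and the "tomcat"
# alias follow the thread. The zimbra:zimbra owner in install_keystore is an
# assumption. Usage: sh import_cert.sh mail.crt mail.key keystore-new
set -eu

STOREPASS="${STOREPASS:-zimbra}"     # the thread uses "zimbra" everywhere
DEST_ALIAS="${DEST_ALIAS:-tomcat}"   # the alias Zimbra's Tomcat looks for

# Pull the alias out of `keytool -list` output. An entry line looks like
#   1234567890, Sep 28, 2006, keyEntry,
# (newer keytools say PrivateKeyEntry), so the alias is everything before
# the first ", " on such a line. Prints nothing if the store has no key.
extract_alias() {                     # $1: text of keytool -list output
    printf '%s\n' "$1" | awk -F', ' '/keyEntry|PrivateKeyEntry/ { print $1; exit }'
}

# Step 1 of post #1: bundle key + cert into one PKCS12 file. -name sets the
# friendly name, which keytool shows as the alias, so the random numeric
# alias post #4 ran into never appears.
pem_to_pkcs12() {                     # $1 cert.pem  $2 key.pem  $3 out.pkcs12
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$DEST_ALIAS" \
        -passout "pass:$STOREPASS" -out "$3"
    chmod 600 "$3"                    # it holds the private key
}

# Step 2: build a fresh JKS with that entry under the alias Tomcat expects.
# -importkeystore replaces both the Java helper and the keyclone/delete
# dance; -srcalias/-destalias rename the entry in the same step.
pkcs12_to_jks() {                     # $1 in.pkcs12  $2 out.jks
    listing=$(keytool -list -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS")
    src_alias=$(extract_alias "$listing")
    [ -n "$src_alias" ] || { echo "no key entry in $1" >&2; return 1; }
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -srcalias "$src_alias" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$STOREPASS" \
        -destalias "$DEST_ALIAS" -destkeypass "$STOREPASS"
    chmod 600 "$2"
}

# Check: the SHA-256 fingerprint of the certificate inside the JKS must equal
# the fingerprint of the PEM certificate you started from.
verify_jks_matches_pem() {            # $1 jks  $2 cert.pem ; exit 0 on match
    pem_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256 | sed 's/.*=//')
    jks_fp=$(keytool -list -v -keystore "$1" -storepass "$STOREPASS" \
                 -alias "$DEST_ALIAS" | awk '/SHA256:/ { print $2; exit }')
    [ -n "$pem_fp" ] && [ "$pem_fp" = "$jks_fp" ]
}

# Step 3: back up the live keystore, drop in the new one, and restore the
# ownership and the 664 mode post #4 uses so Tomcat can still read it.
install_keystore() {                  # $1 new.jks  $2 live keystore path
    if [ -f "$2" ]; then
        cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$1" "$2"
    chown zimbra:zimbra "$2"          # assumption: Zimbra runs as user zimbra
    chmod 664 "$2"
}

# Only run the pipeline when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    pem_to_pkcs12 "$1" "$2" mail.pkcs12
    pkcs12_to_jks mail.pkcs12 "$3"
    verify_jks_matches_pem "$3" "$1"
    echo "$3 holds the key for $1; next: install_keystore $3 /opt/zimbra/tomcat/conf/keystore"
fi
```

    The fingerprint check is the part worth keeping even if you do the conversion by hand: a keystore that loads fine but carries the wrong certificate only shows up later as a browser warning, whereas comparing the SHA-256 fingerprint against the PEM file catches it before zmcontrol start.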

  #5 bquinata (Trained Alumni)

    javac throwing error

    Your post is exactly what I'm looking for. Unfortunately, I can't get past the first task:

    javac -cp /opt/zimbra/java/lib/tools.jar addCertToKeystore.java

    I continue to get the following error:

    error: cannot read: addCertToKeyStore.java
    1 error

    I'm executing it as zimbra.

    Is there an obvious solution to my first hurdle? By no means am I familiar with java.

    Ben

  #6 bquinata (Trained Alumni)

    My Bad

    Got too excited and overlooked that "small" portion of your post labeled source.


  #7 peter@mxtoolbox.com (Partner, VAR/HSP)

    Is this for me?

    I'm not 100% confident in my understanding of all the pieces in play when installing a cert in ZCS, so I would love it if somebody could clear this up for me.

    I followed the instructions on installing a commercial cert for my initial Zimbra server and it worked like a charm. Now what I need to do is to take that same cert and install it on a new server. I'm creating documentation and procedures on how to rebuild our server for disaster recovery.

    I have a clean install of Zimbra and the .crt file that my certificate authority gave me. What other files or pieces do I need to copy from my initial server to install this certificate on a new server?

    If I follow all of the steps on installing a new commercial cert it says that the request doesn't match the certificate. If I skip the step to create a CSR, well, that doesn't work either. I just bomb the installation when I restart tomcat.

    In order to follow the instructions in this post, I need the my.key, which I am not sure lives on my initial server. Is it /opt/zimbra/conf/my.key?

    Any clarification would be great.

  #8 kirme3 (Trained Alumni)

    You'll need /opt/zimbra/ssl/ssl/commercial.keystore from the original. Wouldn't hurt to have commercial.csr also. You really just need to copy commercial.keystore to the same location on the new server and to /opt/zimbra/tomcat/conf/keystore. Restart tomcat and you should be golden.

    One thing I've noticed in doing this is the certs get reset during upgrades, so I know something is missing still, but it does work. I've just learned to keep a backup of all my ssl info and after an upgrade copy them back.
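    An added script, not from the thread or from Zimbra, that turns the files named in this reply and in post #1 into a backup set with a checksum manifest, so the reset after an upgrade that kirme3 describes is detected by a command rather than by a client warning. The paths are only the ones the thread names and may not be the complete set; ZIMBRA_HOME defaults to /opt/zimbra and is left configurable so the functions can be exercised on constructed files. cksum is used because it is POSIX and available everywhere; it is a drift detector, not a tamper-evidence mechanism.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot the Zimbra SSL files named in
# posts #1 and #8 with a checksum manifest, detect which were reset after an
# upgrade, and put the saved copies back. ZIMBRA_HOME is an assumption made
# configurable; the file list is the thread's and may be incomplete.
set -eu

ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"

# The files this thread says make up the SSL set, one per line.
ssl_files() {
    printf '%s\n' \
        "$ZIMBRA_HOME/ssl/ssl/commercial.keystore" \
        "$ZIMBRA_HOME/ssl/ssl/commercial.csr" \
        "$ZIMBRA_HOME/tomcat/conf/keystore" \
        "$ZIMBRA_HOME/conf/smtpd.crt" \
        "$ZIMBRA_HOME/conf/smtpd.key"
}

# Copy every file that exists into $1 (keeping mode and owner with cp -p) and
# write a manifest of "<cksum> <size> <path>" lines. Prints the manifest path.
ssl_backup() {                        # $1: backup directory
    mkdir -p "$1"
    manifest="$1/manifest.cksum"
    : > "$manifest"
    ssl_files | while read -r f; do
        [ -f "$f" ] || continue
        cksum "$f" >> "$manifest"
        rel=${f#"$ZIMBRA_HOME"/}
        mkdir -p "$1/$(dirname "$rel")"
        cp -p "$f" "$1/$rel"
    done
    chmod 700 "$1"                    # private keys live in here
    printf '%s\n' "$manifest"
}

# Compare the live files against the manifest. Prints MISSING/CHANGED lines
# and returns 1 if anything drifted, 0 if the set is intact.
ssl_check_drift() {                   # $1: manifest path
    drift=0
    while read -r sum size path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"; drift=1
        elif [ "$(cksum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            printf 'CHANGED %s\n' "$path"; drift=1
        fi
    done < "$1"
    return $drift
}

# Put the saved copies back in place, again preserving mode and owner.
ssl_restore() {                       # $1: backup directory
    ssl_files | while read -r f; do
        rel=${f#"$ZIMBRA_HOME"/}
        if [ -f "$1/$rel" ]; then
            cp -p "$1/$rel" "$f"
        fi
    done
}
```

    Run ssl_backup before an upgrade and ssl_check_drift against the manifest afterwards; a non-zero exit lists exactly which files were reset, and ssl_restore followed by a zmcontrol restart puts the saved set back. Keep the backup directory off the server as well, since it contains the private keys.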

  #9 peter@mxtoolbox.com (Partner, VAR/HSP)

    Can you define your SSL backup set please

    Okay, so from my good machine, exactly which files do I need to put in my backup set to be safe?

    Thanks a lot, this is very helpful,

    Peter

  #10 norbertmilejczak (Guest)

    jonnyRo, your instructions worked like a charm with wildcard rapidssl certificate. Thank you for taking time posting IBM tool and detailed steps.
