Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1
03-30-2011, 01:05 AM
Junior Member
Posts: 8

Information about Zimbra certificate management

Hi

I need some information about how Zimbra manages self-signed certificates.

I have found the following:
Source (?):
/opt/zimbra/ssl/zimbra/ca
/opt/zimbra/ssl/zimbra/server
/opt/zimbra/ssl/zimbra/commercial (uninteresting, we use self-signed ones)

Destination (?):
/opt/zimbra/conf/ca
/opt/zimbra/conf/slapd.crt
/opt/zimbra/conf/smtpd.crt
/opt/zimbra/conf/nginx.crt

"slapd.crt", "smtpd.crt" and "nginx.crt" are the same file (copied).
The source of these certificates seems to be "/opt/zimbra/ssl/zimbra/server/server.crt".

"/opt/zimbra/conf/ca/ca.pem" is the same file as "/opt/zimbra/ssl/zimbra/ca/ca.pem".

It seems to me:
All self-signed certificates are created in "/opt/zimbra/ssl/zimbra/" and copied to the conf directory ("/opt/zimbra/conf/").


1) How does Zimbra use/control these certificates?
2) What does Zimbra do if a certificate expires? (Auto recreate?)
3) On master/slave systems "/opt/zimbra/conf/ca/ca.pem" has to be the same file on every node. Otherwise the TLS LDAP connection fails.
How does Zimbra manage this if the certificates expire?
4) The CA certificate is only valid for one year. Is it possible to set this time higher? Is it possible to change the key size and hash algorithms? Is there a config file?
5) Why does Zimbra give me the option in the admin web UI to set the validity of the server certificate to 10 years, but only creates a CA certificate that is valid for one year? If the CA expires, the server certificate is also invalid.

yogg
#2
03-31-2011, 04:49 AM
Junior Member
Posts: 8

I have now made some tests.

It seems that on a single-server installation there are absolutely no problems if a certificate is invalid. I can't find any problems.
Zimbra also does not automatically renew the certificates.

On a master/slave system invalid certificates are a problem. All slaves connect to the master LDAP server over TLS encryption.
If the certificate of the master is invalid, the connections fail.
Also, all slaves need the CA certificate of the master in "/opt/zimbra/conf/ca".
The problem here is that Zimbra does not automatically redeploy the certificate if it becomes invalid.
After a year the LDAP replication stops without any warning. I think it would be good if the administrator got an email or something else.

I now check all certificates with a Nagios script.


I have also now checked the zmcertmgr script. If I change some variables directly in the script, I can create certificates with longer keys and other options.

But I would be happy if someone who knows some more details about the system can post here.
Are there any limitations in the Zimbra system?
Something like: Zimbra only supports keys with a maximum length of 2048 bits, only MD5 and SHA-1 are supported, ...
I hope there are none.

yogg
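As an added example, not from the original thread or from Zimbra's own tooling: a stdlib-only Python check in the spirit of the Nagios script mentioned above. It reads notAfter from each certificate's DER bytes, returns a Nagios-style exit code, and verifies that the copies the thread describes (server.crt vs. the conf/*.crt files, or ca.pem on the master and every slave) are byte-identical. The 30-day threshold and the fixture builder are assumptions; on a real server, load each PEM file and convert it with ssl.PEM_cert_to_DER_cert.

```python
import datetime as dt
import hashlib

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    out, pos = [], start                                # elements of a SEQUENCE
    while pos < end:
        out.append(_tlv(buf, pos))
        pos = out[-1][2]
    return out

def not_after(der):
    """Return the notAfter time (UTC) of a DER-encoded X.509 certificate."""
    _, s, e = _tlv(der, 0)                              # Certificate
    _, s, e = _tlv(der, s)                              # tbsCertificate
    fields = [f for f in _children(der, s, e) if f[0] != 0xA0]   # skip explicit [0] version
    _, vs, ve = fields[3]                               # serial, signature, issuer, validity
    tag, ts, te = _children(der, vs, ve)[1]             # validity = {notBefore, notAfter}
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(der[ts:te].decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def nagios_status(certs, warn_days=30, now=None):
    """Nagios-style (exit_code, message) for {name: der}: 2 = expired, 1 = expiring soon, 0 = ok."""
    now = now or dt.datetime.now(dt.timezone.utc)
    code, notes = 0, []
    for name, der in certs.items():
        days = (not_after(der) - now).days
        if days < 0:
            code, notes = 2, notes + [f"{name} expired {-days}d ago"]
        elif days < warn_days:
            code, notes = max(code, 1), notes + [f"{name} expires in {days}d"]
    return code, "; ".join(notes) or "all certificates ok"

def copies_match(files):
    """True if all values in {label: bytes} are byte-identical, e.g. ca.pem on master and every slave."""
    return len({hashlib.sha256(b).hexdigest() for b in files.values()}) == 1

def fake_cert_der(not_before, not_after_):
    """Constructed test fixture: a structurally minimal, unsigned certificate (UTCTime strings)."""
    seq = lambda body: b"\x30" + bytes([len(body)]) + body      # short-form lengths suffice here
    utc = lambda s: b"\x17" + bytes([len(s)]) + s.encode()
    tbs = seq(b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + seq(b"") + seq(b"") + seq(utc(not_before) + utc(not_after_)))
    return seq(tbs + seq(b"") + b"\x03\x01\x00")        # tbs, empty sigAlg, empty BIT STRING
```

Running nagios_status over the conf/*.crt files and ca.pem on every node, and copies_match over the master's and each slave's ca.pem, catches the silent replication failure described in the post before the CA year runs out.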