Hi,
I just purchased a new SSL certificate for my ZCS install – a cert for the mail server – main server domain - not a hosted domain/account on said server - and when submitting the ZCS generated CSR to GeoTrust I got the following error:
Quote:
Invalid CSR
The CSR provided is invalid. Error code is 3022296, Error Message: Error Details: -2019: Your CSR contains a key size that is no longer considered secure. Security best practices require a minimum key size of 2048 bits. Please submit a new CSR with a minimum 2048 bit key size.
I have no problem installing other certificates for other domains on the same server though.
The difference is this time I generated the CSR via Zimbra admin so I was wondering if that might be the problem?
I usually use CLI to generate a CSR and a private key pair for the domains hosted on this server when renewing hosted domain certs, but I noticed in Zimbra admin there is no way to generate a private key so could that be the problem?
Should I generate the CSR (and private key) via CLI as I usually do? At present I am just using a self-signed certificate for the main mail server address – I generated a new self-signed cert a month ago via ZCS admin by generating a CSR via admin (but not a private main server key), and it was working fine, but I want to go to a commercial cert instead.
The problem is that apparently the main server cert is stored in a different directory than my other domain certs, and Zimbra admin does not indicate where the main server cert, key and CSR are stored.
I am running ZCS version 5.0.2 and Apache MOD SSL on a CentOS 5.4 server so my mod ssl is up to date.
As a footnote, the self-signed cert, key and CSR I generated last month are in /opt/zimbra/ssl/zimbra.20090305135257/server/
Also, there are two other directories where the newly generated CSRs are located - in:
/opt/zimbra/ssl/zimbra.20090305135257/server/server.csr
/opt/zimbra/ssl/zimbra.20090305135332/server/server.csr
/opt/zimbra/ssl/zimbra.20090423092315/server/server.csr
/opt/zimbra/ssl/zimbra.20100309142016/server/server.csr
/opt/zimbra/ssl/zimbra.20100309142035/server/server.csr
/opt/zimbra/ssl/zimbra.20110311111113/server/server.csr
/opt/zimbra/ssl/zimbra.20110311111200/server/server.csr
I tried generating a second one...
...so ZCS seems to be placing the new CSRs in different directories...
Also, the older certs and keys are in different dirs as well:
/opt/zimbra/ssl/zimbra/server/server.key
/opt/zimbra/ssl/zimbra.20090305135257/server/server.key
/opt/zimbra/ssl/zimbra.20090305135332/server/server.key
/opt/zimbra/ssl/zimbra.20090423092315/server/server.key
/opt/zimbra/ssl/zimbra.20100309142016/server/server.key
/opt/zimbra/ssl/zimbra.20100309142035/server/server.key
/opt/zimbra/ssl/zimbra.20110311111113/server/server.key
/opt/zimbra/ssl/zimbra.20110311111200/server/server.key
/opt/zimbra/ssl/zimbra/server/server.crt
/opt/zimbra/ssl/zimbra.20090305135332/server/server.crt
/opt/zimbra/ssl/zimbra.20090423092315/server/server.crt
/opt/zimbra/ssl/zimbra.20100309142016/server/server.crt
/opt/zimbra/ssl/zimbra.20100309142035/server/server.crt
/opt/zimbra/ssl/zimbra.20110311111113/server/server.crt
/opt/zimbra/ssl/zimbra.20110311111200/server/server.crt
I was wondering if I should just go ahead and do this via CLI instead of Zimbra admin? I want to make sure I do this correctly. If I remember correctly, some time ago I tried to do it via CLI and could not get the commercial cert for the main server address installed correctly, and the mail server would not function until I did a self-signed cert, even though generating certs via the Command Line Interface method worked OK for my other domains.
Thanks for any insights or info.
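
An added example, not part of the original post: a shell check that reports the key size of each `server.csr` under the timestamped directories listed above and flags any below the 2048-bit minimum quoted in the CA's error. It assumes the `openssl` command-line tool is installed and that the CSRs are PEM-encoded RSA requests; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit CSR key sizes before submitting one to a CA.
# Assumes PEM-encoded RSA CSRs (an EC key reports a much smaller bit count).
MIN_BITS=2048   # minimum stated in the CA's error message

# Print the public key size in bits of one CSR; prints nothing if the
# file cannot be parsed. The pattern covers the "RSA Public Key:",
# "RSA Public-Key:" and "Public-Key:" labels used by different OpenSSL versions.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Classify one CSR. Prints "<status> <bits> <path>" and returns
# 0 for OK, 1 for a key below MIN_BITS, 2 for an unreadable file.
check_csr() {
    bits=$(csr_bits "$1")
    if [ -z "$bits" ]; then
        echo "UNREADABLE - $1"; return 2
    elif [ "$bits" -lt "$MIN_BITS" ]; then
        echo "WEAK $bits $1"; return 1
    fi
    echo "OK $bits $1"
}

# Check every <base>/*/server/server.csr (default base is the directory
# named in the post). Returns non-zero if any CSR is weak or unreadable.
audit_csrs() {
    base=${1:-/opt/zimbra/ssl}
    rc=0
    for csr in "$base"/*/server/server.csr; do
        [ -f "$csr" ] || continue
        check_csr "$csr" || rc=1
    done
    return $rc
}

# When run as a script with a directory argument, audit that directory.
if [ "$#" -gt 0 ]; then
    audit_csrs "$1"
fi
```

Run as the user that can read the SSL directory, for example `sh audit_csrs.sh /opt/zimbra/ssl` (the script file name is arbitrary).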