Need help t install SSL Certificate from old server that wasn't backed up please

[kazooless]

Hello,

My hard drive fried itself and I stupidly did not have a backup at all.

I installed a brand new install of Zimbra 7.1 open source on Ubuntu 10.04 64-bit. My prior install was Ubuntu 8.04 64-bit with 6.0.xx.

I have the current.csr from the old server and the certificates from StartSSL. I know how to do this if I made a brand new request to the provider and they gave me a brand new certificate. However, I don't know how to tell my current server to use the old CSR.

Can anybody tell me how to do this? It seems all the wiki and forum information is mainly on how to do a restore from backup or a new request/import.

Thank you,

kazooless

[onze]

Hello,
I will assume this is a commercial cert.
Try to find the following files in the old server,
commercial_ca.crt / commercial.csr / commercial.key

I have used this steps to install a cacert,

Backup and Clean Current Certs
<code>su - root
cd /opt/zimbra/ssl/zimbra/commercial/
tar -czvf /tmp/ssl.commercial.backup.tar.gz *
rm -rf *</code>

Generate new csr (certificate request)
<code>/opt/zimbra/bin/zmcertmgr createcsr comm -new</code>

This uses the defaults, change according
<code>/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=Department/CN=mail.domain.com"</code>

Verify files presence,
<code>ls -la</code>

Should list,
commercial_ca.crt / commercial.csr / commercial.key

Cat the csr and submit to cacert.org,
<code>cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr</code>

Result,
<code> -----BEGIN CERTIFICATE REQUEST-----
[delete]CCAWwCAQAwgZkxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNOL0Ex DDAKBgNV
[delete]4vQTEjMCEGA1UEChMaWmltYnJhIENvbGxhYm9yYXRpb24gU3Vp dGUxIzAh
[delete]AsTGlppbWJyYSBDb2xsYWJvcmF0aW9uIFN1aXRlMSQwIgYDVQQ DExttYWls
[delete]nRlcm5hbC5ob21ldW5peC5jb20wgZ8wDQYJKoZIhvcNAQEBBQA DgY0AMIGJ
[delete]AOri9/m6RtM1vASBROPgLvkUYybwf2WDI2xTdKUuAMI0rTpMH1IzjPRP/J+m
[delete]RQTiJe1mRX3rJCy3qVooVzsLe2yJ1+rs3FzLSfQhazK6PqMD8G hpqHO0Y75
[delete]LEA/qdOCrTFjosO9C3j3WPCW8lutTxf/QsoKGkIVs5tjAgMBAAGgKTAnBgkq
[delete]0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqG SIb3DQEB
[delete]A4GBAKMLVFilRjI9xvU/vZmP69yReVZyxa5YVpF/cEvwFwbOU6E4USkdONGT
[delete]DRj1XxfzYD+CDf8TVuTY4tapaLvKPRUtdd/mM1PidY5t126QAObyKjHBRzy
[delete]RJFQeP+0ktxcYJ99+sfiescwR/qzPJM58i6daqmMamQBZi
-----END CERTIFICATE REQUEST-----</code>

Paste the cert generated by cacert.org,
<code>nano /opt/zimbra/ssl/zimbra/commercial/commercial.crt</code>

Get cacert root.crt and class3.crt and cat both in one file
<code>cat root.crt class3.crt > commercial_ca.crt</code>

<code>/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key ./commercial.crt ./commercial_ca.crt </code>

If the output looks good, you can deploy the certificate via this command:

<code>/opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt</code>

The final step would be to restart the zimbra services for the change to take effect.

[kazooless]

Onze,

Thank you for the quick reply. The problem is that I don't have any access to the file system of the dead hard drive, so I can't get the actual files that were in /opt/zimbra directory.

What I do have is the CSR that the old server generated which is what I copied and pasted to the commercial cert provider. I also have the certificate that the commercial provider gave me in response to the CSR the old server generated. (Yes, this is a commercial cert. It is from StartSSL and there is a wiki and plenty of forum posts about this particular provider.)

So, are you saying I should generate a new CSR with the new server, but then there is a way to replace the newly generated CSR with the old CSR? I am sure if I create a new CSR, then the hash and all that won't match with the cert they provided to me for the old CSR. So I need the new server to use the old CSR to match up with the already provided certs.

Does that make better sense what my problem is?

kazoo

[kazooless]

Yup, unless someone can tell me otherwise, it looks like I need more than just the old CSR. It looks like I need the old commercial.key (Private Key) as well. I could kick myself for not getting at least an initial backup when I finished the full install. Ugh.

This is what I get when I try to import the commercial certificate with the old and the new CSR:

root@mail:~/ssl# cd /opt/zimbra/bin
root@mail:/opt/zimbra/bin# ./zmcertmgr deploycrt comm /home/jeff/ssl/ssl.crt /home/jeff/ssl/ca_bundle.crt
** Verifying /home/jeff/ssl/ssl.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Unmatching certificate (/home/jeff/ssl/ssl.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid

.

This is from following step number 5 on this wiki: Installing a StartSSL SSL Certificate with zmcertmgr - Zimbra :: Wiki

So, I guess I'm back to making another request with StartSSL. Unfortunately, even though they are free for your cert, if you have to revoke a cert and redeploy then they charge you. Live and learn.

Before I do, does anybody have any information that might tell me I'm wrong and there is a way to deploy with the old CSR but not the old private key?

kazoo

[onze]

Hello,
Have you considered cacert.org?

Regards

[kazooless]

That looks pretty cool. I didn't know about them. I just went ahead and paid to revoke the old cert. They did it quickly and I quickly made and successfully installed a new one. Live and learn.

I have a backup now of all the documents, and I am in the middle of working through all the documentation regarding an automated backup of the open source product.

Thanks for the help!

kazoo