ZCS: SSL certificates approaching expiration!

[mludwig]

Hi,

in my inbox I have a mail from zimbra which says that the certificates willl expire soon.
To avoid this, the release notes for 7.1.2 say on page 10 to run these commands:

Code:

sudo zmcertmgr createca -new
sudo zmcertmgr deployca
sudo zmcertmgr deploycrt self -new

As this didn't work with the zimbra user I found this thread here in the forum:

Zimbra user password???

In this thread phoenix said that the commands could as well be run as root.
So I did this.

This is what I did:

Code:

root@mail:~#
root@mail:~# /opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...done.
** Saving global config key zimbraCertAuthorityKeySelfSigned...done.
** Copying CA to /opt/zimbra/conf/ca...done.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~# /opt/zimbra/bin/zmcertmgr deploycrt self -new
Can't deploy cert for -new.  Unknown service.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~#

Is that okay?
Zimbra is still running, but I'm afraid of the new restart... :-)

Michael

[phoenix]

As this didn't work with the zimbra user I found this thread here in the forum:

Zimbra user password???

In this thread phoenix said that the commands could as well be run as root.

You're actually mis-quoting me. For clarification, my comment in that thread was in relation to becoming the Zimbra user not about generating the certificates.

Is that okay?
Zimbra is still running, but I'm afraid of the new restart... :-)

There should be no problems, for future reference the details of generating the Certificates are here: Administration Console and CLI Certificate Tools - Zimbra :: Wiki

[mludwig]

Hi phoenix, sorry for misquoting you. :-)
Thank you again for your help and the link to the wiki. :-)

[phoenix]

Hi phoenix, sorry for misquoting you. :-)

That's OK, the clarification was just for anyone else reading this thread.

Thank you again for your help and the link to the wiki. :-)

You're welcome.

[mludwig]

Good morning,

it's me again.

There should be no problems, [...]

After the daily restart there were still the old certificates installed in zimbra which were valid till 09/29/2011.

for future reference the details of generating the Certificates are here: Administration Console and CLI Certificate Tools - Zimbra :: Wiki

Taking the new Wiki article as a source of information everything worked fine. Now (after a restart of the system) I have the newly generated certificates running, valid till 2012.
So that's it, I'm running fine with the new certs now.

Michael