  #1 (permalink)  
Old 08-15-2011, 03:48 AM
Active Member
 
Posts: 41
ZCS: SSL certificates approaching expiration!

Hi,

in my inbox I have a mail from zimbra which says that the certificates will expire soon.
To avoid this, the release notes for 7.1.2 say on page 10 to run these commands:

Code:
sudo zmcertmgr createca -new
sudo zmcertmgr deployca
sudo zmcertmgr deploycrt self -new
As this didn't work with the zimbra user I found this thread here in the forum:

Zimbra user password???

In this thread phoenix said that the commands could as well be run as root.
So I did this.

This is what I did:

Code:
root@mail:~#
root@mail:~# /opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...done.
** Saving global config key zimbraCertAuthorityKeySelfSigned...done.
** Copying CA to /opt/zimbra/conf/ca...done.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~# /opt/zimbra/bin/zmcertmgr deploycrt self -new
Can't deploy cert for -new.  Unknown service.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~#
Is that okay?
Zimbra is still running, but I'm afraid of the new restart... :-)

Michael
Reply With Quote
  #2 (permalink)  
Old 08-15-2011, 04:03 AM
Zimbra Consultant & Moderator
 
Posts: 20,314

Quote:
Originally Posted by mludwig View Post
As this didn't work with the zimbra user I found this thread here in the forum:

Zimbra user password???

In this thread phoenix said that the commands could as well be run as root.
You're actually mis-quoting me. For clarification, my comment in that thread was in relation to becoming the Zimbra user not about generating the certificates.

Quote:
Originally Posted by mludwig View Post
Is that okay?
Zimbra is still running, but I'm afraid of the new restart... :-)
There should be no problems. For future reference, the details of generating the Certificates are here: Administration Console and CLI Certificate Tools - Zimbra :: Wiki
__________________
Regards


Bill
Reply With Quote
  #3 (permalink)  
Old 08-15-2011, 07:38 AM
Active Member
 
Posts: 41

Hi phoenix, sorry for misquoting you. :-)
Thank you again for your help and the link to the wiki. :-)
Reply With Quote
  #4 (permalink)  
Old 08-15-2011, 08:15 AM
Zimbra Consultant & Moderator
 
Posts: 20,314

Quote:
Originally Posted by mludwig View Post
Hi phoenix, sorry for misquoting you. :-)
That's OK, the clarification was just for anyone else reading this thread.

Quote:
Originally Posted by mludwig View Post
Thank you again for your help and the link to the wiki. :-)
You're welcome.
__________________
Regards


Bill
Reply With Quote
  #5 (permalink)  
Old 08-15-2011, 10:55 PM
Active Member
 
Posts: 41

Good morning,

it's me again.

Quote:
Originally Posted by phoenix View Post
There should be no problems, [...]
After the daily restart there were still the old certificates installed in zimbra which were valid till 09/29/2011.


Quote:
Originally Posted by phoenix View Post
for future reference the details of generating the Certificates are here: Administration Console and CLI Certificate Tools - Zimbra :: Wiki
Taking the new Wiki article as a source of information everything worked fine. Now (after a restart of the system) I have the newly generated certificates running, valid till 2012.
So that's it, I'm running fine with the new certs now.

Michael
Reply With Quote
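
The last post reports that the old certificates were still in place after a restart, even though every deploy step had printed "done". The following is an added example, not part of the thread or of Zimbra's tooling, showing one way to confirm a renewal took effect by comparing the newly generated certificate with the one actually served. All function names are hypothetical, and the file paths and host:port are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): verify a certificate renewal took effect.
# File paths and host:port values are caller-supplied; none are Zimbra defaults.

# notAfter date of a PEM certificate file
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate in $1 is still valid $2 days from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint of a PEM certificate file
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Save the leaf certificate a TLS listener ($1 = host:port) presents to file $2
fetch_served_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# Compare the freshly generated certificate ($1) with what is served ($2).
# Prints one status word; returns 0 only for "ok".
check_renewal() {
    new=$1 served=$2 min_days=$3
    if [ "$(cert_fingerprint "$new")" != "$(cert_fingerprint "$served")" ]; then
        echo "stale"      # service still presents a different (old) certificate
        return 1
    fi
    if ! cert_valid_for_days "$served" "$min_days"; then
        echo "expiring"   # right certificate, but too close to its notAfter
        return 2
    fi
    echo "ok"
}

# Constructed sample input: throwaway self-signed certificate valid for $2 days
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=mail.example.test" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}
```

On a real host, run `fetch_served_cert` once per TLS port after the restart and pass each saved file to `check_renewal` together with the certificate file the deploy step wrote.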