  #1 (permalink)  
Old 11-02-2006, 06:48 AM
Loyal Member
 
Posts: 88
Default Certificates for multiple domains

I have a Zimbra server hosting multiple, unrelated, domains. Users connect by pointing their web browsers at their own domain.

Can I set up a certificate to cover the different domains, or do I need one certificate per domain?
Reply With Quote
  #2 (permalink)  
Old 11-02-2006, 10:56 AM
Senior Member
 
Posts: 58
Default Purpose for the certs matters

This is a complex question because the answer is not so straightforward.

Two of the purposes for certificates are encryption and host validation. You can always use one cert for multiple domains and you will get the encryption part of this process. But the host validation will not be correct: for example, if the cert is signed for 'mail.domain.com', a request to 'mail.example.com' will not match the hostname, and will consequently trigger a warning. Assuming users ignore this warning, they will still get the encryption part of TLS.

Getting a warning is no small thing. Many small-footprint clients will not even prompt on a warning; they will simply fail (this is common on mobile browsers). Additionally, many users are not sophisticated enough to understand what the warning means, so they will not proceed.

Considering you will also generate a warning with most self-signed certs, it may not be an issue if you were going to go this route anyway.

If on the other hand you want to purchase multiple certificates, I will tell you that configuring this is not so simple. Apache cannot do name-based virtual hosting with multiple certs, so if you want to go this route you will have to do IP-based virtual hosting, which gets much more involved (mapping multiple IPs to one NIC, etc.), and you will likely have to do a lot of surgery on the Zimbra Apache instance to make it work.

Last edited by Coilcore : 11-03-2006 at 12:05 PM.
Reply With Quote
  #3 (permalink)  
Old 02-15-2007, 06:24 AM
Starter Member
 
Posts: 1
Default

Follow the instructions here ---
http://wiki.zimbra.com/index.php?tit...icate_Problems

pay special attention to this line

Quote:
If you wish to have several names on the certificate, supply them as arguments

zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com
Reply With Quote
  #4 (permalink)  
Old 02-16-2007, 09:54 AM
Active Member
 
Posts: 34
Default

I tried this as well and it didn't seem to work, I'm still getting errors when going to foo.bar.edu:

"You have attempted to establish a connection with 'foo.bar.edu' however the certificate presented belongs to 'zimbra.bar.edu'." etc..

Anyone have this working for multi hostname machines?

Dan



Quote:
Originally Posted by cree13 View Post
Follow the instructions here ---
http://wiki.zimbra.com/index.php?tit...icate_Problems

pay special attention to this line
Reply With Quote
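
Added example (not written by any poster in this thread, and not Zimbra code): a check of which of the names users browse to are covered by a certificate, using the hostname-matching rules a client applies. The names zimbra.bar.edu and foo.bar.edu come from the error message above; the example.org names, the certificate contents and the function names are constructed for illustration.

```python
# Which hosted names does one certificate cover? The cert dicts use the layout
# returned by ssl.SSLSocket.getpeercert(); all data here is constructed.

def _label_match(pattern, host):
    """Match one DNS name from a cert against a hostname (RFC 6125 style)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Wildcard allowed only as the whole left-most label, and only
        # when at least two labels follow it (no "*.com").
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def names_in_cert(cert):
    """DNS names a client will validate against.

    If any subjectAltName dNSName is present, the commonName is ignored;
    the CN is only a fallback for certificates without DNS SANs.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def coverage(cert, hostnames):
    """Map each hostname users browse to -> True if no mismatch warning."""
    names = names_in_cert(cert)
    return {h: any(_label_match(n, h) for n in names) for h in hostnames}

# Constructed: a CN-only cert like the one in the error message above.
CN_ONLY = {"subject": ((("commonName", "zimbra.bar.edu"),),)}
# Constructed: the same cert reissued with every served name as a SAN.
MULTI_SAN = {
    "subject": ((("commonName", "zimbra.bar.edu"),),),
    "subjectAltName": (("DNS", "zimbra.bar.edu"), ("DNS", "foo.bar.edu"),
                       ("DNS", "*.example.org")),
}
HOSTS = ["zimbra.bar.edu", "foo.bar.edu", "mail.example.org",
         "a.mail.example.org"]

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("multi-SAN", MULTI_SAN)):
        print(label, coverage(cert, HOSTS))
```

To audit a live server, pass the dict from ssl.SSLSocket.getpeercert() as cert. Chrome since version 58 ignores the commonName entirely, so a name covered only by the CN should be treated as uncovered there.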
  #5 (permalink)  
Old 02-19-2007, 08:49 AM
Active Member
 
Posts: 34
Default

bumping this

Quote:
Originally Posted by DanCody View Post
I tried this as well and it didn't seem to work, I'm still getting errors when going to foo.bar.edu:

"You have attempted to establish a connection with 'foo.bar.edu' however the certificate presented belongs to 'zimbra.bar.edu'." etc..

Anyone have this working for multi hostname machines?

Dan
Reply With Quote
  #6 (permalink)  
Old 03-05-2007, 03:15 PM
zaf
Partner (VAR/HSP)
 
Posts: 71
Default

Also interested in a resolution for this. IE7 gives a nasty error message that most users assume can't be gotten past. I blame IE for making such a menacing error page, but it sure would be nice to have a way around it.
Reply With Quote
  #7 (permalink)  
Old 03-30-2007, 04:02 PM
Intermediate Member
 
Posts: 16
Default

I’m trying to create a CA cert by following this link http://wiki.zimbra.com/index.php?tit...28as_zimbra.29. But why won’t my data change for ‘/C= /O= /OU=’? Here is the result.

Code:
[zimbra@zimbra ~]$ zmcreatecert
** Importing CA

Certificate was added to keystore
** Creating keystore

** Creating server cert request

Generating a 1024 bit RSA private key
.++++++
..........................................++++++
unable to write 'random state'
writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
-----
** Signing cert request

Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            11:75:29:08:97
        Validity
            Not Before: Mar 30 21:41:39 2007 GMT
            Not After : Mar 28 21:41:39 2012 GMT
        Subject:
            countryName               = CA
            stateOrProvinceName       = N/A
            organizationName          = Myorg Intl.
            organizationalUnitName    = Myorg
            commonName                = zimbra.myorg.com
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            C1:28:E7:0E:EF:04:2A:2E:C5:48:B4:E6:C8:DD:39:B1:A3:33:DD:A3
            X509v3 Authority Key Identifier:
            DirName:/C=CA/ST=N/A/L=N/A/O=Myorg Intl./OU=Myorg/CN=zimbra.myorg.com
            serial:00

            X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
Certificate is to be certified until Mar 28 21:41:39 2012 GMT (1825 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=zimbra.myorg.com
Getting CA Private Key
unable to write 'random state'

Am I doing something wrong?
Thanks!
__________________
[Working together for better community]
Reply With Quote
  #8 (permalink)  
Old 03-31-2007, 12:38 AM
Zimbra-Yahoo Consultant
 
Posts: 5,608
Default

Search the wiki for that term.
I think you'll find your answer
Reply With Quote
  #9 (permalink)  
Old 04-25-2007, 09:10 PM
Active Member
 
Posts: 29
Default

So unless I'm mistaken, with all of the beautiful support for multiple domains (translated customers for an ASP-type hosting provider), support for multiple SSL certificates per one Zimbra instance is not available, correct?

This seems to be contrary to KevinH's posting here:
3.2/Virtual Domains/SSL Certificates
where he states "I think that is correct. Please file this in bugzilla, as support for multiple domains/certs is the right way to go."

I understand this may be a limitation of the underlying software, e.g. tomcat, but I just want to be certain that if a hosting provider wanted to offer Zimbra to business A at https: //acme.com and business B at https: //bingo.com using the same Zimbra instance, this is currently not possible.
Reply With Quote
  #10 (permalink)  
Old 04-26-2007, 09:24 AM
Intermediate Member
 
Posts: 16
Default

Even with one domain and one cert, I still can’t change the ‘/C= /O= /OU=’ data to my own, as in my previous post in this thread. It is still using the default ‘zimbra’, not ‘myorg’. Has anyone changed it successfully? Please help!

Hk
__________________
[Working together for better community]
Reply With Quote