ZCS 6 and Thawte 2048 bit certs

#1 (permalink)
10-18-2011, 05:44 PM
Intermediate Member
Posts: 18

We use Thawte for SSL certs and recently had to renew. Certs with a 2048 bit key are now required, and we had to follow something along the lines of this post to get it done:

New GeoTrust SSL certificates and Android users

where we used the newer root CA cert from Thawte and the two intermediates bundled, all in the commercial_ca.crt file - this was the only combination that would get past the verifycrt step of the zmcertmgr tool and deploy successfully. Also we had to modify the zmcertmgr tool because 1024 key size is hardcoded.

All seems OK, but we fail any SSL cert validation tools such as https://ssl-tools.verisign.com - it looks as if we should not be including the root CA cert in the file, but there's no other way to get it to pass the verification step.

Has anyone else successfully deployed a 2048 bit Thawte cert that passes an SSL checker? Thanks.

#2 (permalink)
10-19-2011, 01:20 PM
Partner (VAR/HSP)
Posts: 425

We have exactly the same problem. It works, but all verification tools complain about the root cert.
Mobile devices seem to accept the cert, but Windows Mobile needs to import the new cert into the device. Some Android phones also complain about the cert, as do some proxy servers.

Any suggestions anyone?

#3 (permalink)
10-19-2011, 05:46 PM
Intermediate Member
Posts: 18

I opened a ticket with Zimbra support and they basically told me that it appears to be working as designed as far as they are concerned and that we should talk to Thawte about it. I may try to engage them and see what they say, but my guess is that it is going to come down to finger pointing at the tooling that deploys the certs.
Reply With Quote
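
The following is an added example, not part of the thread and not Zimbra's or Thawte's own tooling: a shell function that splits a PEM bundle such as the commercial_ca.crt described in the first post and marks which entries are self-issued roots, so you can see exactly what a deployed chain file contains before running an external SSL checker. It assumes `awk` and the `openssl` CLI are on PATH; the function names and the demo certificates are constructed for illustration.

```shell
# Added example. Assumes awk and the openssl CLI are on PATH.
# classify_bundle FILE: print "<n> <root|non-root> <subject>" per certificate.
classify_bundle() {
    cb_dir=$(mktemp -d) || return 1
    # Split the bundle into one PEM file per certificate.
    awk -v dir="$cb_dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    cb_n=0
    for cb_f in "$cb_dir"/*.pem; do
        [ -e "$cb_f" ] || continue
        cb_n=$((cb_n + 1))
        cb_subj=$(openssl x509 -in "$cb_f" -noout -subject -nameopt RFC2253) || continue
        cb_iss=$(openssl x509 -in "$cb_f" -noout -issuer -nameopt RFC2253) || continue
        cb_subj=${cb_subj#subject=}; cb_iss=${cb_iss#issuer=}
        # Subject equal to issuer: self-issued, treated here as a root CA entry.
        if [ "$cb_subj" = "$cb_iss" ]; then cb_kind=root; else cb_kind=non-root; fi
        printf '%s %s %s\n' "$cb_n" "$cb_kind" "$cb_subj"
    done
    rm -rf "$cb_dir"
}

# count_roots FILE: number of self-issued entries in the bundle.
count_roots() { classify_bundle "$1" | awk '$2 == "root"' | wc -l | tr -d ' '; }

# make_demo_bundle DIR: constructed sample data (throwaway root + leaf), written
# leaf-first to DIR/bundle.pem. Subject names are hypothetical.
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null &&
    cat "$1/leaf.pem" "$1/root.pem" > "$1/bundle.pem"
}
```

Run `classify_bundle` against the chain file you deployed; any line marked `root` is a self-issued certificate in that file.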