
Thread: CA https

  1. #1
    padraig is offline Elite Member
    Join Date
    Jul 2006
    Location
    ireland
    Posts
    388
    Rep Power
    8

    Default CA https

    Hi,
    Is it possible to set the certificate expiry date on the Zimbra server to longer than 365 days, e.g. 3650 days?

    thanks,
    Padraig.

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56

    Default

    Yes, it's been covered in the forums; do a quick search.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    padraig is offline Elite Member
    Join Date
    Jul 2006
    Location
    ireland
    Posts
    388
    Rep Power
    8

    Smile

    Excellent solution at
    http://wiki.zimbra.com/index.php?tit...icate_Problems
    Thanks, phoenix.

  4. #4
    padraig is offline Elite Member
    Join Date
    Jul 2006
    Location
    ireland
    Posts
    388
    Rep Power
    8

    Question default_days

    Hi,

    I tried these steps and all seemed to work.
    I updated the default_days in /opt/zimbra/conf/zmssl.cnf.in to 3650 and the generated cert seems to have the correct expiry date.

    Yet when I go to my web page https://myzimba/
    and examine the cert, it says it will expire in 365 days.

    Any ideas?
    TIA,
    Padraig.

  5. #5
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56

    Default

    Did you restart tomcat?
    Regards


    Bill



  6. #6
    padraig is offline Elite Member
    Join Date
    Jul 2006
    Location
    ireland
    Posts
    388
    Rep Power
    8

    Default

    Yes,
    I also rebooted the server but the cert is just for 365 days.
    I also deleted all Zimbra certs on my browser.

  7. #7
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56

    Default

    Have a look at this script and check your expiry with that.
    Regards


    Bill



  8. #8
    padraig is offline Elite Member
    Join Date
    Jul 2006
    Location
    ireland
    Posts
    388
    Rep Power
    8

    Default

    Thanks phoenix,
    the cert on my server IS for a year (365 days), see:

    keytool -list -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -v -storepass changeit
    Owner: O=Zimbra Collaboration Suite, L=N/A, ST=N/A, C=US
    Issuer: O=Zimbra Collaboration Suite, L=N/A, ST=N/A, C=US
    Serial number: 0
    Valid from: Tue Nov 14 14:46:21 GMT 2006 until: Wed Nov 14 14:46:21 GMT 2007

    keytool -list -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -v -storepass zimbra
    Alias name: tomcat
    Creation date: Nov 14, 2006
    Entry type: keyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=localhost, OU=Zimbra, O=Zimbra, L=NA, ST=NA, C=US
    Issuer: O=Zimbra Collaboration Suite, L=N/A, ST=N/A, C=US
    Serial number: 3
    Valid from: Tue Nov 14 14:46:25 GMT 2006 until: Wed Nov 14 14:46:25 GMT 2007

    However, when I use zmcreatecert:

    zmcreatecert
    ** Importing CA

    Certificate was added to keystore
    ** Creating keystore

    ** Creating server cert request

    Generating a 1024 bit RSA private key
    .................................................. ++++++
    ..............++++++
    unable to write 'random state'
    writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
    -----
    ** Signing cert request

    Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 2 (0x2)
    Validity
    Not Before: Nov 14 15:21:55 2006 GMT
    Not After : Nov 11 15:21:55 2016 GMT
    Subject:
    countryName = US
    stateOrProvinceName = N/A
    organizationName = Zimbra Collaboration Suite
    commonName = localhost
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:

    X509v3 Authority Key Identifier:
    DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite
    serial:00

    X509v3 Key Usage:
    Digital Signature, Non Repudiation, Key Encipherment
    Certificate is to be certified until Nov 11 15:21:55 2016 GMT (3650 days)

    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=localhost
    Getting CA Private Key
    unable to write 'random state'


    Then I issue:
    zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt

    zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key

    zmcontrol stop
    zmcontrol start

  9. #9
    padraig is offline Elite Member
    Join Date
    Jul 2006
    Location
    ireland
    Posts
    388
    Rep Power
    8

    Thumbs down

    It's a bug!

    "-days 365" is hardcoded into:
    zmcreateca and zmcreatecert

    default_days in /opt/zimbra/conf/zmssl.cnf.in is ignored
    see:
    http://bugzilla.zimbra.com/show_bug.cgi?id=12228
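
The comparison made by hand in posts #8 and #9, as an added example that is not part of the original thread: it parses `keytool -list -v` and `openssl` text output, computes each certificate's lifetime in days, and reports any that differ from the configured default_days. Function names are hypothetical, the sample input is constructed from lines quoted above, and both timestamps of a certificate are assumed to be in the same time zone.

```python
import re
from datetime import datetime

EXPECTED_DAYS = 3650  # the default_days value set in zmssl.cnf.in in the thread

# Constructed sample input: lines taken from the two outputs quoted in post #8.
KEYTOOL_OUT = """Alias name: tomcat
Serial number: 3
Valid from: Tue Nov 14 14:46:25 GMT 2006 until: Wed Nov 14 14:46:25 GMT 2007
"""
OPENSSL_OUT = """Serial Number: 2 (0x2)
Not Before: Nov 14 15:21:55 2006 GMT
Not After : Nov 11 15:21:55 2016 GMT
"""

# keytool -v date: "<dow> <mon> <day> <time> <tz> <year>"
_KT_DATE = r"\w{3} (\w{3}) +(\d+) ([\d:]{8}) \w+ (\d{4})"
_KEYTOOL = re.compile(
    rf"Serial number: (\w+)\s+Valid from: {_KT_DATE} until: {_KT_DATE}")
# openssl text date: "<mon> <day> <time> <year> GMT"
_OS_DATE = r"(\w{3}) +(\d+) ([\d:]{8}) (\d{4}) GMT"
_OPENSSL = re.compile(
    rf"Serial Number: (\w+).*?Not Before: {_OS_DATE}\s+Not After ?: {_OS_DATE}",
    re.S)


def _ts(mon, day, time, year):
    # Time zone token is dropped: only the difference between the two ends matters.
    return datetime.strptime(f"{mon} {day} {time} {year}", "%b %d %H:%M:%S %Y")


def cert_lifetimes(text):
    """Return [(serial, lifetime_in_days)] for every certificate found in text."""
    found = []
    for pattern in (_KEYTOOL, _OPENSSL):
        for m in pattern.finditer(text):
            g = m.groups()  # serial, then (mon, day, time, year) for start and end
            found.append((g[0], (_ts(*g[5:9]) - _ts(*g[1:5])).days))
    return found


def mismatches(text, expected=EXPECTED_DAYS):
    """Certificates whose lifetime differs from the configured default_days."""
    return [(serial, days) for serial, days in cert_lifetimes(text) if days != expected]


if __name__ == "__main__":
    for serial, days in mismatches(KEYTOOL_OUT + OPENSSL_OUT):
        print(f"serial {serial}: valid for {days} days, expected {EXPECTED_DAYS}")
```

Feeding it the keystore listing alongside the signing output shows at a glance whether the certificate actually installed is the one that was just signed, since the serial numbers and lifetimes appear side by side.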

  10. #10
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56

    Default

    Shame. Don't forget to vote on that bug if you want to add your weight to its resolution.
    Regards


    Bill

