If you mean the internal certs that expire after 1 year, this worked for me:
As root, on the LDAP master only, create a new 10-year CA:
/opt/zimbra/bin/zmcertmgr createca -new -days 3650
/opt/zimbra/bin/zmcertmgr deployca
/opt/zimbra/bin/zmcertmgr deploycrt self -allserver
This command should now install the CA cert to each of your other mail servers. The output looks something like this for each server that it iterates through:
Code:
STARTCMD: mail07.mydomain.org sudo /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
ENDCMD: mail07.mydomain.org sudo /opt/zimbra/bin/zmcertmgr deploycrt self
Check on each server that your CA cert stuff in /opt/zimbra/ssl/zimbra/ca/ is updated; if not, you might have to manually copy them over from your LDAP master.
Then on each of your mail servers, run these to create the cert proper:
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
Hope this helps.
Release 7.2.0_GA_2669.UBUNTU10_64 UBUNTU10_64 FOSS edition
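
One way to do the per-server check described in the post above, using the openssl command line. This is an added example, not part of the original post and not Zimbra code; the function names are hypothetical and the certificate file paths are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the post, not Zimbra code). Function names are
# hypothetical; certificate paths are supplied by the caller.

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if certificate $2 verifies against CA certificate $1.
cert_issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_node CA_FILE CERT_FILE MASTER_CA_FINGERPRINT MIN_DAYS
# Reports every problem found and returns non-zero if there was any.
check_node() {
    ca=$1; crt=$2; master_fp=$3; min_days=$4; rc=0
    if [ "$(cert_fingerprint "$ca")" != "$master_fp" ]; then
        echo "FAIL: $ca is not the CA from the LDAP master"; rc=1
    fi
    if ! cert_valid_for_days "$ca" "$min_days"; then
        echo "FAIL: $ca expires within $min_days days"; rc=1
    fi
    if ! cert_valid_for_days "$crt" "$min_days"; then
        echo "FAIL: $crt expires within $min_days days"; rc=1
    fi
    if ! cert_issued_by "$ca" "$crt"; then
        echo "FAIL: $crt was not signed by $ca"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $crt chains to the master CA"
    return "$rc"
}

# Stand-alone use: script CA_FILE CERT_FILE MASTER_CA_FINGERPRINT MIN_DAYS
if [ "$#" -eq 4 ]; then
    check_node "$@" || exit 1
fi
```

Get the reference fingerprint by running cert_fingerprint on the CA certificate on the LDAP master, then run check_node on each mail server against its local copy of the CA and its deployed server certificate.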