I am having trouble integrating my test architecture within an existing PKI. The architecture I work on is described in this thread: Multi server installation with LDAP replication
My goal here is to get rid of Zimbra's self-signed certificates and replace them with certificates signed by my PKI. (The next goal after this integration would be to authenticate the users themselves in order to have an architecture with two-factor authentication (users' certificates + their logins).)
I have read the wiki and browsed the forum, and the main sources of information that I could find are the following:
Category:Certificates - Zimbra :: Wiki
[SOLVED] Rolling Your Own CA and Installing Certificates in Zimbra [Outdated]
I am currently following these instructions: Administration Console and CLI Certificate Tools - Zimbra :: Wiki
I made a CSR from the admin GUI (selecting "all servers") and signed it on my PKI. I have two files: the certificate itself and the corresponding certificate chain. I checked the response:
[root@mailbox01 zimbra]# /opt/zimbra/bin/zmcertmgr verifycrtkey comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/cert.crt
** Verifying /root/cert.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/cert.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
I moved the response to the appropriate folder:
[root@mailbox01 zimbra]# cp /root/cert.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
I then tried to deploy the certificate:
[root@mailbox01 zimbra]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt: C = FR, ST = bla, L = foo, O = bar, CN = mailbox01.office.foo.bar
error 20 at 0 depth lookup:unable to get local issuer certificate
XXXXX ERROR: provided cert isn't valid.
I understand that I need to install the authority corresponding to my PKI inside Zimbra (as this is not a public one), but I cannot figure out where to do that...
Has anyone already gone through this kind of thing?
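The "error 20 at 0 depth lookup:unable to get local issuer certificate" line above is OpenSSL's way of saying that the file given as the CA chain does not contain the certificate that issued the server certificate; copying the server certificate itself to commercial_ca.crt cannot satisfy that check, since the chain file must hold the issuing CA (and any intermediates). The script below is an added example, not Zimbra's code or anything from the linked wiki pages: it builds a throwaway PKI with openssl (a root CA, a server certificate it signed, and an unrelated second CA) and reproduces the two checks an admin wants to pass before running zmcertmgr deploycrt, namely that the private key matches the certificate (what verifycrtkey reports as "match") and that the certificate chains up to a CA in the chain file. All subjects, file names and the mailbox01.example.test hostname are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Zimbra's code): reproduce "error 20 ... unable to get local
# issuer certificate" with a throwaway PKI, and run the two checks an admin wants
# before zmcertmgr deploycrt: (1) key matches cert, (2) cert chains to the CA file.
# All file names and subjects below are constructed for the demo.
set -u

# make_demo_pki DIR: build an in-house root CA, a server cert it signed for
# mailbox01.example.test, and an unrelated second CA (the "wrong chain" case).
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/C=XX/O=Demo/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=XX/O=Demo/CN=mailbox01.example.test" \
    -keyout "$dir/commercial.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 30 -CAcreateserial \
    -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -out "$dir/cert.crt" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/C=XX/O=Demo/CN=Unrelated CA" \
    -keyout "$dir/other_ca.key" -out "$dir/other_ca.crt" >/dev/null 2>&1 || return 1
}

# key_matches_cert CERT KEY: 0 when the certificate's public key equals the
# public half of the private key (the check verifycrtkey reports as "match").
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CERT CAFILE: 0 when CERT chains up to a CA in CAFILE. When the
# issuing CA is missing from CAFILE, openssl fails with the same
# "unable to get local issuer certificate" at depth 0 seen in the post.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# preflight CERT KEY CAFILE: run both checks, print a verdict, 0 only if both pass.
preflight() {
  if ! key_matches_cert "$1" "$2"; then
    echo "FAIL: $1 does not match $2"; return 1
  fi
  if ! chain_verifies "$1" "$3"; then
    echo "FAIL: $1 does not chain to a CA in $3 (issuing CA missing from chain file?)"; return 1
  fi
  echo "OK: $1 matches $2 and chains to a CA in $3"
}

# Stand-alone run: the real chain file passes, the unrelated CA fails.
demo=$(mktemp -d)
make_demo_pki "$demo"
preflight "$demo/cert.crt" "$demo/commercial.key" "$demo/ca.crt"
preflight "$demo/cert.crt" "$demo/commercial.key" "$demo/other_ca.crt" || true
rm -rf "$demo"
```

Running it prints one OK line for the matching CA file and one FAIL line for the unrelated one; the same preflight can be pointed at the real files (/root/cert.crt, commercial.key and the chain file returned by the PKI) before deploying. As I read the wiki page linked above, deploycrt takes the chain as a second argument (zmcertmgr deploycrt comm <cert> <ca-chain>), so the file handed to it should be the chain from the PKI rather than a copy of the server certificate; verify that against the current wiki for your Zimbra version.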