Results 1 to 6 of 6

Thread: Installing SSL Cert question/issues with ZCS 8

  1. #1
    Stephen J is offline Member
    Join Date
    Dec 2011
    Posts
    13
    Rep Power
    3

    Default Installing SSL Cert question/issues with ZCS 8

    I have an x.509 Certificate, an RSA Private Key and an Intermediate CA Certificate. All in PEM format. They are valid, wildcard certificates and were provided to me by our web developers. I am installing Zimbra 8.0 NE and need to get that certificate installed. Why do they require the generation of a CSR. I generated one and now it is asking for Certificate, Root CA and Intermediate CA. I can't determine how those correlate to what I have. A little clarifying direction would be appreciated.

    Thanks,
    Stephen

  2. #2
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,484
    Rep Power
    56

    Default

    Take a look at the wiki article on Certificate Tools.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Stephen J is offline Member
    Join Date
    Dec 2011
    Posts
    13
    Rep Power
    3

    Default

    Thanks for the pointer Phoenix. I read through that and attempted to use the information without success. I found this post on the forums which looked to be exactly what I needed. [SOLVED] how to install separate external SSL certificate?
    I followed those instructions very carefully. I copied my cert and key into the /opt/zimbra/ssl/zimbra/commercial/ directory. I renamed them commercial.crt, commercial.key then I cat'd the GeoTrust_Global_CA.cer with the QuickSSL_CA_Bundle.pem and renamed them to commercial_ca.crt. I also tried just using the Equifax_Secure_Certificate_Authority.cer renamed to commercial_ca.crt. I received the following error when trying to run "zmcertmgr verifycrt comm commercial.crt commercial_ca.crt" with either scenario.

    ** Verifying commercial_ca.crt against commercial.crt
    unable to load Private Key
    140226276013736:error:0906D06C:PEM routines:PEM_read_bio:no start lineem_lib.c:696:Expecting: ANY PRIVATE KEY
    XXXXX ERROR: Unmatching certificate (commercial_ca.crt) and private key (commercial.crt) pair.

    The error seems to be referring to a problem with the private key. I know the private key that I put in the ../commercial folder is correct because I got the whole package from our website admins today. So, this is my theory. I did generate a csr at first since the Zimbra GUI would not let me get to the cert upload screen without it. I moved all the files from the ../zimbra/commercial/ folder into a backup and replaced them with the files I had. I am wondering if the private key that was generated by the GUI is saved somewhere else in the system and that is what it is attempting to load. (shrug)
    When I run zmcertmgr verifycrtchain commercial_ca.crt commercial.crt it returns "unable to get local issuer certificate".


    Thanks in advance,
    Stephen

  4. #4
    cavj1 is offline Active Member
    Join Date
    Jul 2011
    Location
    NY
    Posts
    40
    Rep Power
    3

    Default

    Stephen...

    Were you able to figure this out? I have the root and intermediate certs from RapidSSL (GeoTrust) and I have a bunch of different certs that they provide for webservers, plesk, apache, etc. When I try to use the GUI to install the cert it tells me I must choose a certificate file. All files are crt files and when opening show that they are a certificate file. The error does not make any sense. I have a support ticket open but they have been slow to respond. Would like to resolve this sooner than later and I need to keep this project moving forward.

    Thanks
    Joe

  5. #5
    Stephen J is offline Member
    Join Date
    Dec 2011
    Posts
    13
    Rep Power
    3

    Default

    Yes, I did get it figured out. I was going to post the result but hadn't had a chance yet. I will do it now while it is fresh.

    The answer to the problem in my first post is this link Administration Console and CLI Certificate Tools - Zimbra :: Wiki
    If you already have the Certs and Keys, skip the first 2 steps. You will need to have your Root and intermediate certificates, your .crt and your .key file all copied to the server. SCP is a good way to do this. Uploading them isn't really possible, or at least easy using the GUI, if there is a way. I know the GUI does not provide for uploading a previously obtained key so that will have to be done via scp or equivalent. The instructions assume you generated a .csr. When you generate the csr (certificate signing request) it creates a private key file in the ../commercial/ folder. Delete this and copy your .key file to the folder. You can also delete the .csr file. Follow the directions from there. You will need to SCP your Root CA, your crt and any intermediate CAs into this folder. Just follow the instructions.

    My second post outlined a very simple and obvious problem in the form of a typo. I was trying to verify the commercial.crt against the commercial_ca.crt. verifycrt is for verifying the commercial.crt against he commercial.key.

    Stephen

  6. #6
    cavj1 is offline Active Member
    Join Date
    Jul 2011
    Location
    NY
    Posts
    40
    Rep Power
    3

    Default

    Thank you for your reply. Your directions were the same that RapidSSL (GeoTrust) sent me when I e-mailed support. The only issue I did run into was at the end of my commercial certificate I had to put a carriage return as the -----BEGIN----- for the intermediate certificate when combined was starting on the wrong line.

    Thanks again...
    Joe

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Installing SSL Cert to Zimbra 7.0
    By wifi_guy in forum Installation
    Replies: 0
    Last Post: 03-27-2011, 03:59 PM
  2. installing a thawte ssl cert
    By richardw in forum Administrators
    Replies: 0
    Last Post: 01-27-2011, 02:03 PM
  3. installing a thawte ssl cert
    By richardw in forum Installation
    Replies: 0
    Last Post: 01-27-2011, 02:03 PM
  4. Having GoDaddy cert issues after cert expired
    By jongra in forum Administrators
    Replies: 0
    Last Post: 06-14-2009, 08:17 PM
  5. Question installing commercial SSL cert
    By jigi in forum Administrators
    Replies: 0
    Last Post: 02-13-2006, 12:29 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •