This is my Zimbra setup:
MTA1 (where the primary LDAP is also running)
MTA2 (where the secondary LDAP is also running)
Since Zimbra 7.X ships with a one-year certificate by default, we installed a 10-year certificate with the commands below.
Zimbra must be running on all nodes. Then,
on mta1 (where the primary LDAP is running)
1. /opt/zimbra/bin/zmcertmgr createca -new
2. /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650 -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=*.example.com"
3. /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
on all 3 nodes
4. /opt/zimbra/bin/zmcertmgr viewdeployedcrt
5. on mta1 (where the primary LDAP is running)
scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mta2:/opt/zimbra/conf/ca/
scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mailbox:/opt/zimbra/conf/ca/
6. on mta1, mta2 and mailbox
/opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/ca.pem
5. On ALL nodes
su - zimbra -c 'zmcontrol restart'
Everything works fine. Now we need to install a commercial certificate.
I found the URL below:
multi-node commercial certificate installation?
I need a little bit of help.
My Zimbra setup has 3 servers (mailbox.example.com, mta1.example.com and mta2.example.com), and users want to access webmail (i.e. https://mailbox.example.com).
For that purpose, how can I begin?
First, do I have to run the command below?
Then, I think I first have to create a .csr in this way (since I have 3 servers, I need it as a wildcard):
/opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=*.example.com"
It generates 2 files, commercial.key and commercial.csr.
Am I right?
Should I run this command on all 3 servers, or on one server and then copy commercial.key and commercial.csr to the other 2 servers? Please answer.
Then I will have to send this CSR to an SSL provider to buy a commercial.crt.
Am I right so far?
Then, what else will I have to do?
Hope to hear from you...
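
Added example, not part of the original post: a pre-submission check for the commercial.key / commercial.csr pair described above, confirming that the CSR verifies, belongs to that key, carries the wildcard CN and meets the key size. The function names, the temporary directory and the sample subject are assumptions made for illustration; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: sanity-check a key/CSR pair before the CSR is sent to a CA.
# File locations and the sample subject are constructed for illustration.

# SHA-256 of a PEM public key read from stdin, independent of PEM formatting.
pub_fp() { openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256; }

# check_csr KEY CSR EXPECTED_CN MIN_BITS  -> returns 0 only if every check passes
check_csr() {
    key=$1; csr=$2; want_cn=$3; min_bits=$4
    # 1. The CSR's self-signature must verify (catches a truncated or edited file).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify"; return 1; }
    # 2. The CSR must carry the public half of this private key.
    csr_fp=$(openssl req -in "$csr" -noout -pubkey | pub_fp)
    key_fp=$(openssl pkey -in "$key" -pubout 2>/dev/null | pub_fp)
    [ -n "$csr_fp" ] && [ "$csr_fp" = "$key_fp" ] ||
        { echo "FAIL: CSR was not generated from this key"; return 1; }
    # 3. The subject CN must be exactly the name that was requested.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    [ "$cn" = "$want_cn" ] ||
        { echo "FAIL: CN is '$cn', expected '$want_cn'"; return 1; }
    # 4. The key must be at least the size asked for with -keysize.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "FAIL: key is ${bits:-0} bits, need $min_bits"; return 1; }
    echo "OK: CN=$cn, $bits-bit key, CSR matches key"
}

# make_sample DIR: write a constructed 2048-bit key and wildcard CSR into DIR.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/commercial.key" \
        -out "$1/commercial.csr" -subj "/C=US/O=Example/CN=*.example.com" 2>/dev/null
}

# Demo on constructed files; the private key never leaves the temp directory.
tmp=$(mktemp -d) && make_sample "$tmp" &&
    check_csr "$tmp/commercial.key" "$tmp/commercial.csr" '*.example.com' 2048
rm -rf "$tmp"
```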