
Thread: Commercial SSL Certificate with ZCS 8.0.5 - Error "Keysize should be at least 2048"

  1. #1
    pdeclerc is offline New Member

    Hello,

    I'm trying to deploy a commercial SSL certificate on a newly installed ZCS Open Source v8.0.5.

    Trying to introduce the CSR generated from the administration console or the CLI with several SSL CAs, I systematically get the error that the key size should be at least 2048 bits.

    I found a provider www.sslcertificaten.nl which allows me to introduce the CSR before paying, and every time I try I get the same error message.

    I tried all the different possibilities there are, including an online-generated server key (instead of the one provided on the server itself) private key and CA chain, all in vain.

    Frustrated, I'm going to deploy a new ZCS 7 install, and do an upgrade to ZCS 8 and try again.
    Any ideas what could be wrong?

    Thanks,
    Peter Declercq

  2. #2
    pdeclerc is offline New Member

    For info, with ZCS 7.2.5 the CSR created via the administration console is accepted without an issue.

  3. #3
    pdeclerc is offline New Member

    After upgrade from ZCS 7.2.5 to 8.0.5, creating a new CSR, it is refused by the certificate authority, again with the key length error.
    As I have several users complaining that with MS Outlook they get an SSL warning every time they start Outlook.
    This test means that if I upgrade a ZCS 7 to 8 with an existing SSL cert it will not be possible to generate a new one!

  4. #4
    LMStone is offline Moderator

    Originally posted by pdeclerc:
    After upgrade from ZCS 7.2.5 to 8.0.5, creating a new CSR, it is refused by the certificate authority, again with the key length error.
    As I have several users complaining that with MS Outlook they get an SSL warning every time they start Outlook.
    This test means that if I upgrade a ZCS 7 to 8 with an existing SSL cert it will not be possible to generate a new one!

    The existing Zimbra scripts run behind the Admin Console use a 1024-bit key length; you'll need to create the CSR via the command line and specify the 2048-bit key length.

    Here's the wiki article: https://wiki.zimbra.com/wiki/Adminis...tificate_Tools

    In the example command line to create the Certificate Signing Request for a commercial certificate, just include " -keysize 2048" after the "-new" parameter and you should be all set.

    Hope that helps,
    Mark

  5. #5
    pdeclerc is offline New Member

    Hi,

    Zimbra support provided me with the following command:

    /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 "/C=US/ST=STATE/L=LOCATION/O=ORGANIZATION/CN=SERVERNAME.COM" -subjectAltNames SERVERNAME2.COM

    After this the CSR was accepted.
    Strange that in ZCS 7.2.5 the procedure via the web management interface worked fine, and in 8.0.5 it doesn't. The web interface allows you to change the key length to 2048.

    Anyway: Solved
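
A pre-submission check for the problem in this thread, as an added example that is not part of any post here and is not Zimbra's own tooling: it reads the key size out of a CSR with `openssl` and rejects anything under 2048 bits before the file goes to a CA. The function names, `MIN_BITS`, and the sample CSRs (generated with throwaway keys and the placeholder subject from the command above) are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: gate a CSR on its RSA key size before sending it to a CA.
# MIN_BITS, csr_key_bits, csr_check, make_sample_csr and demo are names
# chosen for this example; they are not part of zmcertmgr.
MIN_BITS=2048

# Print the public-key size in bits recorded in a PEM CSR (empty if unparsable).
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit status: 0 = key size acceptable, 1 = key too small, 2 = not a readable CSR.
csr_check() {
    local bits
    bits=$(csr_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: could not read a public key size" >&2
        return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "$1: ${bits}-bit key, below the ${MIN_BITS}-bit minimum" >&2
        return 1
    fi
    echo "$1: ${bits}-bit key, OK"
}

# Constructed sample input: a throwaway key and CSR with placeholder subject fields.
make_sample_csr() {  # usage: make_sample_csr BITS OUTFILE
    openssl req -new -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -subj "/C=US/ST=STATE/L=LOCATION/O=ORGANIZATION/CN=SERVERNAME.COM" 2>/dev/null
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1
    make_sample_csr 1024 "$dir/small.csr"
    make_sample_csr 2048 "$dir/good.csr"
    csr_check "$dir/small.csr"   # the size the CAs in this thread refused
    csr_check "$dir/good.csr"
    rm -rf "$dir"
}
demo
```

On a Zimbra server, point `csr_check` at the CSR file that `zmcertmgr createcsr` wrote instead of the generated samples.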

  6. #6
    quanah is offline Zimbra Employee

    Just to note that the default key size has been upgraded to 2048 in 8.0.6.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  7. #7
    BarBaar is offline Active Member

    Originally posted by quanah:
    Just to note that the default key size has been upgraded to 2048 in 8.0.6.

    Sorry, just noticed the admin page is still rendering a 1024-bit key. The option of 2048 is available, but doesn't seem to work.

    I also think it would be nice to add 4096 as key size.

  8. #8
    quanah is offline Zimbra Employee

    If you use zmcertmgr, you can specify whatever keysize you want. I do not advise using the admin console for certs.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc

  9. #9
    tiagoaviz is offline Starter Member

    Just had this problem here.

    It would be nice if the GUI was corrected to generate 2048-bit CSRs. Much simpler to do this.

  10. #10
    LMStone is offline Moderator

    Originally posted by tiagoaviz:
    Just had this problem here.
    It would be nice if the GUI was corrected to generate 2048-bit CSRs. Much simpler to do this.

    To my recollection this is scheduled to be fixed in 8.0.7, but with pm.zimbra.com still not fully functional, I can't confirm.

    Hope that helps,
    Mark
