So I worked on sorting this out manually and came up with some results that I thought others might benefit from, so here goes.
Here are the tools you need to be intimately familiar with.
1) openssl
2) keytool
Here are the commands to be familiar with
Generate a new key within the keystore
keytool -genkey -alias tomcat -keypass zimbra -keystore keystore -validity 3650 -keyalg RSA -keysize 2048
Generate a certificate signing request (once you generate a key in the keystore)
keytool -certreq -file tomcat.csr -alias tomcat -keystore keystore
Import a Certificate Authority certificate
keytool -import -file my-ca.pem -keystore keystore -alias my-ca
Import your tomcat certificate after being signed by a CA
keytool -import -file tomcat.cer -keystore keystore -alias tomcat
Delete an entry in the keystore
keytool -delete -alias my-ca -keystore keystore
Set a keystore password
keytool -keypasswd -alias tomcat -keystore keystore
Convert p12 to pem format
openssl pkcs12 -in myfile.p12 -out myfile.pem -nodes -nocerts
More here:
- keytool - Key and Certificate Management Tool
- Certificates and Private Keys
1) OpenLDAP
- /opt/zimbra/conf/slapd.key
- /opt/zimbra/conf/slapd.crt
2) Perdition
- /opt/zimbra/conf/perdition.pem
- /opt/zimbra/conf/perdition.key
3) SMTPD
- /opt/zimbra/conf/smtpd.crt
- /opt/zimbra/conf/smtpd.key
4) Certificate Authority
- /opt/zimbra/ssl/ssl/ca/ca.pem
- /opt/zimbra/ssl/ssl/ca/ca.key
5) Server (not sure?)
- /opt/zimbra/ssl/ssl/server/server.key
- /opt/zimbra/ssl/ssl/server/server.crt
6) Tomcat
- /opt/zimbra/ssl/ssl/server/tomcat.crt
- /opt/zimbra/tomcat/conf/keystore (contains tomcat cert/privkey entry)
The first thing I did was try to figure out what each of these certificates was used for and whether they were all a single certificate with different filenames, or something else. As it turns out, to get everything working with your own certificates, you must deal with at least three certificates and their corresponding private keys.
Three certificates you need to be familiar with.
1) Tomcat certificate
- /opt/zimbra/ssl/ssl/server/tomcat.crt
- /opt/zimbra/tomcat/conf/keystore
2) Certificate Authority certificate
- /opt/zimbra/ssl/ssl/ca/ca.pem
- /opt/zimbra/ssl/ssl/ca/ca.key (only needed if you sign certs on the local system)
3) Certificate used by other services (e.g., imap, slapd, smtpd, etc)
- /opt/zimbra/conf/slapd.crt
- /opt/zimbra/conf/slapd.key
- /opt/zimbra/conf/perdition.pem
- /opt/zimbra/conf/perdition.key
- /opt/zimbra/conf/smtpd.crt
- /opt/zimbra/conf/smtpd.key
- /opt/zimbra/ssl/ssl/server/server.crt
- /opt/zimbra/ssl/ssl/server/server.key
Note: The certificates and corresponding keys are all the same for those in (3) right above. So once you create the .crt and .key files, you just copy them to a new name a few times. Hope that makes sense.
General procedure I followed for getting this all working (some you might have to do as root).
1) Stop zimbra services via 'zmcontrol stop'
2) Make a backup of zimbra 'cp -R /opt/zimbra /opt/zimbra.bkp'
3) Delete all keys currently in keystore. Typically, this is just the tomcat entry. Here's how you'd delete a single key with the alias name 'tomcat'.
keytool -delete -alias tomcat -keystore keystore
4) Generate a new key with an alias of tomcat
keytool -genkey -alias tomcat -keypass zimbra -keystore keystore -validity 3650 -keyalg RSA -keysize 2048
5) Export the key from the keystore as a certificate signing request
keytool -certreq -file tomcat.csr -alias tomcat -keystore keystore
6) Sign the certificate (with your own, or another CA). I don't have an exact procedure here since everyone might do it differently. You'll need to export that signed certificate (assuming tomcat.cer) and the CA certificate (assuming my-ca.pem) that signed it in PEM format.
7) Import the certificate authority certificate into the keystore. This is sometimes required so that when you import your signed certificate in the next step, you don't get an error about the certificate chain.
keytool -import -file my-ca.pem -keystore keystore -alias my-ca
8) Import the signed certificate back into the keystore
keytool -import -file tomcat.cer -keystore keystore -alias tomcat
9) Delete the certificate authority certificate, since you don't really need it afterwards once the key has been imported:
keytool -delete -alias my-ca -keystore keystore
10) Install the CA certificate in PEM format
Copy the CA cert to /opt/zimbra/ssl/ssl/ca/ca.pem
Next, you have to generate a certificate and have it signed by a certificate authority (yours or an external one). This will be the certificate used by those "other services". I'm not going to go into those details, but when all is said and done, you need to have the certificate and its corresponding key in PEM format. That's where the next steps pick up.
11) Update the following files to contain the contents of the certificate you just created:
- /opt/zimbra/conf/slapd.crt
- /opt/zimbra/conf/perdition.pem
- /opt/zimbra/conf/smtpd.crt
- /opt/zimbra/ssl/ssl/server/server.crt
Note: The contents of all these files should be the same.
12) Update the following files to contain the contents of your certificate's private key:
- /opt/zimbra/conf/slapd.key
- /opt/zimbra/conf/perdition.key
- /opt/zimbra/conf/smtpd.key
- /opt/zimbra/ssl/ssl/server/server.key
Note: The contents of all these files should be the same.
At this point, you have:
- Generated a certificate for use by tomcat, had it signed, and updated your keystore to contain that certificate and corresponding private key (without the help of zmcreateca or zminstallcert).
- Installed the certificate authority public certificate into the right place
- Installed all the .key and .crt files necessary for "other services".
Next up, you should probably fix the permissions.
13) Update Zimbra permissions
/opt/zimbra/libexec/zmfixperms
14) Restart zimbra (as zimbra user)
zmcontrol start
Hopefully everything comes back online and works with the new certificates. It worked for me, but I'm sure many of you have way more complex configurations than I do. I'll try to keep an eye on this thread and post updates to this as people comment. Hope this was helpful; this took about 20 hours of my life to figure out :-)
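As an added example that is not part of the original post, the following POSIX shell script checks that the files produced in steps 10 to 12 are consistent before services are restarted: the four .crt/.pem copies are byte-identical, the four .key copies are byte-identical, the key really belongs to the certificate, the certificate verifies against ca.pem, and (only when keytool and the keystore are present) the tomcat entry in the keystore chains to the same CA. It assumes the openssl command-line tool, the file paths given in the post, and a keystore password of zimbra unless another is passed as the second argument; make_demo_tree builds a constructed throwaway CA and server certificate so the checks can be tried outside a real Zimbra install.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the
# certificate files the post has you copy around. Assumes the openssl CLI is
# installed; the keystore check is skipped when keytool or the keystore is
# absent. Paths are the Zimbra locations from the post, rooted at $1 so that
# a constructed demo tree can be checked instead of the live /opt/zimbra.

# Succeed only if every file given is byte-identical to the first one.
same_contents() {
  first=$1; shift
  for f in "$@"; do
    cmp -s "$first" "$f" || return 1
  done
}

# Succeed only if the private key ($2) belongs to the certificate ($1),
# i.e. both carry the same public key in PEM form.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate ($1) verifies against the CA file ($2).
cert_signed_by_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The tomcat entry in the Java keystore ($1, store password $2, assumed to be
# "zimbra" by the caller) must chain to ca.pem ($3). Skipped when keytool or
# the keystore file is missing, so the demo tree below still passes.
keystore_cert_signed_by_ca() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping keystore check"; return 0; }
  [ -f "$1" ] || { echo "no keystore at $1, skipping keystore check"; return 0; }
  keytool -exportcert -rfc -alias tomcat -keystore "$1" -storepass "$2" 2>/dev/null \
    | openssl verify -CAfile "$3" >/dev/null 2>&1
}

# Run every check against a Zimbra tree rooted at $1 (default /opt/zimbra).
check_zimbra_certs() {
  root=${1:-/opt/zimbra}
  ca="$root/ssl/ssl/ca/ca.pem"
  crt="$root/ssl/ssl/server/server.crt"
  key="$root/ssl/ssl/server/server.key"
  # The paths contain no spaces, so unquoted expansion splits them into arguments.
  crts="$crt $root/conf/slapd.crt $root/conf/perdition.pem $root/conf/smtpd.crt"
  keys="$key $root/conf/slapd.key $root/conf/perdition.key $root/conf/smtpd.key"
  same_contents $crts || { echo "FAIL: the .crt/.pem copies differ"; return 1; }
  same_contents $keys || { echo "FAIL: the .key copies differ"; return 1; }
  key_matches_cert "$crt" "$key" || { echo "FAIL: server.key does not match server.crt"; return 1; }
  cert_signed_by_ca "$crt" "$ca" || { echo "FAIL: server.crt was not issued by ca.pem"; return 1; }
  keystore_cert_signed_by_ca "$root/tomcat/conf/keystore" "${2:-zimbra}" "$ca" \
    || { echo "FAIL: keystore tomcat entry was not issued by ca.pem"; return 1; }
  echo "OK: certificate files are consistent under $root"
}

# Build a constructed demo tree: a throwaway CA, one server certificate signed
# by it, and copies under each filename the post lists. Demo data only.
make_demo_tree() {
  root=$1
  mkdir -p "$root/conf" "$root/ssl/ssl/ca" "$root/ssl/ssl/server"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
    -keyout "$root/ssl/ssl/ca/ca.key" -out "$root/ssl/ssl/ca/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=mail.example.test \
    -keyout "$root/ssl/ssl/server/server.key" -out "$root/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$root/server.csr" -CA "$root/ssl/ssl/ca/ca.pem" \
    -CAkey "$root/ssl/ssl/ca/ca.key" -CAcreateserial \
    -out "$root/ssl/ssl/server/server.crt" 2>/dev/null
  for f in slapd.crt perdition.pem smtpd.crt; do
    cp "$root/ssl/ssl/server/server.crt" "$root/conf/$f"
  done
  for f in slapd.key perdition.key smtpd.key; do
    cp "$root/ssl/ssl/server/server.key" "$root/conf/$f"
  done
}

# Usage: sh check_certs.sh /opt/zimbra [keystore-password]
if [ -n "${1:-}" ]; then
  check_zimbra_certs "$1" "${2:-zimbra}"
fi
```

Run it after step 12 and before zmfixperms; a FAIL line names the copy that went wrong, which is cheaper to find here than from a service that refuses to start or presents the old certificate after zmcontrol start.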