Concatenate the root and intermediaries files?

[webaj]

Can someone please explain how to Concatenate the root and intermediaries files found here

How to manually install your commercial certificate in 5.x - Zimbra :: Wiki

[dijichi2]

try
cat file1 file2 >file3

[webaj]

Quote:

Originally Posted by dijichi2

try
cat file1 file2 >file3

I made the file and followed the wiki for command line install. Here is my error

Error loading file cont.crt
15510:error:0906D066:PEM routines:PEM_read_bio:bad end lineem_lib.c:746:
15510:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:b y_file.c:280:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_ check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
XXXXX ERROR: Invalid Certificate:
XXXXX ERROR: provided cert isn't valid.

[quanah]

Quote:

Originally Posted by webaj

I made the file and followed the wiki for command line install. Here is my error

Don't concat the certs. Individual x509 hashes need to be made of each cert in the chain.

--Quanah

[webaj]

Quote:

Originally Posted by quanah

Don't concat the certs. Individual x509 hashes need to be made of each cert in the chain.

--Quanah

How do I make x509 hashes? Why does Zimbra make this so damn hard?

[webaj]

Solved.

I will write directions on how to use Digicert soon.

[quanah]

Quote:

Originally Posted by webaj

Why does Zimbra make this so damn hard?

It isn't "Zimbra" making it hard. It's the way the SSL software (OpenSSL specifically) works.

And sorry, I misread what you were doing. You do have to initically concat them for zmcertmgr to split them apart and generate the hashes.

--Quanah

[webaj]

Quote:

Originally Posted by quanah

It isn't "Zimbra" making it hard. It's the way the SSL software (OpenSSL specifically) works.
--Quanah

I have to disagree with that. SSL setup on many other systems is much easier. Probably due to good documentation.

I accomplished the task with 4 commands. Only 1 is in the wiki and the 3 others are spread thought the forums and required modification.

I will make a how to in case other people are using Digicert.

[bdial]

webaj did you post your digicert instructions anywhere yet?

I have a *.domain.com wildcart cert as well, currently working for my webserver at www.domain.com. I copied the domain.com.crt , domain.com.key and DigiCert.crt file to the zimbra server to /opt/zimbra/ssl/zimbra/commercial/

I ran
./zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/domain.com.crt /opt/zimbra/ssl/zimbra/commercial/DigiCertCA.crt

but it complained about there being no commercial.key so i renamed my domain.com.key file to commercial.key and reran the command but now I get

** Verifying /opt/zimbra/ssl/zimbra/commercial/domain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/domain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /opt/zimbra/ssl/zimbra/commercial/domain.com.crt: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
error 2 at 1 depth lookup:unable to get issuer certificate
XXXXX ERROR: provided cert isn't valid.

I agree a bit with the complicated part. I consider myself pretty brave but a lot of the wiki's involve doing things I'm afraid I'd be unable to undo if something went wrong.

[bdial]

ah, duh. i forgot to append the root cert to the bottom of digicert,crt