[SOLVED] Commercial Certificate - Thawte - ZC5

[orenagiv]

Hey,

I've tried to install a new commercial certificate on ZC5.
I used the Administration wizard to generate the relevant CSR, purchased the cert' through THAWTE and got my commercial certificate.
(I used 'TOMCAT' when required by Thawte to choose the server software).
The received cert' from Thawte is in a PKCS7 format.

When I tried to install the new cert' from the Zimbra Cert' Wizard - I got an error:
"Unmatching certificate and private key pair".

I suppose that the PKCS7 format is NOT the correct format...

Does anyone know what might be the reason for this "mis-match"?
Does anyone know what is the required cert' format (what to choose in THAWTE)?

THx in advance for you help! :-)

[alexkelly]

We use Thawte SPKI for our commercial certs. When I downloaded the cert I chose "Standard Certificate Format".

The other key part is that you have to add the Root and intermediate certs. To do that, you have to download the root certificates to add to the certificate chain. You can download them from Thawte's Root Download page

That will give you a zip file that contains all of their root certificates. You should choose "Thawte Primary Root CA/Thawte_Primary_Root_CA.txt" for the root CA.

Then you will have to choose the intermediate cert that matches your cert. In our case this was "Thawte Server Roots/ThawtePremiumServerCA_b64.txt.

If you don't know what your intermediate cert is, you can save your cert to a file and find out (assuming you have a Linux box w/ openssl installed) by doing:

Code:

openssl x509 -text -noout -in cert.file

and look for the CN in the issuer, then find the appropriate intermediate cert.

[orenagiv]

First - thanks for the quick and thorough response.

Unfortunately, I couldn't install the cert' via the GUI.
I did exactly what you described, but received this:
Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: XXXXX ERROR: failed to create jetty.pkcs12

I first thought it was a permission problem.. then maybe even a BUG.. but couldn't solve it.

So, after gathering piece-by-piece from the net - here are step-by-step instructions - how to install a Thawte commercial certificate on Zimbra 5 (ZC5):

1. Create a CSR (Certificate Request) with the Zimbra Admin GUI.
2. Submit the CSR to the CA (in our case - thawte.com).
3. When you're requested to define the 'web server software' choose: Other.
* By 'other' selected - the certificate will be of type 'x509' and will look like this:
o -----BEGIN CERTIFICATE----
o MIIDbTCCAtagAwIBAgIQQWD6TTjq....
o -----END CERTIFICATE-----
* This format (x509) is what Zimbra expects to get.
4. Once you get the Certificate from the CA, save it to a file at a TEMPORARY directory on the server (do everything as the root user):
* /root/certs/commercial.crt
5. Fill in the details and download the CA Root Certificates from SSL Digital Certificate Technical Support
* Extract the zip-file and copy the following file to the /root/certs on the server:
o thawte-roots\Thawte Primary Root CA\Thawte_Primary_Root_CA_b64.txt
* Rename this file to commercial_ca.crt.
6. Go to /root/certs and do the following:
* Verify your certificate:
o /opt/zimbra/bin/zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt
o If it doesn't go well for some reason - try to find a solution here:
+ Commercial Certificate in 5.x - Zimbra :: Wiki
* Install (deploy) your certificate:
o /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt


Note:

* When I did the deployment I got this:

* ** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK
** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ./commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
* Even though one line appears to 'fail' - it worked.



Hope this will help others too and will save precious time.

Oren.