  #1 (permalink)  
Old 07-24-2008, 11:33 PM
Elite Member
 
Posts: 296
Default Installing rapidssl certs: with rootca and chained cert

With the advent of ff3 and its requirement for ssl trusted certs, more and more people are searching for an ssl solution.

We have chosen rapidssl, and i have requested the 30-day trial named freessl cert, and now i'm faced with the fateful form:
Please upload the following files from your CA
Certificate
Root CA
Intermediate CA

i have my own cert, but i dunno where i can get the proper root ca cert and intermediate ca cert; i supposed the right page is this:
SSL Certificate Free SSL Certificates 128 bit

but, then, which ones?

maybe, root ca is this:
FreeSSL Root Certificate (Base-64 encoded X.509) http://www.rapidssl.com/cps/UTN.cer

maybe chained cert is this:
ChainedSSL Root Certificate (Base-64 encoded X.509) http://www.rapidssl.com/cps/rapidssl_01.cer
ChainedSSL Intermediate Root Certificate (Base-64 encoded X.509) http://www.rapidssl.com/cps/chainedssl_02.cer

but i need the exact answer before inserting certs in the fateful form

Rapidssl site declares that their certs do not need an Intermediate CA cert as their certs are single root

can zimbra avoid the intermediate cert?
should i use CLI instead of GUI to install cert without "Intermediate CA cert"?


as usual, any help would be very appreciated

maurizio

Last edited by maumar; 07-24-2008 at 11:53 PM..
Reply With Quote
  #2 (permalink)  
Old 08-03-2008, 12:59 PM
Junior Member
 
Posts: 9
Default

Did you figure this out? I am struggling with the same. CentOS 5; ZCS 5.0 OS. Root CA should be the UTN.cer, but I get an error (invalid certificate). Weird.
Reply With Quote
  #3 (permalink)  
Old 08-03-2008, 01:27 PM
Elite Member
 
Posts: 296
Default rapidssl needs cli, can't be done by gui admin

yes, i was able

you have 3 certs:
1. The private key must exist in the /opt/zimbra/ssl/zimbra/commercial directory and must be named commercial.key with permission set to 640.
there should be only 2 files in this dir:

Code:
ls -la /opt/zimbra/ssl/zimbra/commercial/
totale 16
drwxr----- 2 zimbra zimbra 4096  8 ott 19:21 .
drwxr----- 5 zimbra zimbra 4096 21 ago  2008 ..
-rw-r--r-- 1 root   root   1163  8 ott 15:39 commercial.csr
-rw-r----- 1 root   root   1704  8 ott 15:39 commercial.key

2. The server cert must be named commercial.crt.

3. The root cert UTN.cer:

should be named: commercial_ca.crt

Code:
mv utn.cer commercial_ca.crt

now, you *must* validate your certs:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt

if it is not ok, you cannot go on

for me, they are ok

then:
sudo zmcertmgr deploycrt comm /path/to/commercial.crt /path/to/commercial_ca.crt
zmcontrol stop ; zmcontrol start

done

Last edited by maumar; 10-08-2011 at 10:58 AM..
Reply With Quote
  #4 (permalink)  
Old 08-04-2008, 10:41 AM
Elite Member
 
Posts: 296
Default

i have just completed another process!


Code:
[19:36:20 root@zimbra ~/freessl ]# ls -la
totale 20
drwxr-xr-x  2 root root 4096  4 ago 19:36 .
drwxr-x--- 24 root root 4096  4 ago 19:33 ..
-rw-r--r--  1 root root 1582  4 ago 19:36 commercial_ca.crt
-rw-r--r--  1 root root 1436  4 ago 19:34 commercial.crt
[19:36:22 root@zimbra ~/freessl ]# chmod 777 *
[19:36:26 root@zimbra ~/freessl ]# chmod 740 /opt/zimbra/ssl/zimbra/commercial/commercial.key
[19:37:35 root@zimbra ~/freessl ]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
[19:38:02 root@zimbra ~/freessl ]# su - zimbra
[19:38:57 zimbra@zimbra ~ ]$ sudo zmcertmgr deploycrt comm /root/freessl/commercial.crt /root/freessl/commercial_ca.crt
** Verifying /root/freessl/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/freessl/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/freessl/commercial.crt: OK
** Copying /root/freessl/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /root/freessl/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Reply With Quote
  #5 (permalink)  
Old 05-18-2010, 07:32 AM
Active Member
 
Posts: 26
Default RapidSSL's CA

So, I had this same problem except I wasn't using FreeSSL, so I needed to use the other Root CA.

http://www.rapidssl.com/cps/rapidssl_01.cer

Unfortunately for me, that particular certificate file doesn't use the right new-lines/line-feeds and zimbra didn't like it, even when following the instructions above.

So, I had to look up the standard formatting, and manually adjust it. Here is what I came up with.

When I used that for commercial_ca.crt (in the instructions above) I was able to load the certificate, even through the GUI.
Reply With Quote
  #6 (permalink)  
Old 06-02-2010, 12:50 PM
Member
 
Posts: 14
Default rapidssl

Just want to say thanks, description given by Maumar and cert by Alaupe work like a charm!!

Thanks guys!

Johnny
Reply With Quote
  #7 (permalink)  
Old 11-15-2010, 11:14 AM
Active Member
 
Posts: 26
Default

I wanted to post that I used the certificate posted above (by me) again today and it still works. $10 ssl certs from cheapssls.com + zimbra = win.

My $0.02.
Reply With Quote
  #8 (permalink)  
Old 01-17-2011, 04:26 PM
New Member
 
Posts: 4
Default

Just a note to let you know that RapidSSL upgraded their infrastructure to 2048 bits in December of 2010. The certificates listed above are no longer valid.

When RapidSSL issues you a certificate, they will send you the intermediate certificate only. They do not send you the root certificate. To make matters even worse, the links in the email they send you take you to the OLD root and intermediate certificates. At the time of this post, the RapidSSL website has yet to be updated. It still has the old, outdated intermediate and root certificates. You cannot find the root CA certificate there unless you happen to catch one of their news posts which link you to a test server which shows you the correct root CA, at this bizarre address: https://ssltest12.bbtest.net/

Ugg!

In case this is not clear from the emails in this post: Zimbra does not play well with a certificate chain. It will not verify the certificates if you have the root and intermediate certificates in separate files. In order to make this work, you must append the intermediate certificate to the root certificate, and save that in a single file.

Here is what you need to have as your commercial_ca.crt file for Zimbra to be happy when provisioning from the command line:

Note that this is the Geotrust root cert combined with the RapidSSL intermediate cert.

Using this, you can complete the steps mentioned in this post above: verification and provisioning. It worked for me, anyway. I hope this is of help to others also.

Last edited by teilo; 01-17-2011 at 04:38 PM..
Reply With Quote
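
Posts #5 and #8 turn on two file-level details: a CA file with non-standard line endings is rejected, and the root and intermediate must sit in one commercial_ca.crt. The script below is an added example, not code from the thread or from Zimbra; it rewrites each input with LF endings and 64-column wrapping, then concatenates root followed by intermediate. The names root.cer and intermediate.cer are hypothetical and the sample bodies are constructed filler, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild commercial_ca.crt from a root
# and an intermediate file whose line endings or wrapping are non-standard.

# normalize_pem FILE: print each certificate block with LF line endings and
# the base64 body re-wrapped at 64 columns; text outside blocks is dropped.
normalize_pem() {
    tr '\r' '\n' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /^-----END CERTIFICATE-----/ && inblk {
            print "-----BEGIN CERTIFICATE-----"
            while (length(body) > 64) {
                print substr(body, 1, 64); body = substr(body, 65)
            }
            if (length(body) > 0) print body
            print "-----END CERTIFICATE-----"
            inblk = 0; next
        }
        inblk { gsub(/[ \t]/, ""); body = body $0 }'
}

# build_ca_bundle ROOT INTERMEDIATE OUT: root first, then the intermediate
# appended, as post #8 describes. Fails unless OUT holds exactly two blocks,
# no carriage returns, and no line longer than 64 characters.
build_ca_bundle() {
    { normalize_pem "$1" && normalize_pem "$2"; } > "$3" || return 1
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----$' "$3")" -eq 2 ] || return 1
    if grep -q "$(printf '\r')" "$3"; then return 1; fi
    awk 'length($0) > 64 { bad = 1 } END { exit bad + 0 }' "$3"
}

# make_sample FILE: constructed input, NOT a real certificate: a fake base64
# body wrapped at 76 columns with CRLF line endings.
make_sample() {
    half=$(awk 'BEGIN { for (i = 0; i < 19; i++) printf "QUJD" }')  # 76 chars
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' "$half" "$half" \
        '-----END CERTIFICATE-----' > "$1"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample "$work/root.cer"            # hypothetical file names
make_sample "$work/intermediate.cer"
if build_ca_bundle "$work/root.cer" "$work/intermediate.cer" "$work/commercial_ca.crt"
then echo "bundle ok: $(wc -l < "$work/commercial_ca.crt") lines"
else echo "bundle rejected" >&2
fi
```

The resulting file still has to pass the thread's `zmcertmgr verifycrt comm` step before `deploycrt`; this script only fixes the file layout and does not validate the certificates themselves.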
  #9 (permalink)  
Old 04-12-2011, 01:20 AM
Elite Member
 
Posts: 275
Default

teilo you are a lifesaver!
Had to renew our RapidSSL cert today and the procedure I used last year was no longer working.
The Geotrust root combined with the RapidSSL intermediate above worked perfectly
__________________
My Zimbra Bugs Wishlist: 16411, 24567, 35676, 36430, 37770, 41872, 43733, 44384, 46383, 47759
And a way to associate mailto: handlers with a Zimbra Prism webapp
Reply With Quote
  #10 (permalink)  
Old 04-18-2011, 03:04 AM
Elite Member
 
Posts: 296
Default

i am trying to renew a cert expired yesterday with no success, this is the link
[SOLVED] export certificate to zimbra
Reply With Quote