
Thread: Installing rapidssl certs: with rootca and chained cert

  1. #1
    maumar is offline Elite Member
    Join Date
    Mar 2007
    Location
    Small village in the center of Italy
    Posts
    343
    Rep Power
    8

    Installing rapidssl certs: with rootca and chained cert

    With the advent of ff3 and its requirement for ssl trusted certs, more and more people are searching for an ssl solution.

    We have chosen rapidssl, and I have requested the 30-day trial named freessl cert, and now I'm faced with the fateful form:
    Please upload the following files from your CA
    Certificate
    Root CA
    Intermediate CA

    I have my own cert, but I dunno where I can get the proper root ca cert and intermediate ca cert; I supposed the right page is this:
    SSL Certificate Free SSL Certificates 128 bit

    but, then, which ones?

    maybe, root ca is this:
    FreeSSL Root Certificate (Base-64 encoded X.509) http://www.rapidssl.com/cps/UTN.cer

    maybe chained cert is this:
    ChainedSSL Root Certificate (Base-64 encoded X.509) http://www.rapidssl.com/cps/rapidssl_01.cer
    ChainedSSL Intermediate Root Certificate (Base-64 encoded X.509) http://www.rapidssl.com/cps/chainedssl_02.cer

    but I need the exact answer before inserting the certs in the fateful form

    The Rapidssl site declares that their certs do not need an Intermediate CA cert as their certs are single root

    can zimbra avoid the intermediate cert?
    should I use the CLI instead of the GUI to install the cert without "Intermediate CA cert"?


    as usual, any help would be very appreciated

    maurizio
    Last edited by maumar; 07-24-2008 at 11:53 PM.

  2. #2
    z-user is offline Junior Member
    Join Date
    May 2008
    Posts
    9
    Rep Power
    6

    Did you figure this out? I am struggling with the same. CentOS 5; ZCS 5.0 OS. Root CA should be the UTN.cer, but I get an error (invalid certificate). Weird.

  3. #3
    maumar is offline Elite Member

    rapidssl needs cli, can't be done by gui admin

    yes, I was able

    you have 3 certs:
    1. The private key must exist in the /opt/zimbra/ssl/zimbra/commercial directory and must be named commercial.key with permission set to 640.
    There should be only 2 files in this dir:

    Code:
    ls -la /opt/zimbra/ssl/zimbra/commercial/
    totale 16
    drwxr----- 2 zimbra zimbra 4096  8 ott 19:21 .
    drwxr----- 5 zimbra zimbra 4096 21 ago  2008 ..
    -rw-r--r-- 1 root   root   1163  8 ott 15:39 commercial.csr
    -rw-r----- 1 root   root   1704  8 ott 15:39 commercial.key

    2. The server cert must be named commercial.crt.

    3. The root cert UTN.cer:

    should be named: commercial_ca.crt

    Code:
    mv utn.cer commercial_ca.crt

    now, you *must* validate your certs:

    Code:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt

    if it is not ok, you cannot go on

    for me, they are ok

    then:
    sudo zmcertmgr deploycrt comm /path/to/commercial.crt /path/to/commercial_ca.crt
    zmcontrol stop ; zmcontrol start

    done
    Last edited by maumar; 10-08-2011 at 10:58 AM.

  4. #4
    maumar is offline Elite Member

    I have just completed another process!


    Code:
    [19:36:20 root@zimbra ~/freessl ]# ls -la
    totale 20
    drwxr-xr-x  2 root root 4096  4 ago 19:36 .
    drwxr-x--- 24 root root 4096  4 ago 19:33 ..
    -rw-r--r--  1 root root 1582  4 ago 19:36 commercial_ca.crt
    -rw-r--r--  1 root root 1436  4 ago 19:34 commercial.crt
    [19:36:22 root@zimbra ~/freessl ]# chmod 777 *
    [19:36:26 root@zimbra ~/freessl ]# chmod 740 /opt/zimbra/ssl/zimbra/commercial/commercial.key
    [19:37:35 root@zimbra ~/freessl ]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    [19:38:02 root@zimbra ~/freessl ]# su - zimbra
    [19:38:57 zimbra@zimbra ~ ]$ sudo zmcertmgr deploycrt comm /root/freessl/commercial.crt /root/freessl/commercial_ca.crt
    ** Verifying /root/freessl/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/freessl/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /root/freessl/commercial.crt: OK
    ** Copying /root/freessl/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /root/freessl/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.

  5. #5
    alauppe is offline Active Member
    Join Date
    Jan 2009
    Posts
    27
    Rep Power
    6

    RapidSSL's CA

    So, I had this same problem except I wasn't using FreeSSL, so I needed to use the other Root CA.

    http://www.rapidssl.com/cps/rapidssl_01.cer

    Unfortunately for me, that particular certificate file doesn't use the right new-lines/line-feeds and zimbra didn't like it, even when following the instructions above.

    So, I had to look up the standard formatting, and manually adjust it. Here is what I came up with.

    When I used that for commercial_ca.crt (in the instructions above) I was able to load the certificate, even through the GUI.

  6. #6
    jdeproost is offline Member
    Join Date
    May 2009
    Location
    Belgium
    Posts
    14
    Rep Power
    5

    rapidssl

    Just want to say thanks, the description given by Maumar and the cert by Alauppe work like a charm!!

    Thanks guys!

    Johnny

  7. #7
    alauppe is offline Active Member

    I wanted to post that I used the certificate posted above (by me) again today and it still works. $10 ssl certs from cheapssls.com + zimbra = win.

    My $0.02.

  8. #8
    teilo is offline New Member
    Join Date
    Sep 2007
    Posts
    4
    Rep Power
    7

    Just a note to let you know that RapidSSL upgraded their infrastructure to 2048 bits in December of 2010. The certificates listed above are no longer valid.

    When RapidSSL issues you a certificate, they will send you the intermediate certificate only. They do not send you the root certificate. To make matters even worse, the links in the email they send you take you to the OLD root and intermediate certificates. At the time of this post, the RapidSSL website has yet to be updated. It still has the old, outdated intermediate and root certificates. You cannot find the root CA certificate there unless you happen to catch one of their news posts which link you to a test server which shows you the correct root CA, at this bizarre address: https://ssltest12.bbtest.net/

    Ugg!

    In case this is not clear from the emails in this post: Zimbra does not play well with a certificate chain. It will not verify the certificates if you have the root and intermediate certificates in separate files. In order to make this work, you must append the intermediate certificate to the root certificate, and save that in a single file.

    Here is what you need to have as your commercial_ca.crt file for Zimbra to be happy when provisioning from the command line:

    Note that this is the Geotrust root cert combined with the RapidSSL intermediate cert.

    Using this, you can complete the steps mentioned in this post above: verification and provisioning. It worked for me, anyway. I hope this is of help to others also.
    Last edited by teilo; 01-17-2011 at 05:38 PM.
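
Added example, not part of any post in this thread: a POSIX shell sketch of the two file fixes described in posts #5 and #8, namely repairing the line endings of a downloaded PEM certificate and writing root plus intermediate into one commercial_ca.crt. The function names and the 64-column re-wrap are assumptions of this example; it only rewrites the text layout and does not validate the certificates themselves.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# normalize_pem FILE
# Print FILE with CR, CRLF or LF line endings converted to LF, blank lines and
# stray spaces dropped, and each base64 body re-wrapped at 64 columns.
normalize_pem() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    tr '\r' '\n' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----/ {
            inside = 1; body = ""
            print "-----BEGIN CERTIFICATE-----"; next
        }
        inside && /^-----END CERTIFICATE-----/ {
            while (length(body) > 64) {
                print substr(body, 1, 64); body = substr(body, 65)
            }
            if (length(body) > 0) print body
            print "-----END CERTIFICATE-----"; inside = 0; next
        }
        inside { gsub(/[ \t]/, ""); body = body $0 }'
}

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# build_ca_bundle ROOT INTERMEDIATE OUT
# Write the root followed by the intermediate into OUT, the single-file layout
# post #8 describes for commercial_ca.crt. Fails unless each input holds
# exactly one certificate, so a wrong or empty download is caught early.
build_ca_bundle() {
    tmp_out="$3.tmp.$$"
    : > "$tmp_out"
    for f in "$1" "$2"; do
        normalize_pem "$f" > "$tmp_out.one" || { rm -f "$tmp_out" "$tmp_out.one"; return 1; }
        if [ "$(count_certs "$tmp_out.one")" -ne 1 ]; then
            echo "$f: expected exactly one certificate" >&2
            rm -f "$tmp_out" "$tmp_out.one"; return 1
        fi
        cat "$tmp_out.one" >> "$tmp_out"
    done
    rm -f "$tmp_out.one"
    mv "$tmp_out" "$3"
}
```

The resulting file is what the thread's `zmcertmgr verifycrt comm` step takes as its last argument; run that check before `deploycrt`.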

  9. #9
    batfastad is offline Elite Member
    Join Date
    Aug 2007
    Location
    London, UK
    Posts
    296
    Rep Power
    7

    teilo you are a lifesaver!
    Had to renew our RapidSSL cert today and the procedure I used last year was no longer working.
    The Geotrust root combined with the RapidSSL intermediate above worked perfectly.
    My Zimbra Bugs Wishlist: 16411, 24567, 35676, 36430, 37770, 41872, 43733, 44384, 46383, 47759
    And a way to associate mailto: handlers with a Zimbra Prism webapp

  10. #10
    maumar is offline Elite Member

    I am trying to renew a cert that expired yesterday, with no success; this is the link
    [SOLVED] export certificate to zimbra
