#1
09-16-2008, 06:29 PM
[SOLVED] Can't install SSL123 certificate

This is driving me mad... I bought an SSL123 certificate from Thawte, and I ordered it as an Apache/SSL certificate. So it was the wrong format, so I made another CSR and asked for a reissue of the certificate as "Tomcat". I got a nice PEM-based certificate, so I tried to install it, and I got this error:

[root@inmail commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt ThawteServerCA_b64.txt
** Verifying commercial.crt against commercial.key
unable to load certificate
18895:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (commercial.crt) and private key (commercial.key) pair.

But I did use the new CSR and, looking at the directory, a new key was created at the same time as the CSR:

[root@inmail /opt/zimbra/ssl/zimbra/commercial]# ls -l
total 16
-rw-r--r-- 1 root root 2462 Sep 16 18:34 commercial.crt
-rw-r--r-- 1 root root 696 Sep 15 17:20 commercial.csr
-rw-r--r-- 1 root root 887 Sep 15 17:20 commercial.key
-rwxr-xr-x 1 root root 1146 Dec 6 2006 ThawteServerCA_b64.txt

So I don't know why I get an error saying that the key and the certificate don't match :-)

BTW, I also found a key in :

/opt/zimbra/ssl/zimbra.20080915172008/commercial/commercial.key

and it's different than the one in /opt/zimbra/ssl/zimbra/commercial. This is the old key from my first CSR?
__________________
ZCS 6.05 on CentOS 5.3 (VMWare ESX 4)

#2
09-16-2008, 07:01 PM

Ok, so I converted the certificate by doing this :

Thawte certificate with own private key - SarWiki

"We have now to extract the PKCS7 for the further use with openssl. You can either use an editor to snap out the lines from -----BEGIN PKCS #7 SIGNED DATA----- to -----END PKCS #7 SIGNED DATA----- and replace the first and last line by -----BEGIN PKCS7----- and -----END PKCS7----- or use perl for this task:"

and after, I ran :

openssl pkcs7 -print_certs -in /opt/zimbra/certs/commercial.crt -outform DER -out /opt/zimbra/ssl/zimbra/commercial/commercial.crt

Now, I can verify the certificate :

[root@inmail commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/ThawteServerCA_b64.txt
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

but when I try to deploy it :

[root@inmail commercial]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/ThawteServerCA_b64.txt
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
unable to load certificate
26397:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.

So validation is ok, but installation is not :-/
__________________
ZCS 6.05 on CentOS 5.3 (VMWare ESX 4)

#3
09-16-2008, 07:08 PM

Ah ok, I didn't have to specify the key when calling deploycrt. I now have a nice commercial SSL certificate on my server :-)
__________________
ZCS 6.05 on CentOS 5.3 (VMWare ESX 4)
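
Both failures in this thread ("no start line ... Expecting: TRUSTED CERTIFICATE") come from a file that is not a PEM certificate sitting where one is expected: first a PKCS#7 bundle, then the private key. The script below is an added example, not part of the original posts and not Zimbra code; it inspects the PEM labels and compares public keys before any deployment step. The function names are hypothetical, and it assumes an `openssl` binary recent enough to provide the `pkey` subcommand.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run on the key and
# certificate files before handing them to a deployment tool.

# Label of the first PEM block in a file, or "none" (e.g. a DER file).
pem_label() {
    label=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1)
    echo "${label:-none}"
}

# What the file contains, judged by that label.
pem_kind() {
    case "$(pem_label "$1")" in
        CERTIFICATE|"TRUSTED CERTIFICATE"|"X509 CERTIFICATE") echo cert ;;
        PKCS7|"PKCS #7 SIGNED DATA") echo pkcs7 ;;
        *"PRIVATE KEY") echo key ;;
        *"CERTIFICATE REQUEST") echo csr ;;
        *) echo unknown ;;
    esac
}

# Rewrite "PKCS #7 SIGNED DATA" delimiters to "PKCS7" (the step quoted in post #2).
relabel_pkcs7() {
    sed -e 's/^-----BEGIN PKCS #7 SIGNED DATA-----/-----BEGIN PKCS7-----/' \
        -e 's/^-----END PKCS #7 SIGNED DATA-----/-----END PKCS7-----/' "$1"
}

# Succeed only if certificate ($1) and private key ($2) hold the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# preflight KEY CRT: catch swapped or wrongly formatted files first.
preflight() {
    [ "$(pem_kind "$1")" = key ] || { echo "not a private key: $1 ($(pem_label "$1"))"; return 2; }
    case "$(pem_kind "$2")" in
        cert) ;;
        pkcs7) echo "PKCS#7 bundle: run openssl pkcs7 -print_certs -in $2 -out $2.pem"; return 3 ;;
        *) echo "not a certificate: $2 ($(pem_label "$2"))"; return 4 ;;
    esac
    cert_matches_key "$2" "$1" || { echo "certificate and key do not match"; return 5; }
    echo "ok"
}
```

Return code 3 corresponds to the situation in post #1 (a PKCS#7 file in the certificate slot) and 4 to the one in post #2 (the key passed where the certificate belongs).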