Thread: [SOLVED] Can't install SSL123 certificate

  1. #1
    MacTI

    This is driving me mad... I bought an SSL123 certificate from Thawte, and I ordered it as an Apache/SSL certificate. So it was the wrong format, so I have made another CSR and asked for a reissue of the certificate as "Tomcat". I got a nice PEM-based certificate, so I tried to install it, and I got this error:

    [root@inmail commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt ThawteServerCA_b64.txt
    ** Verifying commercial.crt against commercial.key
    unable to load certificate
    18895:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
    XXXXX ERROR: Unmatching certificate (commercial.crt) and private key (commercial.key) pair.

    But I did use the new CSR, and looking at the directory, a new key was created at the same time as the CSR:

    [root@inmail /opt/zimbra/ssl/zimbra/commercial]# ls -l
    total 16
    -rw-r--r-- 1 root root 2462 Sep 16 18:34 commercial.crt
    -rw-r--r-- 1 root root 696 Sep 15 17:20 commercial.csr
    -rw-r--r-- 1 root root 887 Sep 15 17:20 commercial.key
    -rwxr-xr-x 1 root root 1146 Dec 6 2006 ThawteServerCA_b64.txt

    So I don't know why I get an error saying that the key and the certificate don't match :-)

    BTW, I also found a key in :

    /opt/zimbra/ssl/zimbra.20080915172008/commercial/commercial.key

    and it's different than the one in /opt/zimbra/ssl/zimbra/commercial. Is this the old key from my first CSR?
    ZCS 6.05 on CentOS 5.3 (VMWare ESX 4)

  2. #2
    MacTI

    Ok, so I converted the certificate by doing this :

    Thawte certificate with own private key - SarWiki

    "We have now to extract the PKCS7 for the further use with openssl. You can either use an editor to snap out the lines from -----BEGIN PKCS #7 SIGNED DATA----- to -----END PKCS #7 SIGNED DATA----- and replace the first and last line by -----BEGIN PKCS7----- and -----END PKCS7----- or use perl for this task:"

    and after, I ran :

    openssl pkcs7 -print_certs -in /opt/zimbra/certs/commercial.crt -outform DER -out /opt/zimbra/ssl/zimbra/commercial/commercial.crt

    Now, I can verify the certificate :

    [root@inmail commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/ThawteServerCA_b64.txt
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

    but when I try to deploy it :

    [root@inmail commercial]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/ThawteServerCA_b64.txt
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    unable to load certificate
    26397:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
    XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
    XXXXX ERROR: provided cert isn't valid.

    So validation is ok, but installation is not :-/
    ZCS 6.05 on CentOS 5.3 (VMWare ESX 4)

  3. #3
    MacTI

    Ah ok, I didn't have to specify the key when calling deploycrt. I now have a nice commercial SSL certificate on my server :-)
    ZCS 6.05 on CentOS 5.3 (VMWare ESX 4)
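
Added example, not part of the original thread: a shell sketch of two checks that separate the failures seen above. It identifies what a CA-delivered file actually is from its PEM header (X.509 certificate versus PKCS #7 bundle) and independently confirms that a certificate carries the public key of a given private key. The function names are hypothetical, and `openssl pkey` assumes OpenSSL 1.0.0 or later.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a CA-issued certificate file.

# Print the label of the first PEM "-----BEGIN ...-----" line in a file,
# or "none" when the file has no PEM armor (e.g. DER or an empty file).
pem_label() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1)
    printf '%s\n' "${label:-none}"
}

# Map the label to the kind of object the file holds.
classify_pem() {
    case "$(pem_label "$1")" in
        "CERTIFICATE"|"TRUSTED CERTIFICATE"|"X509 CERTIFICATE")
            echo "x509" ;;     # loadable by "openssl x509" as-is
        "PKCS7"|"PKCS #7 SIGNED DATA")
            echo "pkcs7" ;;    # bundle: extract with "openssl pkcs7 -print_certs"
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST")
            echo "csr" ;;      # the request, not the issued certificate
        *"PRIVATE KEY")
            echo "key" ;;
        *)
            echo "unknown" ;;
    esac
}

# Succeed only if the certificate's public key equals the public key
# derived from the private key. Returns 2 if either file fails to load.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}
```

A result of `pkcs7` from `classify_pem` means the file must be converted before any key comparison is meaningful; a return code of 2 from `cert_matches_key` means a file could not be parsed, which is a different condition from a genuine key mismatch (return code 1).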
