#1 (permalink)
06-19-2009, 12:49 PM
New Member
Posts: 4
[SOLVED] SSL with a 2048 bit Cert

[Solution below]

I use StartCom for my certs. This year they require 2048 bit or higher key on the CSR.

It seems that my current version of Zimbra, 5.0.10_GA open source edition, always generates CSR's as a 1024 bit key.

Is there a way I can change this?

Do newer versions support this?

Do I have to use the CLI, and if so, can you point me to the right instructions for this version?

Thank you for your time.

--Solution--
5.0.10_GA is hard coded to use 1024, future versions 6.0.0_RC1 and up should support greater than 1024bit keys. See Bug 36313 – Option to specify key length for SSL certificate

As a workaround, I edited the following file:
opt/zimbra/bin/zmcertmgr

I replaced 1024 with 2048 anywhere in the file.
I then regenerated the CSR with the management utility and all was good.

Thanks to brian for info on the new version support, and to Rich Graves for info on JCE (see post below about JCE if you still have issue)

Last edited by mugendai; 06-24-2009 at 01:24 PM. Reason: Solution posted

#2 (permalink)
06-19-2009, 04:42 PM
Outstanding Member
Posts: 708

It's a limitation of the Sun Java distribution.

You need to install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy." No URL provided because it moves; search for it.

This will also upgrade symmetric ciphers from AES128 to AES256.

#3 (permalink)
06-19-2009, 05:40 PM
New Member
Posts: 4

Quote:
Originally Posted by Rich Graves
You need to install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy."
Unfortunately that isn't working out for me.
I got the unlimited strength policy, and replaced the existing policy files with them.
"/opt/zimbra/java/jre/lib/security"

I then restarted zimbra with zmcontrol stop then start

I then attempted to generate a new CSR using the administration site.
I sent the CSR to the CA and again they denied it because it is still 1024.

Is there something more I need to do to get Zimbra to generate a 2048 or higher cert?

Thanks again.

#4 (permalink)
06-22-2009, 12:49 PM
Zimbra Employee
Posts: 604

zmcertmgr currently hardcodes the csr and key generation to 1024 bits. This is fixed for the 6.0.0_RC1 release.

Bug 36313 – Option to specify key length for SSL certificate

#5 (permalink)
06-24-2009, 01:19 PM
New Member
Posts: 4

Quote:
Originally Posted by brian
zmcertmgr currently hardcodes the csr and key generation to 1024 bits. This is fixed for the 6.0.0_RC1 release.

Bug 36313 – Option to specify key length for SSL certificate
That nailed it on the head. Thanks.

I'll edit my OP and set up a solved.

#6 (permalink)
11-27-2009, 11:39 AM
Special Member
Posts: 126

Quote:
Originally Posted by mugendai
As a workaround, I edited the following file:
opt/zimbra/bin/zmcertmgr

I replaced 1024 with 2048 anywhere in the file.
I then regenerated the CSR with the management utility and all was good.
Confirmed. Workaround is successful with GoDaddy certs and Zimbra v5.0.20.
Reply With Quote
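
A pre-submission check for the problem discussed in this thread, as an added example that is not part of the original posts: it reads the key size from a CSR with `openssl req` and rejects anything below the CA's minimum, so a 1024-bit request is caught before it is sent. The function names, the file names and the `mail.example.test` subject are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify a CSR's key size before sending it to the CA.

# Print the public-key size in bits of a PEM CSR; return 2 if it cannot be parsed.
csr_key_bits() {
    local csr=$1 bits
    # OpenSSL 1.x prints "RSA Public-Key: (2048 bit)", 3.x prints "Public-Key: (2048 bit)".
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] || return 2
    printf '%s\n' "$bits"
}

# Return 0 if the CSR meets the minimum (default 2048 bits),
# 1 if the key is too small, 2 if the file is not a readable CSR.
csr_meets_minimum() {
    local csr=$1 min=${2:-2048} bits
    bits=$(csr_key_bits "$csr") || { echo "cannot parse CSR: $csr" >&2; return 2; }
    if [ "$bits" -lt "$min" ]; then
        echo "REJECT $csr: $bits-bit key, minimum is $min" >&2
        return 1
    fi
    echo "OK $csr: $bits-bit key"
}

# Generate a throwaway key and CSR of the given size in the given directory.
# Constructed sample input for trying the check; not a real server key.
make_sample_csr() {
    local bits=$1 dir=$2
    openssl req -new -newkey "rsa:$bits" -nodes -subj "/CN=mail.example.test" \
        -keyout "$dir/sample-$bits.key" -out "$dir/sample-$bits.csr" 2>/dev/null
}

# Typical use after regenerating the CSR (path is a placeholder):
#   csr_meets_minimum /path/to/your.csr 2048
```

The check reports the size of whatever public key the CSR carries, so run it against the file you are about to submit, not against an older request left on disk.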