  #1 (permalink)  
Old 10-28-2009, 01:56 PM
Member
 
Posts: 13
Default Manual certificate / installation for Godaddy 2048 requirement

I let our certificate expire, due to poor planning, and was not able
to use the Certificate Tool to generate a new CSR (I assume because
the cert had expired).

Tried to generate a CSR using the commercial.key as noted
in the wiki but I could not find a way to generate a 2048 bit key.

GoDaddy appears to require a 2048 bit setup hence I decided to try
brute force and do everything the long way. Here were the steps.

0) Make a working directory and work out of it, for example:
mkdir /root/zimbra_cert

1) Generate a key ( has to have a password initially ?? )
openssl genrsa -des3 -out zimbra_password.key 2048

2) remove the password from key file ( use password set in step 1 above )
openssl rsa -in zimbra_password.key -out zimbra.key

3) generate CSR ( make sure CN is correct for application etc)
openssl req -new -key zimbra.key -out zimbra.csr

4) view and verify CSR values, this is optional step.
openssl req -noout -text -in zimbra.csr

5) copy & paste contents of zimbra.csr to godaddy as needed.

6) download domain_certificate.zip from godaddy as needed.

7) unzip the file; there should be 2 files, www.domain.com.crt and gd_bundle.crt

8) make copy of www.domain.com.crt to commercial.crt to make things clean.
cp www.domain.com.crt commercial.crt

10) copy new key to zimbra path, MAY want to backup current key first.
cp zimbra.key /opt/zimbra/ssl/zimbra/commercial/commercial.key

11) verify crt from working dir or fix the paths below.
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt gd_bundle.crt

12) if verify step above is okay, deploy certificate.
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt gd_bundle.crt

13) Cross your fingers and read the results of the deployment.

14) restart zimbra, reboot server etc.

These steps appear to work for us, using Zimbra 5.0.18 NE (expired lic)
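A pre-deploy check for the files produced in steps 1 to 8 above, as an added example that is not part of the original post or of Zimbra's tooling: it confirms the key size, that the key, CSR and issued certificate all carry the same public key, and that the certificate is not about to expire. Function names are hypothetical; the file names in the usage note follow the post.

```shell
#!/bin/sh
# Added example: sanity checks to run before copying the key and deploying.
# Function names are hypothetical; they are not part of zmcertmgr.

# Key size in bits, parsed from the "Private-Key: (N bit" line of openssl's text dump.
key_bits() {
    openssl pkey -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# SHA-256 of the PEM public key inside a key, CSR or certificate.
# $1 = key|csr|crt, $2 = file. Fails rather than hashing empty input.
pubkey_digest() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *) return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | sed 's/.*= *//'
}

# True (exit 0) when certificate $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check, print one line per failure, return non-zero if any failed.
# $1 = key, $2 = CSR, $3 = certificate, $4 = minimum bits, $5 = minimum days left.
preflight() {
    rc=0
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge "$4" ] || { echo "FAIL: key is ${bits:-unreadable} bits, need $4"; rc=1; }
    k=$(pubkey_digest key "$1") || { echo "FAIL: cannot read key $1"; k=; rc=1; }
    for pair in "csr:$2" "crt:$3"; do
        d=$(pubkey_digest "${pair%%:*}" "${pair#*:}") || d=
        [ -n "$k" ] && [ "$d" = "$k" ] || { echo "FAIL: ${pair#*:} does not match the key"; rc=1; }
    done
    valid_for_days "$3" "$5" || { echo "FAIL: $3 expires within $5 days"; rc=1; }
    return $rc
}

# Stand-alone use: five arguments in the order documented for preflight.
if [ "$#" -eq 5 ]; then preflight "$@"; fi
```

Saved under a name of your choice (here `preflight.sh`, an assumption), it would be run from the working directory as `sh preflight.sh zimbra.key zimbra.csr commercial.crt 2048 30`; the same `valid_for_days` check can run from cron against the deployed certificate to catch the next expiry in advance.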
  #2 (permalink)  
Old 12-20-2009, 06:07 PM
Starter Member
 
Posts: 1
Default this works great thanks for the info

Thanks for the info, this works great! I have not found any way of doing this through the GUI. This has worked for me on two servers so far.
  #3 (permalink)  
Old 12-21-2009, 02:23 AM
vbn
Active Member
 
Posts: 42
Default

Ditto for us... not sure if it's only with GoDaddy or other providers also. We also deploy GoDaddy the same way, don't even try the quick GUI way.
  #4 (permalink)  
Old 12-21-2009, 03:32 PM
Member
 
Posts: 13
Default there may be zimbra tools for this now

I believe there is another forum discussion in this regard about the
new Zimbra tools, which will allow you to create larger certs.

Hence, I suggest searching the forums as these steps may be more
difficult. Of course the new tools are probably Z6.0+.

Best wishes,
  #5 (permalink)  
Old 03-11-2010, 09:58 AM
Trained Alumni
 
Posts: 29
Default GoDaddy Multi-Domain Certificate

If anyone needs to install a GoDaddy multi-domain certificate, we did the following when we created the CSR. It seems to be working on our system.

Code:
openssl req -new -key zimbra.key -subj "/C=$YOURCOUNTRY/ST=$YOURSTATE/L=$YOURCITY/O=$YOURORG/OU=Zimbra/CN=$DOMAIN1/CN=$DOMAIN2/CN=$DOMAIN3" -out zimbra.csr
Obviously you should substitute $VARIABLE for a "relevant value", e.g. $DOMAIN1="mydomain.com", $DOMAIN2="zimbra.myotherdomain.org", etc.

I got the idea from the bottom of this blog post.

SSL System Howtos and Tutorials

Hope that helps. We're going to 6 as soon as we can, but apparently not soon enough.
  #6 (permalink)  
Old 04-15-2010, 11:05 AM
Senior Member
 
Posts: 71
Default

Thanks so much markd!!!!