SSL Certificate install error?!

#1
06-21-2010, 11:29 AM
Active Member
Posts: 48

Hi together,

I'm trying my luck with installing a commercial certificate into zimbra.
Unfortunately, it keeps saying the following:

java.io.IOException: Duplicate extensions not allowed

Steps were:
- Create CSR via web interface (commonName = Hostname, Wildcards checked, some alternative Domains with "*.")
- Created certificate from CSR
- Copied .crt and .crt of the CA to zimbra-server
- Checked match of CSR, Private Key, CA and CRT via:
zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./zimbra.zeteko.net.crt ./ZeTeKo_CA.crt
** Verifying ./zimbra.zeteko.net.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./zimbra.zeteko.net.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./zimbra.zeteko.net.crt: OK

- Import via zmcertmgr deploycrt comm ./zimbra.zeteko.net.crt ./ZeTeKo_CA.crt

Here's the error then (sorry for the mass of text):

** Verifying ./zimbra.zeteko.net.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./zimbra.zeteko.net.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./zimbra.zeteko.net.crt: OK
** Copying ./zimbra.zeteko.net.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ./ZeTeKo_CA.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...failed.

Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:154)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1729)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:179)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:90)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.loadSafeContents(PKCS12KeyStore.java:1391)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1287)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:96)
Caused by: java.io.IOException: Duplicate extensions not allowed
at sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:96)
at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:70)
at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:60)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:723)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:152)
... 8 more

** Installing CA to /opt/zimbra/conf/ca...done.

After that, Zimbra's services are dead!
The only way to recover was to install the self-signed cert via the command line.
Any ideas about the java.io.IOException: Duplicate extensions not allowed ?

Thanks!

#2
06-22-2010, 10:55 PM
Active Member
Posts: 48

Did no one ever see the

Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed

error? No clues? Or is nobody using custom SSL? ;-)
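
Added example, not part of the original thread and not Zimbra code: the exception in the trace above is what Java's X.509 parser raises when a certificate carries the same extension OID more than once (RFC 5280 permits each extension at most once), so this standard-library Python check lists repeated extension OIDs before a certificate is handed to zmcertmgr deploycrt. All function names and the SAMPLE bytes are constructed for illustration.

```python
import base64
import re
from collections import Counter

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):  # yields (tag, value_start, value_end) per element
    while start < end:
        tag, value_start, start = read_tlv(buf, start)
        yield tag, value_start, start

def decode_oid(body):  # OID content bytes -> dotted-decimal text
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear: last byte of this arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(der):
    """List extension OIDs in certificate order (empty list if none)."""
    _, cs, ce = read_tlv(der, 0)                 # Certificate
    _, ts, te = next(children(der, cs, ce))      # TBSCertificate
    for tag, vs, _ in children(der, ts, te):
        if tag == 0xA3:                          # [3] EXPLICIT Extensions
            _, es, ee = read_tlv(der, vs)        # SEQUENCE OF Extension
            firsts = (next(children(der, xs, xe)) for _, xs, xe in children(der, es, ee))
            return [decode_oid(der[s:e]) for _, s, e in firsts]  # extnID comes first
    return []

def duplicate_extensions(der):  # OIDs present more than once, which Java rejects
    return sorted(oid for oid, n in Counter(extension_oids(der)).items() if n > 1)

def pem_certs(text):  # every PEM CERTIFICATE block (server cert plus CA chain) as DER
    pem = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    return [base64.b64decode(body) for body in re.findall(pem, text, re.S)]

# Constructed DER skeleton, not a real certificate: subjectAltName, keyUsage, subjectAltName.
SAMPLE = bytes.fromhex("30293027a3253023" "30090603551d1104023000"
                       "300b0603551d0f0404030205a0" "30090603551d1104023000")
```

Feed the text of both the server certificate and the CA certificate through pem_certs and duplicate_extensions, because the keystore import parses every certificate in the chain. Here duplicate_extensions(SAMPLE) reports 2.5.29.17 (subjectAltName).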