Doubts about the commercial SSL certificate installation

[clark kent]

Guys, sorry for my bad Inglês, is not my native language

I have today an e-mail server Postfix That runs and use a commercial certificate of Thawte. This certificate is used for connections via Webmail, IMAP and POP. and works very well.

I am migrating this server e-mail to the Zimbra Open Source and 7 am HAVING some doubts about the SSL certificates.

Can I reuse my old certificates Which Were used in the old server? If yes, is there any process I have to take?

If I Can not take my old certificate, then I must generate a new one. When I generate the new certificate in Thawte, I generate the certificate for the domain mail.xxxxxx.com

Here it is my greatest doubts. When I ride my server, the name of my server has to Be Exactly equal to the domain name in the register in Thawte? or Can I use any name for the server? and then generate a certificate in the Thawte for mail.xxxx.com domain?

Thank you for everyone's help.

[kruon]

Quote:

Originally Posted by clark kent

Can I reuse my old certificates Which Were used in the old server? If yes, is there any process I have to take?

You can reuse your old certificate. You need to copy it from the old server and install it to the new server. See zimbra wiki page about installing commercial certificates.

Quote:

Originally Posted by clark kent

If I Can not take my old certificate, then I must generate a new one. When I generate the new certificate in Thawte, I generate the certificate for the domain mail.xxxxxx.com

Here it is my greatest doubts. When I ride my server, the name of my server has to Be Exactly equal to the domain name in the register in Thawte? or Can I use any name for the server? and then generate a certificate in the Thawte for mail.xxxx.com domain?

Thank you for everyone's help.

If you decide to reuse your old certificate, your new servers public hostname must exactly match the one you registered the old certificate with.

If you need to change the public hostname of the server, you need to register new certificate to match the new name.

[clark kent]

Hello,

Thank you for your quick response.

Well, I decided to run some tests, and i tried to generate the CSR file to send to Thawte. i can generate the file perteitamente by WebGUI, I put all the necessary information, but when Thawte will check the file CSR, tells me that the country code is not included. the exact error is:

"The CSR must include the Country Code"

At the time of generation of Certificate I really put the country code.

Someone has gone through this kind of problem?

[kruon]

This sounds like a typo while entering data or a bug in webgui to me.
Country code is two letter country identificator, for example, DE, FR, ES, FI etc.

The CSR generator should ask for the country code.

[clark kent]

I agree with you, in the WebGUI I insert this information as requested. and yet the Thwate returns me this error.

I have three suspects for this,

- The Thwate should not recognize as the CSR format (unlikely)

- The Version 7.0 because it is new, deals of the generation of CSR file in a different way of default (also unlikely)

- The WebGUI tool has some sort of bug, which generates the CSR, he does not read correctly the information.

I will try to generate the same key using the tool zmcertmgr and i will post again.

[kruon]

Quote:

Originally Posted by clark kent

- The Thwate should not recognize as the CSR format (unlikely)

Very unlikely, as they have CSR parser which checks if the file you send them is valid, and gives the error.

Quote:

Originally Posted by clark kent

- The Version 7.0 because it is new, deals of the generation of CSR file in a different way of default (also unlikely)

Was there a CSR creator in 6.x webgui?

Quote:

Originally Posted by clark kent

- The WebGUI tool has some sort of bug, which generates the CSR, he does not read correctly the information.

This is what I'd assume aswell.

Quote:

Originally Posted by clark kent

I will try to generate the same key using the tool zmcertmgr and i will post again.

Using zmcertmgr from command line, you should end up with valid Certificate Signing Request.

[clark kent]

Good news.

I formatted my server and i installed Zimbra Open 6.0. I generated the certificate CSR by WebGUI normally, just as i tryed in Zimbra 7.0 and the Thawte recognized perfectly my certificate

Really believe it's a Bug in WebGUI tool, I will pass this information to the staff of Zimbra to investigate better what may be happening.


Thank you for your help.