Difference between revisions of "CentOS 7.x Install yearly or longer duration purchased SSL certificate in Zimbra"
Latest revision as of 15:58, 28 August 2022
To install a yearly or longer-duration SSL certificate purchased from an SSL certificate provider in Zimbra, use the following steps:
- Log in to the admin console.
- Use the certificate wizard link on the homepage/dashboard, or look for the certificate option under Configure.
- Generate a CSR to send to the certificate authority for signing. Note that if you already have a private key and certificate, you should replace /opt/zimbra/ssl/zimbra/commercial/commercial.key with your existing private key. Also, if you are not planning to get the certificate signed by a recognized authority but want to use a self-signed certificate, run the following commands as the root user:
  - /opt/zimbra/bin/zmcertmgr createca -new
  - /opt/zimbra/bin/zmcertmgr createcrt -new -days 1825
  - /opt/zimbra/bin/zmcertmgr deploycrt self
  - /opt/zimbra/bin/zmcertmgr deployca
  - /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  - su -c "zmcontrol restart" - zimbra
- Refer to "Getting certificates signed by recognized CA" or "Using namecheap wildcard SSL certificates for HTTPS" for purchasing a certificate and getting it signed by a recognized CA.
- After the CSR is signed by a certificate authority, download both the root CA and intermediate CA certificates and combine them into a single file using:
  - cat /tmp/root-ca.crt /tmp/intermediate-ca.crt > /tmp/combined.crt
- This requires the .crt or .pem files to be in PEM format, that is, delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Refer to Openssl for the different types of certificates and for converting from one form to another.
- After this, verify that the certificate is proper using:
  - /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/signed_server_certificate.crt /tmp/combined.crt
- If verification succeeds, install the certificate and CA chain using:
  - /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/signed_server_certificate.crt /tmp/combined.crt
- Note that installation does not require the path to the private key.
- Look at the deployed certificate:
  - /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- Restart Zimbra for the changes to take effect:
  - su -c "zmcontrol restart" - zimbra
Note that trying to install the certificate via the GUI installation wizard failed, while the same server certificate, root certificate, intermediate, etc. worked from the command line. Hence use the command line for installing the Zimbra SSL certificate.
Example terminal I/O of certificate installation:
    #Need to run certificate command as root user
    [root@mail ~]# su - zimbra
    [zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
    /opt/zimbra/bin/zmcertmgr must be run as user root
    [zimbra@mail ~]$ exit
    logout

    #Need to combine intermediate and root CA using cat
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
    ** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: /tmp/web.crt: C = IN, ST = Telangana, L = Hyderabad, O = Example, CN = *.example.com
    error 20 at 0 depth lookup:unable to get local issuer certificate
    [root@mail ~]# cat /tmp/*.{pem,crt}
    DigiCert_Global_Root_CA.pem inter.crt web.crt
    [root@mail ~]# cat /tmp/DigiCert_Global_Root_CA.pem /tmp/inter.crt > /tmp/combined.crt
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
    ** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /tmp/web.crt: OK

    ##Wrong set of arguments in next command
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    unable to load certificate
    139915522893480:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
    XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
    XXXXX ERROR: provided cert isn't valid.

    #Correct command
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/web.crt /tmp/combined.crt
    ** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /tmp/web.crt: OK
    ** Copying /tmp/web.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /tmp/combined.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    ::service mta::
    ...redacted...
    ::service proxy::
    ...redacted...
    ::service mailboxd::
    ...redacted...
    ::service ldap::
    ...redacted...

    [root@mail ~]# su - zimbra
    [zimbra@mail ~]$ zmcontrol restart
    Host example.com
    Stopping vmware-ha...skipped.
    /opt/zimbra/bin/zmhactl missing or not executable.
    Stopping zmconfigd...Done.
    ...redacted...
    Stopping ldap...Done.
    Host example.com
    Starting ldap...Done.
    ...redacted...
    Starting zimlet webapp...Done.
    [zimbra@mail ~]$
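The "error 20 ... unable to get local issuer certificate" failure in the session above comes from supplying only the root CA; the same conditions that zmcertmgr verifycrt reports can be checked beforehand with plain openssl. The script below is an added example, not part of the original page or of Zimbra's tooling: it builds a constructed root, intermediate and server certificate in a temporary directory, and the function names and the DEMO variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: checks to run before "zmcertmgr verifycrt comm". All names are hypothetical.

# True when the file holds at least one PEM certificate block.
is_pem_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# True when the certificate's public key is the one derived from the private key.
key_matches_cert() {  # key_matches_cert KEY CERT
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when CERT verifies against the CA certificates in BUNDLE.
chain_verifies() {    # chain_verifies BUNDLE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all three checks; prints the first failure and returns a distinct code for each.
preflight() {         # preflight KEY CERT BUNDLE
    is_pem_cert "$2" && is_pem_cert "$3" || { echo "not PEM: convert first"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match"; return 2; }
    chain_verifies "$3" "$2" || { echo "chain incomplete: bundle lacks an issuer"; return 3; }
    echo "ok"
}

# Demo on a constructed root -> intermediate -> server chain (sample data only).
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
( cd "$DEMO" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root inter web; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
          -subj "/O=Example/CN=constructed-$n" -out "$n.csr"
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.crt
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out inter.crt
  openssl x509 -req -in web.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 2 -out web.crt
  cat root.crt inter.crt > combined.crt ) 2>/dev/null
echo "root only: $(preflight "$DEMO/web.key" "$DEMO/web.crt" "$DEMO/root.crt")"
echo "combined:  $(preflight "$DEMO/web.key" "$DEMO/web.crt" "$DEMO/combined.crt")"
```

On a real server the three arguments to preflight would be the commercial.key, signed server certificate and combined.crt paths used in the steps above.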
Refer:
- https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools
- https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration