CentOS 7.x Install yearly or longer duration purchased SSL certificate in Zimbra

From Notes_Wiki
Revision as of 03:15, 14 February 2019 by Saurabh


To install a yearly or longer-duration SSL certificate purchased from an SSL certificate provider in Zimbra, use the following steps:

  1. Log in to the admin console
  2. Use the certificate wizard link on the homepage/dashboard, or look for the certificate option under Configure
  3. Generate a CSR to send to the certificate authority for signing. Note that if you already have a private key and certificate, replace /opt/zimbra/ssl/zimbra/commercial/commercial.key with your existing private key. If you do not plan to have the certificate signed by a recognized authority and want to use a self-signed certificate instead, run the following commands as the root user:
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr createcrt -new -days 1825
    /opt/zimbra/bin/zmcertmgr deploycrt self
    /opt/zimbra/bin/zmcertmgr deployca
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    su -c "zmcontrol restart" - zimbra
    For a self-signed certificate one can also use Openssl or Easy-rsa
  4. Refer to Getting certificates signed by recognized CA or Using namecheap wildcard SSL certificates for HTTPS for purchasing a certificate and getting it signed by a recognized CA
  5. After the CSR is signed by the certificate authority, download both the root CA and the intermediate CA certificates and combine them into a single file using:
    cat /tmp/root-ca.crt /tmp/intermediate-ca.crt > /tmp/combined.crt
    This requires the .crt or .pem files to be in PEM form, i.e. with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. Refer to Openssl for the different certificate encodings and for converting from one form to another
  6. Then verify that the certificate is proper using:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/signed_server_certificate.crt /tmp/combined.crt
  7. If verification succeeds, install the certificate and CA chain using:
    /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/signed_server_certificate.crt /tmp/combined.crt
    Note that deploying does not require the path to the private key
  8. Look at the deployed certificate:
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  9. Restart Zimbra for the changes to take effect:
    su -c "zmcontrol restart" - zimbra

Note that installing the certificate via the GUI installation wizard failed, while the same server certificate, root certificate, intermediate certificate, etc. worked from the command line. Hence use the command line for installing the Zimbra SSL certificate.
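The checks behind steps 5 to 7 can be rehearsed with plain openssl before touching zmcertmgr. The script below is an added example, not part of the wiki page or of Zimbra: it confirms each input is a PEM certificate (a private key or DER file handed to deploycrt produces the "no start line" error seen later on this page), builds the combined CA file with the root first, and reproduces the key/certificate match and chain validation that zmcertmgr verifycrt reports. File names and the /tmp/combined.crt output path are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the Zimbra commercial certificate deployment (added example,
# not from the wiki page or from Zimbra). Uses only openssl; paths are assumptions.
set -e

# is_pem_cert FILE: succeed only if FILE carries PEM certificate markers.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# build_chain OUT CA...: concatenate CA certificates (root first, then intermediate,
# as in step 5), refusing a DER file or a private key, which would otherwise surface
# later as "PEM routines ... no start line".
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        is_pem_cert "$f" || { echo "$f is not a PEM certificate" >&2; return 1; }
        cat "$f" >> "$out"
    done
}

# check_pair KEY CERT CHAIN: the certificate must be PEM (catches a key passed in the
# certificate slot), its public key must equal the private key's, and it must chain
# to the CA certificates in CHAIN.
check_pair() {
    key=$1; cert=$2; chain=$3
    is_pem_cert "$cert" || { echo "$cert is not a PEM certificate (key passed by mistake?)" >&2; return 1; }
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ] || { echo "certificate and private key do not match" >&2; return 1; }
    # fails with "unable to get local issuer certificate" when the intermediate is missing
    openssl verify -CAfile "$chain" "$cert" >/dev/null
}

# Usage: sh zimbra-cert-preflight.sh KEY SERVER_CERT ROOT_CA INTERMEDIATE_CA
if [ "$#" -eq 4 ]; then
    build_chain /tmp/combined.crt "$3" "$4"
    check_pair "$1" "$2" /tmp/combined.crt
    echo "ready for: /opt/zimbra/bin/zmcertmgr deploycrt comm $2 /tmp/combined.crt"
fi
```

Run it with the key, the signed server certificate, the root CA and the intermediate CA; it only prints the deploycrt command line once all three checks pass.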

Example terminal I/O of certificate installation:

# zmcertmgr must be run as the root user
[root@mail ~]# su - zimbra
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
/opt/zimbra/bin/zmcertmgr must be run as user root
[zimbra@mail ~]$ exit
logout

# The intermediate and root CA certificates need to be combined using cat
[root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /tmp/web.crt: C = IN, ST = Telangana, L = Hyderabad, O = Example, CN = *.example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@mail ~]# cat /tmp/*.{pem,crt}
DigiCert_Global_Root_CA.pem  inter.crt                    web.crt                     
[root@mail ~]# cat /tmp/DigiCert_Global_Root_CA.pem /tmp/inter.crt > /tmp/combined.crt
[root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/web.crt: OK

# Wrong set of arguments in the next command (deploycrt does not take the private key)
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
unable to load certificate
139915522893480:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.

# Correct command
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/web.crt /tmp/combined.crt
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/web.crt: OK
** Copying /tmp/web.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/combined.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@mail ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::

...redacted...

::service proxy::

...redacted...

::service mailboxd::

...redacted...

::service ldap::

...redacted...

[root@mail ~]# su - zimbra
[zimbra@mail ~]$ zmcontrol restart
Host example.com
    Stopping vmware-ha...skipped.
        /opt/zimbra/bin/zmhactl missing or not executable.
    Stopping zmconfigd...Done.

...redacted...

    Stopping ldap...Done.
Host example.com
    Starting ldap...Done.

...redacted...

    Starting zimlet webapp...Done.
[zimbra@mail ~]$
