Thread: Self signed CA

  1. #1

    So, I have the problem that I can't create a self-signed cert with the admin GUI.
    It was a problem with version 5.0 GA, and later, after the update to 5.0.1, it was the
    same problem. Anyway ... is there a way to create a new self-signed cert with
    zmcertmgr on the console? I want to create a cert that shows my location,
    not US etc. The second problem is that when a connection is started, the warning appears that the cert is only for my hostname, not for the IP
    of this host; this is the second mistake.

    So, for that I want to create a new cert for "ALL Server" to solve this problem.

    Thanks for the help ...
    best regards
    Mario Roeber

  2. #2

    Did you try zmcertmgr? Must be run as root:
    [root@holder-test bin]# ./zmcertmgr
    ./zmcertmgr -help
    ./zmcertmgr createca [-new]
    ./zmcertmgr deployca
    ./zmcertmgr createcsr <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
    ./zmcertmgr deploycrt <self> [-new] [validation_days]
    ./zmcertmgr deploycrt <comm> [certfile] [ca_chain_file]
    ./zmcertmgr viewcsr <self|comm> [csr_file]
    ./zmcertmgr viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
    ./zmcertmgr viewstagedcrt <self|comm> [certfile]
    ./zmcertmgr verifycrt <self|comm> [priv_key] [certfile]
    ./zmcertmgr verifycrtchain <ca_file> <certfile>
    ./zmcertmgr migrate

    - Default <certfile>
    self-signed /opt/zimbra/ssl/zimbra/server/server.crt
    commerical /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    - Default <priv_key>
    self-signed /opt/zimbra/ssl/zimbra/server/server.key
    commercial /opt/zimbra/ssl/zimbra/commercial/commercial.key
    - Default <subject>
    "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/"
    - Default <validation_days> is 365.
    - Default <csr_file> is
    - deploycrt self installs the certificates using self signed csr in /opt/zimbra/ssl/zimbra/server
    - deploycrt comm installs the certificates using commercially signed certificate in /opt/zimbra/ssl/zimbra/commercial
    - verifycrt <self|comm> compares openssl md5 [priv_key] and [certfile].
    - migrate moves certs/keys from ZCS installs prior to version 5.0.x

  3. #3

    5.0.0_GA and 5.0.1_GA self signed ssl policy defaults require the Locale/State/Country values to match the ca. The default ssl configuration file in 5.0.2_GA lifts this restriction.

    I don't understand your second question about the hostname not matching the ip address? Which ZCS component is complaining about the mismatch? Please post the exact error so we can better identify the source of the problem.

  4. #4

    The problem with the current cert is, if you make a connection you get every time
    the information that the cert match to not to
    and the warning comes that maybe someone sits in the middle.

    Oh .. my English ... but OK .. I hope you understand ...

    Of course a self-signed cert is not verified by a commercial service.
    But the IP and alias should together match the same cert.

    bye mario
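
Added example, not part of any post in this thread and not Zimbra's own tooling: the two things asked for above (a subject that is not the US default, and one certificate that matches the hostname, an alias and the IP address) shown with plain OpenSSL 1.1.1 or newer instead of zmcertmgr. The hostnames, the 192.0.2.x addresses, the subject fields and the function names `make_cert` and `san_covers` are constructed for illustration.

```shell
#!/bin/sh
# Added example: plain OpenSSL (1.1.1+ for -addext), not zmcertmgr.
# All names, addresses and subject fields below are constructed.

# make_cert DIR SUBJECT SAN: write DIR/server.key and DIR/server.crt,
# a self-signed certificate valid for 365 days.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -subj "$2" -addext "subjectAltName=$3" 2>/dev/null
}

# san_covers CERT host|ip VALUE: succeed only if a client connecting to
# VALUE would find a matching name in CERT. Hostnames are matched against
# DNS entries and addresses against IP entries, never across the two.
san_covers() {
    case "$2" in
        host) flag=-checkhost ;;
        ip)   flag=-checkip ;;
        *)    return 2 ;;
    esac
    openssl x509 -in "$1" -noout "$flag" "$3" | grep -q "does match certificate"
}

demo() {
    dir=$(mktemp -d) || return 1
    subj="/C=DE/ST=Berlin/L=Berlin/O=Example Org/CN=mail.example.test"
    san="DNS:mail.example.test,DNS:webmail.example.test,IP:192.0.2.10"
    make_cert "$dir" "$subj" "$san" || return 1
    for probe in "host mail.example.test" "host webmail.example.test" \
                 "ip 192.0.2.10" "ip 192.0.2.11"; do
        set -- $probe
        if san_covers "$dir/server.crt" "$1" "$2"; then
            echo "$2: covered"
        else
            echo "$2: NOT covered, clients will warn"
        fi
    done
    rm -rf "$dir"
}

demo
```

`san_covers` can also be pointed at the deployed self-signed certificate, /opt/zimbra/ssl/zimbra/server/server.crt by the defaults listed in post #2, to see which names and addresses it actually carries.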
