Thread: Commercial Certs for Multi-Server Install

  1. #1

    I apologize if this has been addressed elsewhere, but I can't seem to find much about it in forum posts or the documentation.

    We recently moved from a single server install to a multi server install. With our single server, all I did to generate CSRs and install certs was use the web interface. With multi-server it seems a bit more complicated than that.

    Our setup:

    mail.domain.edu consists of zcs-ldap.domain.edu, zcs-mta.domain.edu, zcs-ms.domain.edu

    Zimbra proxy runs on our mta. Before I start playing with installing commercial certs (and likely break everything), I was hoping someone who has done this before can answer a few questions.

    1. Is it true that I cannot simply use the admin web console to install the certs? If I need to (or want to) install via command line, where would be the appropriate place to find documentation? I found documentation for self signed multi-server and commercial single server, but nothing for commercial multi-server.
    2. If I really just want a commercial cert for https, is a cert for mail.domain.edu enough? Is the install process different?
    3. If we want commercial certs for everything else, do I need to generate separate certs for zcs-ldap.domain.edu, etc. as well as a separate one for https?
    4. Do I need (or should I get) a wildcard cert?

    Any help would be greatly appreciated. Thanks in advance.

  2. #2

    some answers can be found at:
    5.x Commercial Certificates Guide - Zimbra :: Wiki

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  3. #3

    That wiki page does have some information on command line options (unfortunately I am not using any of those cert vendors), but it doesn't have much information in terms of multi-server requirements - i.e. if I can use the web interface, what kind of certs I need for each node, if I need wildcard certs, and if I can install a https cert only.

  4. #4

    Originally posted by jterhune:
    > 1. Is it true that I cannot simply use the admin web console to install the certs? If I need to (or want to) install via command line, where would be the appropriate place to find documentation? I found documentation for self signed multi-server and commercial single server, but nothing for commercial multi-server.

    The admin interface is handy, but does not work in all situations we have encountered. I would recommend getting comfortable with the CLI tools for cert management; it is actually less confusing in the end. I also believe that for the proxy server you have to install it via CLI.

    > 2. If I really just want a commercial cert for https, is a cert for mail.domain.edu enough? Is the install process different?

    You only need a cert for the domains to which clients are connecting. So if you have a bunch of mail stores on the backend, but they are all serving mail.domain.edu through the proxy, you only need a cert for mail.domain.edu.

    > 3. If we want commercial certs for everything else, do I need to generate separate certs for zcs-ldap.domain.edu, etc. as well as a separate one for https?

    You can keep all the internal communication using the self-signed certs and only use the commercial cert for the web-client access that actual users will be hitting.

    > 4. Do I need (or should I get) a wildcard cert?

    From my personal experience, I would avoid wildcard certs. Browsers do not handle them in a universal manner, so you are likely to get varying results.

  5. #5

    Awesome. Thanks for the help.

    Do you happen to know of any documentation for just adding a https cert via the CLI? I don't want to damage any self-signed certs in the process.

    Also, should the cert go on the proxy server, or should it go on the mailstore that the proxy server is directing to?

  6. #6

    The official wiki page contains info on the cli. Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    You want to deploy the ssl certs on the proxy. Communication between the proxy and the mail store is always over http.

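A pre-deployment check for the setup discussed in this thread, as an added example that is not from any poster or from Zimbra's documentation: before installing a commercial certificate on the proxy, confirm with openssl that it covers the client-facing name (mail.domain.edu), matches the private key the CSR was generated from, and is not close to expiry. The function names and file paths are assumptions.

```shell
#!/bin/sh
# Added example: checks to run on a commercial certificate before deploying
# it to the proxy node. Function names and file paths are hypothetical.

# cert_covers_host CERT HOST: succeeds if CERT is valid for HOST (SAN, or CN
# when the certificate carries no DNS SAN entries).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# cert_matches_key CERT KEY: succeeds if CERT was issued for KEY, by
# comparing the public key in the certificate with the one derived from KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeeds if CERT is still valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# precheck CERT KEY HOST: run all checks, report each, fail if any fails.
precheck() {
    rc=0
    cert_covers_host "$1" "$3" || { echo "FAIL: cert does not cover $3"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: cert does not match key"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: cert expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 is ready to deploy for $3"
    return "$rc"
}

# Example invocation (paths are placeholders):
#   sh precheck.sh /tmp/commercial.crt /tmp/commercial.key mail.domain.edu
if [ "$#" -eq 3 ]; then
    precheck "$@"
fi
```

A certificate issued only for mail.domain.edu will fail the host check for the backend names such as zcs-ms.domain.edu, which is expected when only the proxy serves clients.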