Results 1 to 8 of 8

Thread: [SOLVED] Unable to generate commercial CSR

  1. #1
    Join Date
    Sep 2009
    Posts
    3
    Rep Power
    6

    Default [SOLVED] Unable to generate commercial CSR

    Hi

    I'm using Zimbra Open Source v.5.0.18 on Ubuntu. I'm trying to generate a CSR to be used with a commercial CA.

    Can this be done using zmcertmgr?
    Does Zimbra have to have a local CA configured?
    What are the proper steps?

    I've be reading a number a white papers but I still cannot get it right.

    Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    Recreating a Self-Signed SSL Certificate - Zimbra :: Wiki

    5.x Commercial Certificates Guide - Zimbra :: Wiki

  2. #2
    Join Date
    Sep 2009
    Posts
    38
    Rep Power
    6

    Default Yeah, the GUI seems wacked

    I've set up SSL on both the open source and network editions of Zimbra (5.0.18) recently and the CSR creation from the GUI didn't work right on either of them. I ended up using the shell to do it:

    Code:
    #!/bin/bash
    #
    # Generate Zimbra certificate signing request
    #
    # Needs to be run by root.
    
    /opt/zimbra/bin/zmcertmgr createcsr comm -new \
     -subject "/C=US/ST=OH/L=YourTown/O=Your Organization/OU=Zimbra Server/CN=yourserver.example.com" -subjectAltNames yourserver.example.com
    
    exit
    Change the various names as needed, obviously. I used the resulting CSR with GoDaddy without a problem.

  3. #3
    Join Date
    Sep 2009
    Posts
    3
    Rep Power
    6

    Default Still Not Working

    So I tried the command you suggested but it did not work, here is the output:

    root@mail:/opt/zimbra/bin# ./zmcertmgr createcsr comm -new \ –subject "/C=CA/ST=ON/L=*****/O=********/OU=Information Services/CN=www.****.ca"
    ** Generating a server csr for download comm -new –subject /C=CA/ST=ON/L=****/O=*******/OU=Information Services/CN=www.****.ca
    subj= –subject
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20090916055718
    ** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...failed.

    Generating a 1024 bit RSA private key
    .....................++++++
    ................++++++
    writing new private key to '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
    -----
    Subject does not start with '/'.
    problems making Certificate Request

    ** Saving server config key zimbraSSLPrivateKey...done.


    I then Tried the command with a forward / after -new and here is the output:

    root@mail:/opt/zimbra/bin# ./zmcertmgr createcsr comm -new / –subject "/C=CA/ST=ON/L=*****/O=*******/OU=Information Services/CN=www.*****.ca"
    ** Generating a server csr for download comm -new / –subject /C=CA/ST=ON/L=*****/O=*******/OU=Information Services/CN=www.*******.ca
    subj=/
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20090916055810
    ** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...done.


    The command generated a CSR but when I had a verisign support agent verify the content, he told me there was no distinguished name information in the CSR.

    Anymore sujestion?
    I've gone ahead and reinstalled Zimbra, hopefully this will fix my problem.

  4. #4
    Join Date
    Sep 2009
    Posts
    38
    Rep Power
    6

    Default Hmmh. Look at the CSR?

    How about taking a look at the CSR that was generated:

    # openssl req -noout -text -in commercial.csr

    Does that match up with what you would expect?

  5. #5
    Join Date
    Sep 2009
    Posts
    3
    Rep Power
    6

    Default Success

    Well thanks a lot for your help, we finally generate a good CSR.
    We had to reinstall Zimbra and then run the following command:

    root@mail:/opt/zimbra/bin# ./zmcertmgr createcsr comm -new -subject "/C=CA/ST=ON/L=*****/O=********/OU=Information Services/CN=www.*****.ca" -subjectAltNames www.*****.ca

    I'm still unsure if we need the -subjectAltNames option but it worked so I'm not going to change anything.

    So now on to installing the certificate, wish me luck.

  6. #6
    Join Date
    May 2009
    Location
    Nantes / France
    Posts
    21
    Rep Power
    6

    Thumbs up

    I had the same error:
    Subject does not start with '/'.

    and the error disappeared after i added the
    -subjectAltNames yourserverhere
    option

  7. #7
    Join Date
    Sep 2009
    Posts
    5
    Rep Power
    6

    Default

    Hocky--

    Remove the -subject to fix it.

  8. #8
    Join Date
    Feb 2008
    Location
    Hanoi
    Posts
    42
    Rep Power
    7

    Default

    Quote Originally Posted by patrick.herrington View Post
    Well thanks a lot for your help, we finally generate a good CSR.
    We had to reinstall Zimbra and then run the following command:

    root@mail:/opt/zimbra/bin# ./zmcertmgr createcsr comm -new -subject "/C=CA/ST=ON/L=*****/O=********/OU=Information Services/CN=www.*****.ca" -subjectAltNames www.*****.ca

    I'm still unsure if we need the -subjectAltNames option but it worked so I'm not going to change anything.

    So now on to installing the certificate, wish me luck.
    This is exact what I need. I worked for me too.
    Thank you very much
    Kind Regards,
    Tuan

    Official website: http://www.iwayvietnam.com/
    Weblog: http://blog.iwayvietnam.com/tuanta/
    -----

    Zimbra is the best ever FOSS I've worked with.

Similar Threads

  1. Replies: 17
    Last Post: 08-30-2010, 11:59 AM
  2. Install a commercial SSL certificate ??
    By nick20 in forum Installation
    Replies: 6
    Last Post: 06-23-2010, 03:08 AM
  3. UNAUTHORIZED ACCESS Totally fouled up install
    By Lostin60s in forum Installation Help
    Replies: 0
    Last Post: 08-28-2009, 10:17 PM
  4. Installation zimbra Initializing ldap...failed. (28416)
    By farrukh.nadeem in forum Installation
    Replies: 10
    Last Post: 08-14-2009, 06:52 AM
  5. Fresh install of NE still cant generate CSR
    By sel5150 in forum Installation
    Replies: 2
    Last Post: 08-13-2009, 05:30 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •