Part of my issue was that my CA was not trusted, so I had to add it to the trusted CAs. I honestly had a number of issues and I ended up using a support call to get it fixed. I also think I needed to get an additional intermediate cert from my CA and add it to one of my cert files.
I used a support call to get it resolved the first time. However, I migrated my server from a cloud VM to a local VM box earlier this year and reinstallation of the cert went fine. I just know that if it messes up anywhere in the process, it's easier to start over.
GlobalSign would be part of the default trusted CAs, but you could add your root CA cert to be safe.
Okay, I was able to get this to work by creating a new ca_bundle. I had GlobalSign send me my intermediate, and then downloaded their root and stitched them together. Now I am getting:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt root_bundle.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
Next is deployment. I have 6 Zimbra servers to deploy to, so I am somewhat reticent about deploying. I'm afraid some things won't restart with the new cert installed. Do I need to install to all servers at once?
(I have 2 LDAP servers, 2 stores, 1 archive store, and a proxy to support 4200 corporate mailboxes - not to mention the 2 external and 2 internal sendmail MTAs and LDAP servers. If that sounds like overkill - it is.)
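The two properties reported in the verifycrt output above (the private key matches the certificate, and the certificate chains through the stitched bundle) can also be checked with plain openssl. This is an added example, not code from the thread or from Zimbra: it generates a constructed throwaway root, intermediate and server certificate, and `issue`, `make_demo_pki`, `key_matches_cert` and `chain_verifies` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: every key and certificate here is a constructed throwaway,
# generated locally. Nothing below is GlobalSign's or Zimbra's own material.
set -eu

# issue DIR NAME CN ISSUER SECTION  (ISSUER "" means self-signed root)
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
    if [ -z "$4" ]; then
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 2 \
            -extfile "$1/ext.cnf" -extensions "$5" -out "$1/$2.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
            -CAcreateserial -days 2 -extfile "$1/ext.cnf" -extensions "$5" \
            -out "$1/$2.crt" 2>/dev/null
    fi
}

# Build root -> intermediate -> server cert, then stitch intermediate + root
# into one bundle file, as the post describes.
make_demo_pki() {
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[leaf]\nbasicConstraints=CA:FALSE\n' \
        > "$1/ext.cnf"
    issue "$1" root "Demo Root CA" "" ca
    issue "$1" intermediate "Demo Intermediate CA" root ca
    issue "$1" commercial "mail.example.test" intermediate leaf
    issue "$1" other "unrelated.example.test" intermediate leaf
    cat "$1/intermediate.crt" "$1/root.crt" > "$1/root_bundle.crt"
}

# True when the certificate carries the public key derived from the private key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True when the certificate chains to a root using only the CAs in the bundle.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
make_demo_pki "$d"
key_matches_cert "$d/commercial.crt" "$d/commercial.key" && echo "key matches certificate"
chain_verifies "$d/root.crt" "$d/commercial.crt" || echo "root only: chain incomplete"
chain_verifies "$d/root_bundle.crt" "$d/commercial.crt" && echo "intermediate + root: OK"
```

The root-only case fails because the server certificate was issued by the intermediate, which is the gap the stitched bundle closes.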
That's exactly what I had to do. Glad that worked out. Can't help you with the other part though. I'm a small network admin. We have mailboxes<50.
Last edited by ExcitedByNoise; 12-16-2010 at 07:18 AM. Reason: typo
Installing an SSL certificate on different server machines always causes the CSR and private key mismatch error. You need to reissue or re-key the SSL certificate from the supplier.
1. Export / back up the SSL certificate (include all key files) from the first server. PN:
2. Import / restore the SSL certificate on the next server.
This does not work for all server types, but for Microsoft IIS it works perfectly.
1. Generate a new CSR and private key from your server.
2. Contact the SSL vendor for the reissue process. If you have purchased GeoTrust SSL from SSLmatrix.com you can ask support to get the automated reissue process URL.
3. Use the new CSR key and get the cert reissued.
PN: The reissue process is free of cost and does not need any fees. If your provider asks for reissue fees, you can ask them or contact sslmatrix.com support for assistance to get the free SSL.