Thread: Does the SSL cert on the Zimbra server's Primary Name need to match the server name?

  1. #1

    For Zimbra itself to be happy, I mean; it's looking like I need to have the cert be named after what my iPhones are going to want to call it in order for *them* to work -- and Apple explicitly doesn't support anything but Genuine Microsoft Exchange.

    So the question is: does *Zimbra* require that the server's idea of its own name appear in the SSL cert that it serves? If so, can it be a secondary name?
    Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA
    Try to Ask Questions The Smart Way -- you'll get better answers.

    Put your product and version in your profile/signature - All opinions strictly my own, even though I have an employer these days.
    If you [SOLVE] something, please tell everyone how for the archives
    And, please... read what people write, and answer the questions they asked, not the ones they didn't.

  2. #2

    Hi, not really following. Within the iPhone settings you would enter the FQDN of your Zimbra server, which should match the CN of the cert. If it does not, then the iPhone just asks if you wish to accept it (especially if you are using a self-signed cert).

  3. #3

    See my other thread, just updated. Apple *requires* that the primary name on the cert -- self signed or not -- be *the name the phone uses to get to EAS*.

    Hence, I have to rebuild my cert to do this, with async.mumble as its primary name.

    Hence my question above.

  4. #4

    I am guessing it will be fine. We have our own PKI and use a combination of ZCS FQDN, alternative name and IP address.

  5. #5

    But the primary name on your certs is the "real" configured name of your server? Or an alias?

    Cause if the iPhones require their name to be primary, and Zimbra requires *its*, then I'm either going to have to rename the server, or play games with my DNS.

  6. #6

    In either event, having had it confirmed by Quanah on my bug ticket that in fact, it's not supposed to care, I ran AJ's "build your own self-signed cert" script, modified like so:

    Code:
    /opt/zimbra/bin/zmcertmgr createcrt self -new -subject "C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=async.mumble" -subjectAltNames "benjamin.mumble,zmail.mumble"
    And, of course, for some reason, when I look in the admin console it doesn't appear to have actually done *anything*; my cert is still for benjamin.mumble, with no altNames.

    Confused, now.
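
Added example, not part of the thread or of Zimbra's tooling: a small Python check of which names a client following RFC 6125 will accept for a cert, where the CN is consulted only when the cert carries no DNS subjectAltNames. The function names are made up for illustration, and it assumes the cert's SAN list is exactly what was passed to -subjectAltNames in post #6.

```python
# Added example: RFC 6125-style hostname check over a cert's CN and DNS SANs.
# Names are the ones used in the thread; the name sets below are constructed.

def _name_match(pattern, host):
    """Compare one presented name with the host, allowing '*' as the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def candidate_names(cn, sans):
    """DNS SANs take precedence; the CN is a fallback only when there are none."""
    dns = [s for s in sans if s]
    return dns if dns else ([cn] if cn else [])

def host_matches(host, cn, sans):
    return any(_name_match(n, host) for n in candidate_names(cn, sans))

def report(cn, sans, hosts):
    """Map each hostname a client might dial to whether the cert covers it."""
    return {h: host_matches(h, cn, sans) for h in hosts}

HOSTS = ["async.mumble", "benjamin.mumble", "zmail.mumble"]

# Cert as requested in post #6: CN=async.mumble, SANs that omit async.mumble.
AS_REQUESTED = report("async.mumble", ["benjamin.mumble", "zmail.mumble"], HOSTS)
# Same CN with no SANs at all: the CN fallback applies.
CN_ONLY = report("async.mumble", [], HOSTS)
# Every name a client will dial listed as a SAN, the CN repeated among them.
ALL_IN_SAN = report("async.mumble", HOSTS, HOSTS)

if __name__ == "__main__":
    for label, result in [("as requested", AS_REQUESTED),
                          ("CN only", CN_ONLY),
                          ("all in SAN", ALL_IN_SAN)]:
        print(f"{label:13}", result)
```

Under this rule the name in the CN is only covered if it is also repeated in the subjectAltNames list.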
