
Thread: Information about zimbra certificate management

  1. #1

    Information about Zimbra certificate management

    Hi

    I need some information about how Zimbra manages self-signed certificates.

    I have found the following:
    Source (?):
    /opt/zimbra/ssl/zimbra/ca
    /opt/zimbra/ssl/zimbra/server
    /opt/zimbra/ssl/zimbra/commercial (uninteresting, we use self-signed ones)

    Destination (?):
    /opt/zimbra/conf/ca
    /opt/zimbra/conf/slapd.crt
    /opt/zimbra/conf/smtpd.crt
    /opt/zimbra/conf/nginx.crt


    "slapd.crt", "smtpd.crt" and "nginx.crt" are the same file (copied).
    The source of these certificates seems to be "/opt/zimbra/ssl/zimbra/server/server.crt".

    "/opt/zimbra/conf/ca/ca.pem" is the same file as "/opt/zimbra/ssl/zimbra/ca/ca.pem".

    It seems to me:
    All self-signed certificates are created in "/opt/zimbra/ssl/zimbra/" and copied to the conf directory ("/opt/zimbra/conf/").


    1) How does Zimbra use/control these certificates?
    2) What does Zimbra do if a certificate expires? (Auto recreate?)
    3) On Master/Slave systems "/opt/zimbra/conf/ca/ca.pem" has to be the same file on every node; otherwise the TLS LDAP connection fails.
    How does Zimbra manage this if the certificates expire?
    4) The CA certificate is only valid for one year. Is it possible to set this time higher? Is it possible to change the key size and hash algorithms? Is there a config file?
    5) Why does Zimbra give me the possibility in the admin web UI to set the validity of the server certificate to 10 years, but only create a CA certificate that is valid for one year? If the CA expires, the server certificate is also invalid.

    yogg

  2. #2

    I have now made some tests.

    It seems that on a single-server installation there are absolutely no problems if a certificate is invalid. I can't find any problems.
    Zimbra also does not automatically renew the certificates.

    On a Master/Slave system invalid certificates are a problem. All slaves connect to the master LDAP server over TLS encryption.
    If the certificate of the master is invalid, the connections fail.
    Also, all slaves need the CA certificate of the master in "/opt/zimbra/conf/ca".
    The problem here is that Zimbra does not automatically redeploy the certificate if it becomes invalid.
    After a year the LDAP replication stops without any warning. I think it would be good if the administrator got an email or something similar.

    I now check all certificates with a Nagios script.


    I have now also checked the zmcertmgr script. If I change some variables directly in the script I can create certificates with longer keys and other options.

    But I would be happy if someone who knows more details about the system could post here.
    Are there any limitations in the Zimbra system?
    Something like Zimbra only supports keys with a maximum length of 2048 bits, only MD5 and SHA-1 are supported, ...
    I hope there are none.

    yogg
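A check of the kind the second post mentions, added here as an example and not yogg's own Nagios script: it grades each certificate file named in the thread with Nagios exit codes using `openssl x509 -checkend`, and compares the fingerprints of two files so a slave's /opt/zimbra/conf/ca/ca.pem can be verified against the master's copy before the TLS LDAP replication silently breaks. It assumes `openssl` is on PATH; the 30-day warning threshold is a constructed default.

```shell
#!/bin/sh
# Added example, not the poster's Nagios script. Assumes `openssl` is on PATH.
# Paths are the ones named in the thread; the 30-day threshold is a constructed default.

# State of one PEM certificate file, using Nagios exit codes:
# 0 = OK, 1 = WARNING (expires within $2 days, default 30),
# 2 = CRITICAL (already expired, unreadable, or not a certificate).
cert_state() {
    file=$1
    warn_days=${2:-30}
    # `-checkend N` succeeds only if the certificate is still valid N seconds from now
    openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1 || return 2
    openssl x509 -noout -checkend $((warn_days * 86400)) -in "$file" >/dev/null 2>&1 || return 1
    return 0
}

# SHA-256 fingerprint of a PEM certificate (empty if the file is not one).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# Succeeds when two files carry the same certificate, e.g. the master's and a
# slave's /opt/zimbra/conf/ca/ca.pem, which must be identical for the
# TLS LDAP replication connection described in the thread to work.
same_cert() {
    fp1=$(cert_fingerprint "$1")
    fp2=$(cert_fingerprint "$2")
    [ -n "$fp1" ] && [ "$fp1" = "$fp2" ]
}

# Grade every deployed certificate file the thread names and exit with the
# worst state, which is what Nagios expects from a plugin.
check_zimbra_certs() {
    worst=0
    for f in /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/slapd.crt \
             /opt/zimbra/conf/smtpd.crt /opt/zimbra/conf/nginx.crt \
             /opt/zimbra/ssl/zimbra/server/server.crt; do
        [ -f "$f" ] || continue
        if cert_state "$f" 30; then s=0; else s=$?; fi
        echo "$f: state $s"
        if [ "$s" -gt "$worst" ]; then worst=$s; fi
    done
    return "$worst"
}

check_zimbra_certs
```

To compare a slave against the master, copy the master's ca.pem next to the slave's and run `same_cert /opt/zimbra/conf/ca/ca.pem ./master-ca.pem`.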
