I just purchased a new SSL certificate for my ZCS install – a cert for the mail server – main server domain - not a hosted domain/account on said server - and when submitting the ZCS generated CSR to GeoTrust I got the following error:
I have no problem installing other certificates for other domains on the same server though.Invalid CSR
The CSR provided is invalid. Error code is 3022296, Error Message: Error Details: -2019: Your CSR contains a key size that is no longer considered secure. Security best practices require a minimum key size of 2048 bits. Please submit a new CSR with a minimum 2048 bit key size.
The difference is this time I generated the CSR via Zimbra admin so I was wondering if that might be the problem?
I usually use CLI to generate a CSR and a private key pair for the domains hosted on this server when renewing hosted domain certs, but I noticed in Zimbra admin there is no way to generate a private key so could that be the problem?
Should I generate the CSR (and privatekey) via CLI as I usually do? At present I am just using a self signed certificate for the main mail server address – I generated a new self signed cert a month ago via ZCS admin by generating a CSR via admin (but not a private main server key), and it was working fine, but want to go to a commercial cert instead.
Problem is apparently the main server cert is stored in a differet directory than my other domain certs and in zimbra admin it does not indicate where the main server cert and key and CSR are stored.
I am running ZCS version 5.0.2 and Apache MOD SSL on a Centos 5.4 server so my mod ssl is up to date.
As a foot note, the self signed cert, key and csr I generated last month are in /opt/zimbra/ssl/zimbra.20090305135257/server/
Also, there are two other directories where the newly generated CSR's is located - in:
I tried generating a second one...
...so ZCS seems to be placing the new csr's in different directories...
also the older certs and keys are in different dirs as well:
I was wondering if I should just go ahead and do this via CLI instead of Zimbra admin? I want to make sure I do this correctly If I remember correctly some time ago I tried to do it via CLI and could not get the commercial cert for main server address installed correctly and the mail server would not function until I did a self signed cert,even though generating certs via Command Line Interface method worked OK for my other domains.
Thanks for any insights or info.