Thread: [SOLVED] Error on generating SSL cert: CSR contains key size that is not considered s

    Hi,

    I just purchased a new SSL certificate for my ZCS install – a cert for the mail server – main server domain - not a hosted domain/account on said server - and when submitting the ZCS generated CSR to GeoTrust I got the following error:

    Invalid CSR
    The CSR provided is invalid. Error code is 3022296, Error Message: Error Details: -2019: Your CSR contains a key size that is no longer considered secure. Security best practices require a minimum key size of 2048 bits. Please submit a new CSR with a minimum 2048 bit key size.

    I have no problem installing other certificates for other domains on the same server though.

    The difference is this time I generated the CSR via Zimbra admin so I was wondering if that might be the problem?

    I usually use CLI to generate a CSR and a private key pair for the domains hosted on this server when renewing hosted domain certs, but I noticed in Zimbra admin there is no way to generate a private key so could that be the problem?

    Should I generate the CSR (and private key) via CLI as I usually do? At present I am just using a self signed certificate for the main mail server address – I generated a new self signed cert a month ago via ZCS admin by generating a CSR via admin (but not a private main server key), and it was working fine, but want to go to a commercial cert instead.

    Problem is apparently the main server cert is stored in a different directory than my other domain certs and in zimbra admin it does not indicate where the main server cert and key and CSR are stored.

    I am running ZCS version 5.0.2 and Apache MOD SSL on a CentOS 5.4 server so my mod ssl is up to date.

    As a footnote, the self signed cert, key and csr I generated last month are in /opt/zimbra/ssl/zimbra.20090305135257/server/

    Also, there are two other directories where the newly generated CSRs are located - in:

    /opt/zimbra/ssl/zimbra.20090305135257/server/server.csr
    /opt/zimbra/ssl/zimbra.20090305135332/server/server.csr
    /opt/zimbra/ssl/zimbra.20090423092315/server/server.csr
    /opt/zimbra/ssl/zimbra.20100309142016/server/server.csr
    /opt/zimbra/ssl/zimbra.20100309142035/server/server.csr
    /opt/zimbra/ssl/zimbra.20110311111113/server/server.csr
    /opt/zimbra/ssl/zimbra.20110311111200/server/server.csr


    I tried generating a second one...

    ...so ZCS seems to be placing the new CSRs in different directories...

    also the older certs and keys are in different dirs as well:

    /opt/zimbra/ssl/zimbra/server/server.key
    /opt/zimbra/ssl/zimbra.20090305135257/server/server.key
    /opt/zimbra/ssl/zimbra.20090305135332/server/server.key
    /opt/zimbra/ssl/zimbra.20090423092315/server/server.key
    /opt/zimbra/ssl/zimbra.20100309142016/server/server.key
    /opt/zimbra/ssl/zimbra.20100309142035/server/server.key
    /opt/zimbra/ssl/zimbra.20110311111113/server/server.key
    /opt/zimbra/ssl/zimbra.20110311111200/server/server.key

    /opt/zimbra/ssl/zimbra/server/server.crt
    /opt/zimbra/ssl/zimbra.20090305135332/server/server.crt
    /opt/zimbra/ssl/zimbra.20090423092315/server/server.crt
    /opt/zimbra/ssl/zimbra.20100309142016/server/server.crt
    /opt/zimbra/ssl/zimbra.20100309142035/server/server.crt
    /opt/zimbra/ssl/zimbra.20110311111113/server/server.crt
    /opt/zimbra/ssl/zimbra.20110311111200/server/server.crt

    I was wondering if I should just go ahead and do this via CLI instead of Zimbra admin? I want to make sure I do this correctly. If I remember correctly, some time ago I tried to do it via CLI and could not get the commercial cert for main server address installed correctly and the mail server would not function until I did a self signed cert, even though generating certs via Command Line Interface method worked OK for my other domains.

    Thanks for any insights or info.
    Last edited by nadsab; 04-05-2011 at 05:39 AM.
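
One way to find out which of the CSRs listed in the post would trip the CA's 2048-bit minimum, before submitting any of them. This is an added example, not part of the original post and not Zimbra's own tooling; the function names and the `mail.example.test` subject are hypothetical, and it assumes RSA keys and an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example: report the key size inside each CSR and flag any that
# fall below the 2048-bit minimum quoted in the CA's error message.
# Assumes RSA keys; an EC CSR reports e.g. 256 bits and would be flagged.
MIN_BITS=2048

# Print the public key size (in bits) embedded in a PEM CSR, or nothing
# if the file cannot be parsed as a CSR.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print one line per CSR: "OK|WEAK <bits> <path>" or "UNREADABLE - <path>".
# Returns 1 if any CSR is weak or unreadable, 0 otherwise.
audit_csrs() {
    rc=0
    for csr in "$@"; do
        bits=$(csr_bits "$csr")
        if [ -z "$bits" ]; then
            echo "UNREADABLE - $csr"; rc=1
        elif [ "$bits" -lt "$MIN_BITS" ]; then
            echo "WEAK $bits $csr"; rc=1
        else
            echo "OK $bits $csr"
        fi
    done
    return $rc
}

# Create a constructed key and CSR pair of the given RSA size, written to
# <prefix>.key and <prefix>.csr. The subject is a placeholder.
make_sample_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -subj "/CN=mail.example.test" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
}

# When called with CSR paths, audit them. On the server from the post:
#   sh audit_csrs.sh /opt/zimbra/ssl/zimbra*/server/server.csr
if [ "$#" -gt 0 ]; then
    audit_csrs "$@"
fi
```
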
