Thread: Need help to install SSL Certificate from old server that wasn't backed up please

  1. #1

    Hello,

    My hard drive fried itself and I stupidly did not have a backup at all.

    I installed a brand new install of Zimbra 7.1 open source on Ubuntu 10.04 64-bit. My prior install was Ubuntu 8.04 64-bit with 6.0.xx.

    I have the current.csr from the old server and the certificates from StartSSL. I know how to do this if I made a brand new request to the provider and they gave me a brand new certificate. However, I don't know how to tell my current server to use the old CSR.

    Can anybody tell me how to do this? It seems all the wiki and forum information is mainly on how to do a restore from backup or a new request/import.

    Thank you,

    kazooless

  2. #2

    Hello,
    I will assume this is a commercial cert.
    Try to find the following files in the old server,
    commercial_ca.crt / commercial.csr / commercial.key

    I have used these steps to install a cacert,

    Backup and Clean Current Certs
    <code>su - root
    cd /opt/zimbra/ssl/zimbra/commercial/
    tar -czvf /tmp/ssl.commercial.backup.tar.gz *
    rm -rf *</code>

    Generate new csr (certificate request)
    <code>/opt/zimbra/bin/zmcertmgr createcsr comm -new</code>

    This uses the defaults, change accordingly
    <code>/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=Department/CN=mail.domain.com"</code>

    Verify files presence,
    <code>ls -la</code>

    Should list,
    commercial_ca.crt / commercial.csr / commercial.key

    Cat the csr and submit to cacert.org,
    <code>cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr</code>

    Result,
    <code> -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----</code>

    Paste the cert generated by cacert.org,
    <code>nano /opt/zimbra/ssl/zimbra/commercial/commercial.crt</code>

    Get cacert root.crt and class3.crt and cat both in one file
    <code>cat root.crt class3.crt > commercial_ca.crt</code>

    <code>/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key ./commercial.crt ./commercial_ca.crt </code>

    If the output looks good, you can deploy the certificate via this command:

    <code>/opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt</code>

    The final step would be to restart the zimbra services for the change to take effect.

  3. #3

    Onze,

    Thank you for the quick reply. The problem is that I don't have any access to the file system of the dead hard drive, so I can't get the actual files that were in /opt/zimbra directory.

    What I do have is the CSR that the old server generated which is what I copied and pasted to the commercial cert provider. I also have the certificate that the commercial provider gave me in response to the CSR the old server generated. (Yes, this is a commercial cert. It is from StartSSL and there is a wiki and plenty of forum posts about this particular provider.)

    So, are you saying I should generate a new CSR with the new server, but then there is a way to replace the newly generated CSR with the old CSR? I am sure if I create a new CSR, then the hash and all that won't match with the cert they provided to me for the old CSR. So I need the new server to use the old CSR to match up with the already provided certs.

    Does that make better sense what my problem is?

    kazoo

  4. #4

    Yup, unless someone can tell me otherwise, it looks like I need more than just the old CSR. It looks like I need the old commercial.key (Private Key) as well. I could kick myself for not getting at least an initial backup when I finished the full install. Ugh.

    This is what I get when I try to import the commercial certificate with the old and the new CSR:

    <code>root@mail:~/ssl# cd /opt/zimbra/bin
    root@mail:/opt/zimbra/bin# ./zmcertmgr deploycrt comm /home/jeff/ssl/ssl.crt /home/jeff/ssl/ca_bundle.crt
    ** Verifying /home/jeff/ssl/ssl.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    XXXXX ERROR: Unmatching certificate (/home/jeff/ssl/ssl.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
    XXXXX ERROR: provided cert isn't valid</code>

    This is from following step number 5 on this wiki: Installing a StartSSL SSL Certificate with zmcertmgr - Zimbra :: Wiki

    So, I guess I'm back to making another request with StartSSL. Unfortunately, even though they are free for your cert, if you have to revoke a cert and redeploy then they charge you. Live and learn.

    Before I do, does anybody have any information that might tell me I'm wrong and there is a way to deploy with the old CSR but not the old private key?

    kazoo
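
The "Unmatching certificate ... and private key" error in post #4 comes down to whether the certificate and the key on disk carry the same public key. As an added example (not part of the thread and not Zimbra's own code), this script makes that comparison with plain `openssl` on constructed files; the file names, the CN and the self-signed certificate standing in for the CA-issued one are assumptions.

```shell
#!/bin/sh
# Added example: compare the public key carried by a private key, CSR or certificate.
# File names and the CN below are constructed for this demo.

# Print the public key (PEM) carried by FILE ($1) of KIND ($2): key|csr|cert.
pubkey_pem() {
    case "$2" in
        key)  openssl pkey -in "$1" -pubout ;;
        csr)  openssl req  -in "$1" -noout -pubkey ;;
        cert) openssl x509 -in "$1" -noout -pubkey ;;
        *)    return 2 ;;
    esac
}

# SHA-256 fingerprint of that public key (DER form); fails on unreadable
# input so two broken files never compare as equal.
pubkey_fp() {
    pem=$(pubkey_pem "$1" "$2" 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if both files carry the same public key, 1 if not, 2 on error.
same_keypair() {
    a=$(pubkey_fp "$1" "$2") || return 2
    b=$(pubkey_fp "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Build constructed sample files in directory $1.
make_demo_files() {
    # "Old server": key, CSR, and a self-signed cert standing in for the CA's.
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null
    openssl req -new -key "$1/old.key" -subj "/CN=mail.example.test" -out "$1/old.csr"
    openssl req -x509 -new -key "$1/old.key" -subj "/CN=mail.example.test" -days 1 -out "$1/old.crt"
    # "New server": the fresh key a rebuilt host generates.
    openssl genrsa -out "$1/new.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_demo_files "$d"
for pair in "old.csr csr" "old.key key" "new.key key"; do
    set -- $pair
    if same_keypair "$d/old.crt" cert "$d/$1" "$2"; then r=match; else r=MISMATCH; fi
    echo "old.crt vs $1: $r"
done
rm -rf "$d"
```

The certificate matches the old CSR and the old key but not the new key, which is the situation in the thread: a CSR holds only the public half, so it cannot stand in for the lost private key.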

  5. #5

    Hello,
    Have you considered cacert.org?

    Regards

  6. #6

    That looks pretty cool. I didn't know about them. I just went ahead and paid to revoke the old cert. They did it quickly and I quickly made and successfully installed a new one. Live and learn.

    I have a backup now of all the documents, and I am in the middle of working through all the documentation regarding an automated backup of the open source product.

    Thanks for the help!

    kazoo
