
Thread: Certificates for multiple domains

  1. #1
    Join Date
    Feb 2006
    Location
    Manchester, UK
    Posts
    88
    Rep Power
    9

    Certificates for multiple domains

    I have a Zimbra server hosting multiple, unrelated, domains. Users connect by pointing their web browsers at their own domain.

    Can I set up a certificate to cover the different domains, or do I need one certificate per domain?

  2. #2
    Join Date
    Nov 2005
    Posts
    55
    Rep Power
    9

    Purpose for the certs matters

    This is a complex question because the answer is not so straightforward.

    Two of the purposes for certificates are encryption and host validation. You can always use one cert for multiple domains and you will get the encryption part of this process. But the host validation will not be correct, for example the cert is signed for 'mail.domain.com', so a request to 'mail.example.com' will not match the hostname, and will consequently trigger a warning. Assuming users ignore this warning they will still get the encryption part of the TLS.

    Getting a warning is no small thing. Many small footprint clients will not even prompt on a warning, they will simply fail (this is common on mobile browsers). Additionally many users are not sophisticated enough to understand what the warning means, so they will not proceed.

    Considering you will also generate a warning with most self-signed certs it may not be an issue, if you were going to go this route anyway.

    If on the other hand you want to purchase multiple certificates, I will tell you that configuring this is not so simple. Apache cannot do name-based virtual hosting with multiple certs, so if you want to go this route you will have to do IP based virtual hosting, which gets much more involved (mapping multiple IPs to one NIC, etc), for which you will likely have to do a lot of surgery on the Zimbra Apache instance to make it work.
    Last edited by Coilcore; 11-03-2006 at 11:05 AM.

  3. #3
    Join Date
    Jan 2007
    Posts
    1
    Rep Power
    8


    Follow the instructions here ---
    http://wiki.zimbra.com/index.php?tit...icate_Problems

    pay special attention to this line

    If you wish to have several names on the certificate, supply them as arguments

    zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com

  4. #4
    Join Date
    Oct 2005
    Location
    Milwaukee, WI
    Posts
    34
    Rep Power
    10


    I tried this as well and it didn't seem to work, I'm still getting errors when going to foo.bar.edu:

    "You have attempted to establish a connection with 'foo.bar.edu' however the certificate presented belongs to 'zimbra.bar.edu'." etc..

    Anyone have this working for multi hostname machines?

    Dan



    Originally posted by cree13:
    Follow the instructions here ---
    http://wiki.zimbra.com/index.php?tit...icate_Problems

    pay special attention to this line
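The hostname check behind the warning quoted above, as an added example that is not part of the thread. The certificate dicts are constructed samples in the layout Python's `ssl.SSLSocket.getpeercert()` returns; that the multi-name certificate carries its names as subjectAltName DNS entries is an assumption, and the wildcard case goes beyond what the thread discusses.

```python
# Added example: why one certificate does or does not cover several hostnames.
# All certificate data below is constructed for illustration.

def cert_dns_names(cert):
    """Names a client compares against: SAN DNS entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when a SAN list is present, the CN is not consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive label match; '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:   # '*.bar.edu' is accepted, '*.edu' is not
        return p[1:] == h[1:]
    return p == h

def check_host(cert, host):
    """Return (ok, names_on_cert) for the hostname the user typed."""
    names = cert_dns_names(cert)
    return any(name_matches(n, host) for n in names), names

# Constructed: single-name cert, as in the error message in the post above.
SINGLE = {"subject": ((("commonName", "zimbra.bar.edu"),),)}
# Constructed: one cert listing several unrelated names (assumed stored as SANs).
MULTI = {"subject": ((("commonName", "mail.mydomain.com"),),),
         "subjectAltName": (("DNS", "mail.mydomain.com"),
                            ("DNS", "webmail.mydomain.com"),
                            ("DNS", "webmail.yourdomain.com"))}
# Constructed: wildcard cert; covers one label under bar.edu only.
WILD = {"subject": ((("commonName", "*.bar.edu"),),)}
# Constructed: CN differs from the SAN list, so the CN name is not accepted.
CN_IGNORED = {"subject": ((("commonName", "a.example"),),),
              "subjectAltName": (("DNS", "b.example"),)}

if __name__ == "__main__":
    for label, cert, host in [("single", SINGLE, "foo.bar.edu"),
                              ("multi", MULTI, "webmail.yourdomain.com"),
                              ("wildcard", WILD, "foo.bar.edu"),
                              ("cn-ignored", CN_IGNORED, "a.example")]:
        ok, names = check_host(cert, host)
        print(f"{label:10} {host:24} {'match' if ok else 'MISMATCH'} {names}")
```

To see which names a deployed certificate actually carries, feed `check_host` the dict returned by `getpeercert()` on a verified connection instead of the constructed samples.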

  5. #5
    Join Date
    Oct 2005
    Location
    Milwaukee, WI
    Posts
    34
    Rep Power
    10


    bumping this

    Originally posted by DanCody:
    I tried this as well and it didn't seem to work, I'm still getting errors when going to foo.bar.edu:

    "You have attempted to establish a connection with 'foo.bar.edu' however the certificate presented belongs to 'zimbra.bar.edu'." etc..

    Anyone have this working for multi hostname machines?

    Dan

  6. #6
    Join Date
    Jan 2006
    Location
    Lafayette, LA
    Posts
    81
    Rep Power
    9


    Also interested in a resolution for this. IE7 gives a nasty error message that most users assume can't be gotten past. I blame IE for making such a menacing error page, but it sure would be nice to have a way around it.

  7. #7
    Join Date
    Feb 2007
    Location
    Vancouver, BC, Canada
    Posts
    16
    Rep Power
    8


    I’m trying to create a CA cert by following this link http://wiki.zimbra.com/index.php?tit...28as_zimbra.29. But why won’t my data change for ‘/C= /O= /OU=’? Here is the result.

    Code:
    [zimbra@zimbra ~]$ zmcreatecert
    ** Importing CA
    
    Certificate was added to keystore
    ** Creating keystore
    
    ** Creating server cert request
    
    Generating a 1024 bit RSA private key
    .++++++
    ..........................................++++++
    unable to write 'random state'
    writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
    -----
    ** Signing cert request
    
    Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                11:75:29:08:97
            Validity
                Not Before: Mar 30 21:41:39 2007 GMT
                Not After : Mar 28 21:41:39 2012 GMT
            Subject:
                countryName               = CA
                stateOrProvinceName       = N/A
                organizationName          = Myorg Intl.
                organizationalUnitName    = Myorg
                commonName                = zimbra.myorg.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                CA:FALSE
                Netscape Comment:
                OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                C1:28:E7:0E:EF:04:2A:2E:C5:48:B4:E6:C8:DD:39:B1:A3:33:DD:A3
                X509v3 Authority Key Identifier:
                DirName:/C=CA/ST=N/A/L=N/A/O=Myorg Intl./OU=Myorg/CN=zimbra.myorg.com
                serial:00
    
                X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Certificate is to be certified until Mar 28 21:41:39 2012 GMT (1825 days)
    
    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=zimbra.myorg.com
    Getting CA Private Key
    unable to write 'random state'

    Am I doing something wrong?
    Thanks!
    [Working together for better community]

  8. #8
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    21


    Search the wiki for that term.
    I think you'll find your answer

  9. #9
    Join Date
    Aug 2006
    Location
    Chandler, AZ
    Posts
    31
    Rep Power
    9


    So unless I'm mistaken, with all of the beautiful support for multiple domains (translated customers for an ASP-type hosting provider), support for multiple SSL certificates per one Zimbra instance is not available, correct?

    This seems to be contrary to KevinH's posting here:
    http://www.zimbra.com/forums/showthr...ltiple+domains
    where he states "I think that is correct. Please file this in bugzilla, as support for multiple domains/certs is the right way to go."

    I understand this may be a limitation of the underlying software, e.g. tomcat, but I just want to be certain that if a hosting provider wanted to offer Zimbra to business A at https://acme.com and business B at https://bingo.com using the same Zimbra instance, this is currently not possible.

  10. #10
    Join Date
    Feb 2007
    Location
    Vancouver, BC, Canada
    Posts
    16
    Rep Power
    8


    Even in one domain with one cert, I still can’t change the data of ‘/C= /O= /OU=’ to my own, as in my previous post in this thread. It is still using the default ‘zimbra’, not ‘myorg’. Has anyone changed it successfully? Please help!

    Hk
    [Working together for better community]
