Thread: Generating New Self-Signed Certs and CA- Multiple Servers

  1. #1

    I have a 2-server NE Release 6.0.7_GA_2473 installation with a master LDAP and a replica. None of the procedures I found for updating the CA and cert specify what to do on which server. Can anybody give me a procedure for updating the self-signed cert and CA in a multiple-server install?

    I lost LDAP replication after updating from the Administration Console Certificates Tools. I then followed the procedure described for the CLI in the VMware KB article "Managing certificates with the Zimbra Collaboration Server Administration Console and CLI tools", but it is still not working.


  2. #2
    If you mean the internal certs that expire after 1 year, this worked for me.
    As root, on the LDAP master only, create a new 10-year CA:
    /opt/zimbra/bin/zmcertmgr createca -new -days 3650
    /opt/zimbra/bin/zmcertmgr deployca
    /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
    This command should now install the CA cert to each of your other mail servers. The output looks something like this for each server that it iterates through:
    STARTCMD: sudo /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    ENDCMD: sudo /opt/zimbra/bin/zmcertmgr deploycrt self
    Check on each server that your CA cert stuff in /opt/zimbra/ssl/zimbra/ca/ is updated; if not, you might have to manually copy it over from your LDAP master.

    Then on each of your mail servers, run these to create the cert proper:
    /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
    /opt/zimbra/bin/zmcertmgr deploycrt self

    Hope this helps.
    Release 7.2.0_GA_2669.UBUNTU10_64 UBUNTU10_64 FOSS edition
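
The "check on each server" step in the answer above can be scripted with `openssl`. This is an added example, not part of the thread or of Zimbra's tooling: it compares a node's CA fingerprint with the master's and confirms the node's certificate verifies against that CA. The function names, file names and the throwaway PKI built by `make_demo_pki` are constructed for illustration; on a real node the functions would be pointed at the CA file under /opt/zimbra/ssl/zimbra/ca/ and the deployed server certificate.

```shell
#!/usr/bin/env bash
# Added example: verify that a regenerated CA reached a node and that the
# node's certificate was issued by it. File names below are assumptions.

# SHA-256 fingerprint of a PEM certificate.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# check_ca_sync MASTER_CA NODE_CA: succeeds only if both files hold the same certificate.
check_ca_sync() { [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; }

# check_server_cert CA CERT [MIN_DAYS]
# returns 0 = verifies against CA and valid for MIN_DAYS, 1 = not issued by CA, 2 = expiring.
check_server_cert() {
  local ca=$1 crt=$2 days=${3:-30}
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not verify against $ca"; return 1; }
  openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null ||
    { echo "FAIL: $crt expires within $days days"; return 2; }
  echo "OK: $crt"
}

# Constructed sample data: an old CA, a new CA, and a server cert signed by the new CA.
make_demo_pki() {
  local d=$1 n
  for n in old new; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=constructed $n CA" \
      -keyout "$d/$n-ca.key" -out "$d/$n-ca.pem" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail1.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/new-ca.pem" -CAkey "$d/new-ca.key" \
    -CAcreateserial -days 365 -out "$d/server.crt" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d)
  make_demo_pki "$d"
  # A node still holding the old CA: the case the manual copy step is for.
  check_ca_sync "$d/new-ca.pem" "$d/old-ca.pem" || echo "node CA is stale"
  check_server_cert "$d/old-ca.pem" "$d/server.crt" || true
  check_server_cert "$d/new-ca.pem" "$d/server.crt"
  rm -rf "$d"
}
demo
```

A return code of 1 from `check_server_cert` on a node means its certificate was not issued by the CA file it was checked against, so either the CA was not copied over or the node's certificate has not been recreated yet.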
