Thread: Zimbra integration within existing PKI

  1. #1
    Zimbra mutual authentication for webmail access

    Hi all,

    I am having trouble integrating my test architecture within an existing PKI. The architecture I work on is described in this thread:

    My goal here is to get rid of Zimbra's self-signed certificates and replace them with certificates signed by my PKI. (The next goal after this integration would be to authenticate the users themselves, in order to have an architecture with two-factor authentication: users' certificates + their logins.)

    I have read the wiki and browsed the forum, and the main sources of information that I could find are the following:
    Category:Certificates - Zimbra :: Wiki [Outdated]

    I am currently following these instructions: Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    I made a CSR from the admin GUI (selecting "all servers") that I signed on my PKI. I have two files: the certificate itself, and the corresponding certificate chain. I checked the response:
    [root@mailbox01 zimbra]# /opt/zimbra/bin/zmcertmgr verifycrtkey comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/cert.crt
    ** Verifying /root/cert.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/cert.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    I moved the response to the appropriate folder:
    [root@mailbox01 zimbra]# cp /root/cert.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    I then tried to deploy the certificate:
    [root@mailbox01 zimbra]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt: C = FR, ST = bla, L = foo, O = bar, CN =
    error 20 at 0 depth lookup:unable to get local issuer certificate
    XXXXX ERROR: provided cert isn't valid.
    I understand that I need to install the authority corresponding to my PKI inside zimbra (as this is not a public one) but I cannot figure out where to do that...

    Has anyone already gone through this kind of thing?

    Sincerely yours,
    Last edited by tpouzet; 09-24-2012 at 07:51 AM.

  2. #2

    Well, I have the source of my problem. I assumed that, since I already added the CA certificate to the keystore:
    /opt/zimbra/bin/zmcertmgr addcacert ca.crt
    I did not need to provide it when installing the response to the CSR... I ran the following command:
    /opt/zimbra/bin/zmcertmgr deploycrt comm response.crt ca.crt
    Now my own CA is correctly installed on my servers.

    After this step, I tried to install dual SSL authentication following these notes: Gautam-Notes - Zimbra :: Wiki, but as usual, nothing works as I expect.

    What I have now:
    - When browsing to, I am prompted to provide a certificate. I provide a user certificate issued by a CA that I have installed with "zmcertmgr addcacert". (This is the same CA as the one that issued my server's certificates.)
    I am then redirected toward a wonderful 403 page...
    HTTP ERROR: 403
    You are not allowed to access this page.
    This behavior actually occurs regardless of the user certificate that I give. I added ",handshake,data,trustmanager" in localconfig key mailboxd_java_options but I could not obtain relevant traces in zmmailboxd.out ...

    Does anyone have tips on this now? There is actually very little information on the WWW about Zimbra's dual SSL authentication...

    Sincerely yours,
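
    Added example, not part of the posts above and not Zimbra's own code: the two checks seen in this thread, reproduced with plain openssl on a constructed throwaway CA. It shows that a key/certificate match says nothing about the chain, and that the "error 20 at 0 depth lookup" verdict disappears once the issuing CA is supplied. All file names, subject names and helper functions are assumptions; how zmcertmgr invokes openssl internally is not shown on the page.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI under example.test; none of these files come from the thread.

make_demo_pki() {   # $1 = work dir; writes ca.crt, server.key, response.crt
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[dn]' 'commonName = Common Name' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/req.cnf"
  # Self-signed private CA (stands in for the poster's PKI root)
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/C=FR/O=Example Test PKI/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  # Server key + CSR, then the CA's signed response
  openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/C=FR/O=Example Test PKI/CN=mailbox01.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/response.crt" 2>/dev/null
}

# Key/certificate pairing: passes for any cert built from this key, trusted or not.
pubkey_match() {    # $1 = certificate, $2 = private key
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Chain check: echoes openssl's verdict; $2 (issuing CA file) is optional.
verify_chain() {    # $1 = certificate, $2 = CA file
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" 2>&1
  else
    openssl verify "$1" 2>&1   # default trust store only; the private CA is not in it
  fi
  return 0          # the verdict is in the text; callers inspect it
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"
pubkey_match "$work/response.crt" "$work/server.key" && echo "key and certificate match"
echo "--- without the issuing CA ---"; verify_chain "$work/response.crt"
echo "--- with the issuing CA ---";    verify_chain "$work/response.crt" "$work/ca.crt"
```

    The first verdict is the same error text quoted in post #1; the second prints OK for the same response.crt, which mirrors the effect of passing ca.crt alongside the response in post #2.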

  3. #3

    I am still working on this configuration, and still do not have any solution so far...
    • I gave up trying to perform the double authentication through the proxies (to make it simpler)
    • I still have the 403 webpage when accessing and providing the user's certificate.
    • I performed a full reinstallation of my test servers to run ZCS 8.0.0 instead of the 7.2 that I used to have, and I still did not have any progress with this configuration...

    I am sure that I am close to the goal, but I really don't know how to make it work... Am I the only one trying to perform this double authentication around here?

