Thread: Multi-Node Self-Signed Certificate

  1. #1

    Multi-Node Self-Signed Certificate

    Hi ALL,

    I just want to know how to create a Multi-Node Self-Signed Certificate, since I have 3 servers.

    mta1 where ldap1 is installed
    mta2 where ldap replica is installed
    mailbox server

    I use zimbra 7.2 64 bit. After installing, I ran the commands below to get Multi-Node Self-Signed Certificates.

    Multi-Node Self-Signed Certificate

    1. Begin by generating a new Certificate Authority (CA).

    /opt/zimbra/bin/zmcertmgr createca -new

    2. Then generate a certificate signed by the CA that expires in 365 days with either wild-card or subject altnames.

    /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=CA/L=NVA/O=ZCS/OU=ZCS/CN=*.domain.tld"
    /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subjectAltNames "host1.domain.tld,host2.domain.tld"

    3. Next, deploy the certificate to all nodes in the deployment.

    /opt/zimbra/bin/zmcertmgr deploycrt self -allserver

    4. To finish, verify the certificate was deployed.

    /opt/zimbra/bin/zmcertmgr viewdeployedcrt


    source - Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    But, I can't get 3 servers running after restarting zimbra (zmcontrol restart). It says unable to determine enabled services from ldap.

    Now, I can't start mta1 server with zmcontrol start . It always says

    unable to determine enabled services from ldap. Enabled services read from cache. Service list may be inaccurate

    I ran all the above commands on mta1 server since primary ldap is running there?

    Should I run those commands on all 3 servers?



    another URL is here

    How to re-create self-signed certificate in a multiserver platform? - Zimbra :: Wiki

    a little bit different there.


    Now, I think whatever we do, we will have to start the primary ldap server (in my case mta1) first.

    So should I issue a SINGLE NODE self signed certificate in this way.


    Single-Node Self-Signed Certificate

    1. Begin by generating a new Certificate Authority (CA).

    /opt/zimbra/bin/zmcertmgr createca -new

    2. Then generate a certificate signed by the CA that expires in 365 days.

    /opt/zimbra/bin/zmcertmgr createcrt -new -days 365

    3. Next deploy the certificate.

    /opt/zimbra/bin/zmcertmgr deploycrt self

    4. Next deploy the CA.

    /opt/zimbra/bin/zmcertmgr deployca

    5. To finish, verify the certificate was deployed to all the services.

    /opt/zimbra/bin/zmcertmgr viewdeployedcrt


    source - Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    Hope to hear from you. Really waiting for your reply.

  2. #2

    Why don't you simply copy the CA and key file on the rest of the servers and deploy the crt

  3. #3

    Originally posted by Raunaq:
        Why don't you simply copy the CA and key file on the rest of the servers and deploy the crt

    i.e. the ca.pem and ca.key files? In this way?

    scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mta2:/opt/zimbra/conf/ca/
    scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mailbox:/opt/zimbra/conf/ca/


    Could you please let me know if these steps are correct?


    On mta1 (where the ldap master is running), I run these commands.


    /opt/zimbra/bin/zmcertmgr createca -new

    /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=CA/L=NVA/O=ZCS/OU=ZCS/CN=*.domain.tld"


    /opt/zimbra/bin/zmcertmgr deploycrt self


    /opt/zimbra/bin/zmcertmgr deployca


    Then, scp ca.pem and ca.key to the mta2 (where the ldap replica is running) and mailbox servers

    scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mta2:/opt/zimbra/conf/ca/
    scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mailbox:/opt/zimbra/conf/ca/



    On mta2 and the mailbox server

    /opt/zimbra/bin/zmcertmgr deploycrt self



    Then, on ALL nodes (mta1, mta2 and mailbox)

    su - zimbra -c 'zmcontrol restart'
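
Added example, not part of the thread or of Zimbra's tooling: step 2 of the multi-node procedure in post #1 offers either a wildcard subject or a subjectAltNames list, and this sketch reports which node hostnames a given set of certificate names fails to cover (a wildcard matches one label only). The FQDNs mta1/mta2/mailbox.domain.tld are constructed from the thread's short names, and the file passed to cert_dns_names is whichever certificate the reader wants to inspect.

```shell
#!/bin/sh
# Added example: which node hostnames does a set of certificate names cover?

# DNS subjectAltName entries of a PEM certificate (path supplied by the reader).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# name_covers NAME HOST: true if NAME (exact or "*.suffix") matches HOST.
name_covers() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*}                 # "*.domain.tld" -> ".domain.tld"
            case "$host" in
                *"$suffix") label=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            # The wildcard stands for exactly one non-empty label.
            case "$label" in
                ''|*.*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *) [ "$pattern" = "$host" ] ;;
    esac
}

# uncovered_hosts NAMES HOSTS: both comma-separated; prints hosts no name covers.
uncovered_hosts() (
    set -f                                       # keep "*" from globbing
    missing=""
    for h in $(printf '%s' "$2" | tr ',' ' '); do
        ok=no
        for n in $(printf '%s' "$1" | tr ',' ' '); do
            if name_covers "$n" "$h"; then ok=yes; break; fi
        done
        [ "$ok" = yes ] || missing="$missing $h"
    done
    printf '%s\n' "${missing# }"
)

# Constructed node names for the three servers in the thread.
NODES="mta1.domain.tld,mta2.domain.tld,mailbox.domain.tld"
echo "wildcard leaves uncovered: [$(uncovered_hosts '*.domain.tld' "$NODES")]"
echo "two SANs leave uncovered:  [$(uncovered_hosts 'mta1.domain.tld,mta2.domain.tld' "$NODES")]"
```

On a real node, the first argument can be built from the deployed certificate, for example `uncovered_hosts "$(cert_dns_names server.crt | paste -sd, -)" "$NODES"`, where server.crt is a placeholder path.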
