
Thread: Install a commercial SSL certificate ??

  1. #1

    Install a commercial SSL certificate ??

    I read one Web address about installing SSL certificate at wiki.zimbra.com/index.php?title=SSL_Certificate_Problems referred by Kevin.

    This works great for installing a self-signed certificate by following the said instruction:
    Clean up SSL Certificate and recreate a new self-signed cert:----
    as root:
    rm -rf /opt/zimbra/ssl
    mkdir /opt/zimbra/ssl
    chown zimbra:zimbra /opt/zimbra/ssl

    su - zimbra
    (all one line here: )

    keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    (again, all one line: )
    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    zmcreateca
    zmcreatecert
    zmcertinstall mailbox ssl/ssl/server/tomcat.crt
    zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key


    However, when I followed the instruction below, as suggested, to install a commercial SSL certificate, I experienced errors.
    Instruction:
    To install a commercial SSL certificate, first remove the self-signed cert:
    su - zimbra
    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    then using your new certificate and key run:
    zmcertinstall mailbox ssl/ssl/server/commercial.crt
    zmcertinstall mta ssl/ssl/server/commercial.crt ssl/ssl/server/commercial.key

    I have 2 questions:
    1) An error occurred when I tried to execute " keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra " (without quotes). Why is this command different from the one being used for the self-signed certificate ?

    2) The instruction does not tell us how to generate a commercial.csr that is required by a commercial CA. I recall I used openssl to generate a commercial.csr in the past. Now with Zimbra, do we need to run zmcreateca once to get the server.csr to be used for applying for a commercial.crt ? (note: I tried to use the server.csr generated by zmcreateca to get a free 1-month certificate at the geotrust Web site. When I did the zmcertinstall mailbox ... , it generated an error.) Also, how can I set the password for the private key ?

    Please advise.

    Thanks,
    nick20

  2. #2

    Originally posted by nick20:
    > I have 2 questions:
    > 1) An error occurred when I tried to execute " keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra " (without quotes). Why is this command different from the one being used for the self-signed certificate ?

    What error occurred? The command is the same, you just have to tell it which cert file.

    > 2) The instruction does not tell us how to generate a commercial.csr that is required by a commercial CA. I recall I used openssl to generate a commercial.csr in the past. Now with Zimbra, do we need to run zmcreateca once to get the server.csr to be used for applying for a commercial.crt ? (note: I tried to use the server.csr generated by zmcreateca to get a free 1-month certificate at the geotrust Web site. When I did the zmcertinstall mailbox ... , it generated an error.) Also, how can I set the password for the private key ?
    >
    > Please advise.
    >
    > Thanks,
    > nick20

    That info should be available from your cert supplier.

  3. #3

    The error

    I executed the command:

    zimbra@webmail:~> keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    Keytool error: java.lang.Exception: Alias my_ca does not exist


    This is the error. What do you think ?

    Also, the commercial.csr (Certificate Signing Request) is not available from the cert supplier. In the past, I generated using openssl. Now, this zimbra system uses keytool that I have never used before. Could you please give me a clue how to generate the CSR for signing with my cert supplier to get a commercial digital SSL certificate ?

    - nick20

  4. #4

    That means that it's already been deleted.

    As for your commercial cert, you really need to get the info from your cert supplier - they may want different things, so I don't feel qualified to tell you what to give them.

  5. #5

    Geotrust instruction to generate CSR

    Thanks for marcmac's encouraging statement !

    I did a google search and found geotrust instruction on how to generate CSR.

    -------------------------------------------------------------------------------------
    http://www.geotrusteurope.com/suppor...rta_tomcat.htm

    Generate a Certificate Signing Request (CSR) for an SSL Certificate from GeoTrust
    Jakarta-Tomcat

    Follow these instructions to generate a CSR for your Web site. When you have completed this process, you will have a CSR ready to submit to GeoTrust in order to be generated into a SSL Security Certificate.

    If you are not using JDK 1.4 or higher, you must download and install "Java Secure Socket Extensions" JSSE.

    1. Generate a private key with the following command:

    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/domainname.kdb

    You will be prompted for a password. Tomcat uses a default password of "changeit". If you use a different password, you will need to specify a custom password in the server.xml configuration file.

    The next field that you will be prompted for is "What is your first and last name?" At this prompt, you must specify the common name (FQDN) of your web site.

    You will then be prompted for your organizational unit, organization, etc.

    2. Generate the Certificate Signing Request (CSR)

    $JAVA_HOME/bin/keytool -certreq -alias tomcat -keystore /path/to/keystore.kdb -file filename.csr

    You will not be prompted for the common name, organization, etc. The keytool will use the values that you specify when generating the private key.

    3. Now go to GeoTrust, select your certificate product and click the relevant Order Now button. Make sure that you have your CSR file handy - you will need this during the enrollment process. Go through the steps for purchasing a certificate and paste your certificate request in the block when prompted.
    Be sure to include -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----

    4. Make a backup of the keystore.kdb key database. GeoTrust is not responsible if your server crashes and this file is lost.
    --------------------------------------------------------------------------------------------

    After obtaining a CSR and then the crt file from geotrust, I successfully did the following to install a commercial SSL certificate:

    su - zimbra
    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    then using your new certificate and key run:
    zmcertinstall mailbox ssl/ssl/server/commercial.crt

    EXCEPT:
    zmcertinstall mta ssl/ssl/server/commercial.crt ssl/ssl/server/commercial.key

    It's because I don't have a commercial.key file. I assume that it should have been generated and encoded in the domainname.kdb (keystore file). Is there a way to extract the commercial.key file from the keystore file ? If not, what will be an alternative way to generate the private key file ?

    - nick20
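
Added example, not part of the original thread and not Zimbra's own tooling: one way to end up with a private key file next to the CSR, either by creating both with openssl or by exporting the key entry from a Java keystore, and to confirm that a key, CSR and issued certificate share the same public key before handing them to an installer. File names and the host name are placeholders, and the keystore export assumes a keytool that supports -importkeystore (JDK 6 or later).

```shell
#!/bin/sh
# Added example; file names and the host name are placeholders.
umask 077   # private keys written below are readable by the owner only

# Create an unencrypted RSA key and a CSR in one step, so the key exists as a file.
new_key_and_csr() {   # new_key_and_csr <fqdn> <out.key> <out.csr>
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" -subj "/CN=$1" 2>/dev/null
}

# Pull the key entry out of a Java keystore via PKCS#12 (keytool from JDK 6+).
# Both tools prompt for the store passwords.
keystore_to_pem_key() {   # keystore_to_pem_key <keystore> <alias> <out.key>
    tmp=$(mktemp -d) || return 1
    keytool -importkeystore -srckeystore "$1" -srcalias "$2" \
        -destkeystore "$tmp/k.p12" -deststoretype PKCS12 &&
    openssl pkcs12 -in "$tmp/k.p12" -nocerts -nodes -out "$3"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# SHA-256 over the PEM public key held in a key, certificate or CSR.
pubkey_fp() {   # pubkey_fp key|cert|csr <file>
    case $1 in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# Succeeds only when the private key and the certificate/CSR share a public key.
key_matches() {   # key_matches <key> cert|csr <file>
    a=$(pubkey_fp key "$1") && b=$(pubkey_fp "$2" "$3") && [ "$a" = "$b" ]
}

# Optional command-line use: script.sh <key> cert|csr <file>
if [ "$#" -eq 3 ]; then
    key_matches "$@" && echo "match" || { echo "MISMATCH" >&2; exit 1; }
fi
```

A mismatch here means the certificate was issued for a CSR made from a different key, which is the situation when the CSR came from a keystore and the key file came from somewhere else.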

  6. #6

    Installing GoDaddy SSL Certificate on Zimbra versions 5 and 6

    Here's a lengthy write up I made using information from several threads:

    IT Bang Bang: Installing $12.99 GoDaddy SSL Certificate on Zimbra versions 5 and 6

    I hope it helps people get their Certificates properly set up.

    Leave me comments if it worked.

  7. #7

    How to reuse SSL certificate?

    Thanks for the step-by-step instructions!
    Last edited by diallo0024; 06-23-2010 at 05:35 AM.
