Hello, all. We have been struggling a bit to integrate Zimbra with our existing OpenCA-based PKI. We have a two-server environment right now: a main Zimbra server with all services installed and activated except AntiSPAM on the MTA, and then a second Zimbra server functioning as an Internet MTA in the DMZ. Generating the CSR for the main system went as expected.
However, when we created the Internet MTA and generated a CSR via the administration console, all seemed fine until we went to approve the CSR. The CSR has the cn of the main server and not the Internet MTA! We double checked by re-issuing the CSR but, sure enough, the same thing.
Argh!!! We attempted to issue the cert anyway by editing the request. We normally do this anyway in order to change the geographically oriented C=, O= into DC syntax, to add the missing subjAltName fields, to add non-FQDN fields to the subjAltName (so the devices can be accessed via hostname by those in the same domain), and to add IP addresses to the subjAltName. We were assuming the problem was simply putting the wrong cn into the CSR and not passing the wrong key. WRONG! Zimbra is passing the main server key for the CSR for the separate MTA server. Our CA flags it as a duplicate key. Perhaps this is the way it is supposed to work, but I assume it is a bug.
We'll try living with using the internally generated certs for the Internet MTA; it does not appear to be affecting communication yet.
We are running Zimbra GA16 on CentOS 5.3 in a VServer 2.3.x guest with kernel 18.104.22.168 - John
PS - we also noticed the subjAltName was missing from both requests
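The checks John's CA performed by hand (wrong CN, duplicate public key, missing subjAltName) can be run against a CSR before it is ever submitted. The script below is an added example, not something from the original post or from Zimbra; it uses plain OpenSSL commands and constructs its own throwaway keys and CSRs with made-up hostnames (mail.example.test, mta.example.test) to reproduce the situation described above: a "good" CSR signed with the MTA's own key and a "bad" CSR that carries the main server's name and key. The `-addext` option assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Pre-submission sanity checks for a CSR: does the CN match what we expect,
# does the CSR's public key belong to the private key on this host, and is a
# subjectAltName extension present at all?  Added example, not Zimbra code.
set -e

# csr_cn FILE -> prints the CN from the CSR subject (RFC 2253 form so the
# output is the same across OpenSSL versions)
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_key_matches CSR KEY -> exit 0 if the CSR's public key is the public half
# of KEY; compares SHA-256 digests of the DER-encoded SubjectPublicKeyInfo
csr_key_matches() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$csr_pub" = "$key_pub" ]
}

# csr_has_san CSR -> exit 0 if a subjectAltName request extension is present
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# setup_demo: constructed data. Two hosts with their own keys, one correct
# CSR for the MTA and one CSR that (as in the post) carries the main
# server's name and key even though it is meant for the MTA.
setup_demo() {
  DEMO_DIR=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$DEMO_DIR/main.key" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$DEMO_DIR/mta.key" 2>/dev/null
  # good: MTA key, MTA name, SAN with FQDN and short hostname
  openssl req -new -key "$DEMO_DIR/mta.key" -subj "/CN=mta.example.test" \
    -addext "subjectAltName=DNS:mta.example.test,DNS:mta" \
    -out "$DEMO_DIR/mta-good.csr" 2>/dev/null
  # bad: main server's key and name, no SAN
  openssl req -new -key "$DEMO_DIR/main.key" -subj "/CN=mail.example.test" \
    -out "$DEMO_DIR/mta-bad.csr" 2>/dev/null
}

# report CSR KEY EXPECTED_CN -> human-readable verdict for one CSR
report() {
  cn=$(csr_cn "$1")
  printf '%s\n' "== $1"
  if [ "$cn" = "$3" ]; then printf '  CN ok: %s\n' "$cn"
  else printf '  CN MISMATCH: got %s, expected %s\n' "$cn" "$3"; fi
  if csr_key_matches "$1" "$2"; then printf '  key ok: matches %s\n' "$2"
  else printf '  KEY MISMATCH: CSR public key is not from %s\n' "$2"; fi
  if csr_has_san "$1"; then printf '  SAN present\n'
  else printf '  SAN MISSING\n'; fi
}

setup_demo
trap 'rm -rf "$DEMO_DIR"' EXIT
report "$DEMO_DIR/mta-good.csr" "$DEMO_DIR/mta.key" mta.example.test
report "$DEMO_DIR/mta-bad.csr"  "$DEMO_DIR/mta.key" mta.example.test
```

Running it prints a clean verdict for the good CSR and flags the bad one on all three counts (CN mismatch, key not from the MTA's key file, no SAN). The key comparison is the important one: a CSR whose subject has been edited to the right name but whose public key belongs to another host will still be rejected by a CA that enforces key uniqueness, which is exactly what the OpenCA instance above did.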