Thread: SSL with a 2048 bit Cert

  1. #1

    Question SSL with a 2048 bit Cert

    [Solution below]

    I use StartCom for my certs. This year they require 2048 bit or higher key on the CSR.

    It seems that my current version of Zimbra, 5.0.10_GA open source edition, always generates CSRs with a 1024 bit key.

    Is there a way I can change this?

    Do newer versions support this?

    Do I have to use the CLI, and if so, can you point me to the right instructions for this version?

    Thank you for your time.

    --Solution--
    5.0.10_GA is hard-coded to use 1024; future versions (6.0.0_RC1 and up) should support keys greater than 1024 bits. See Bug 36313 – Option to specify key length for SSL certificate

    As a workaround, I edited the following file:
    opt/zimbra/bin/zmcertmgr

    I replaced 1024 with 2048 anywhere in the file.
    I then regenerated the CSR with the management utility and all was good.

    Thanks to brian for info on the new version support, and to Rich Graves for info on JCE (see the post below about JCE if you still have issues).
    Last edited by mugendai; 06-24-2009 at 01:24 PM. Reason: Solution posted

  2. #2

    It's a limitation of the Sun Java distribution.

    You need to install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy." No URL provided because it moves; search for it.

    This will also upgrade symmetric ciphers from AES128 to AES256.

  3. #3

    Originally posted by Rich Graves:
        You need to install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy."

    Unfortunately that isn't working out for me.
    I got the unlimited strength policy, and replaced the existing policy files with them.
    "/opt/zimbra/java/jre/lib/security"

    I then restarted zimbra with zmcontrol stop then start

    I then attempted to generate a new CSR using the administration site.
    I sent the CSR to the CA and again they denied it because it is still 1024.

    Is there something more I need to do to get Zimbra to generate a 2048 or higher cert?

    Thanks again.

  4. #4

    zmcertmgr currently hardcodes the csr and key generation to 1024 bits. This is fixed for the 6.0.0_RC1 release.

    Bug 36313 – Option to specify key length for SSL certificate

  5. #5

    Originally posted by brian:
        zmcertmgr currently hardcodes the csr and key generation to 1024 bits. This is fixed for the 6.0.0_RC1 release.

        Bug 36313 – Option to specify key length for SSL certificate

    That nailed it on the head. Thanks.

    I'll edit my OP and set up a solved.

  6. #6

    Originally posted by mugendai:
        As a workaround, I edited the following file:
        opt/zimbra/bin/zmcertmgr

        I replaced 1024 with 2048 anywhere in the file.
        I then regenerated the CSR with the management utility and all was good.

    Confirmed. Workaround is successful with GoDaddy certs and Zimbra v5.0.20.

  7. #7

    Also confirming. Worked with Zimbra OSS 5.0.13_GA and NetworkSolutions.
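
A local check that would catch the rejection described in post #3 before the CSR goes to the CA, as an added example that is not part of the original thread: it reads the key size out of a CSR with the `openssl` command-line tool and counts any `1024` literals still present in a script such as zmcertmgr. The function names and the 2048-bit default are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumes the openssl CLI is installed.
# Function names are hypothetical.

# csr_key_bits FILE -> prints the public-key size in bits, or nothing on error.
# Matches both "Public-Key: (2048 bit)" and the older "RSA Public Key: (...)".
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr FILE [MIN_BITS] -> 0 if key size >= MIN_BITS (default 2048),
# 1 if the key is too small, 2 if the file is not a readable CSR.
check_csr() {
    local csr=$1 min=${2:-2048} bits
    bits=$(csr_key_bits "$csr")
    if [ -z "$bits" ]; then
        echo "ERROR: cannot read a key size from $csr" >&2
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "REJECT: $csr has a ${bits}-bit key, minimum is $min" >&2
        return 1
    fi
    echo "OK: $csr has a ${bits}-bit key"
}

# count_literal_1024 FILE -> prints how many lines still contain the whole
# word 1024, e.g. in a locally edited copy of the zmcertmgr script.
count_literal_1024() {
    grep -cw '1024' "$1"
}

# Usage: ./check_csr.sh server.csr [min_bits]
if [ $# -gt 0 ]; then
    check_csr "$@"
fi
```

Run `check_csr` on the CSR produced by the administration console or zmcertmgr; a nonzero exit status means the request would still be refused by a CA that requires 2048 bits.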
