Certificates for multiple domains

11447iain
Advanced member
Posts: 87
Joined: Fri Sep 12, 2014 10:04 pm

Certificates for multiple domains

Postby 11447iain » Thu Nov 02, 2006 8:48 am

I have a Zimbra server hosting multiple, unrelated, domains. Users connect by pointing their web browsers at their own domain.
Can I set up a certificate to cover the different domains, or do I need one certificate per domain?


Coilcore
Advanced member
Posts: 54
Joined: Fri Sep 12, 2014 10:00 pm

Certificates for multiple domains

Postby Coilcore » Thu Nov 02, 2006 12:56 pm

This is a complex question because the answer is not so straightforward.
Two of the purposes for certificates are encryption and host validation. You can always use one cert for multiple domains and you will get the encryption part of this process. But the host validation will not be correct, for example the cert is signed for 'mail.domain.com', so a request to 'mail.example.com' will not match the hostname, and will consequently trigger a warning. Assuming users ignore this warning they will still get the encryption part of the TLS.
Getting a warning is no small thing. Many small footprint clients will not even prompt on a warning, they will simply fail (this is common on mobile browsers). Additionally many users are not sophisticated enough to understand what the warning means, so they will not proceed.
Considering you will also generate a warning with most self-signed certs it may not be an issue, if you were going to go this route anyway.
If on the other hand you want to purchase multiple certificates, I will tell you that configuring this is not so simple. Apache cannot do name-based virtual hosting with multiple certs, so if you want to go this route you will have to do IP-based virtual hosting, which gets much more involved (mapping multiple IPs to one NIC, etc.), and you will likely have to do a lot of surgery on the Zimbra Apache instance to make it work.
cree13
Posts: 1
Joined: Fri Sep 12, 2014 10:25 pm

Certificates for multiple domains

Postby cree13 » Thu Feb 15, 2007 7:24 am

Follow the instructions here --- http://wiki.zimbra.com/index.php?title=SSL_Certificate_Problems
pay special attention to this line
[quote]If you wish to have several names on the certificate, supply them as arguments
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com
[/quote]
DanCody
Posts: 34
Joined: Fri Sep 12, 2014 9:57 pm

Certificates for multiple domains

Postby DanCody » Fri Feb 16, 2007 10:54 am

I tried this as well and it didn't seem to work, I'm still getting errors when going to foo.bar.edu:
"You have attempted to establish a connection with 'foo.bar.edu' however the certificate presented belongs to 'zimbra.bar.edu'." etc..
Anyone have this working for multi hostname machines?
Dan

[quote user="cree13"]Follow the instructions here --- http://wiki.zimbra.com/index.php?title=SSL_Certificate_Problems
pay special attention to this line[/QUOTE]
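
Added example (not from any poster in this thread, and not Zimbra code): a simplified version of the name check a TLS client performs, showing why a certificate issued for 'zimbra.bar.edu' produces the warning for 'foo.bar.edu' and how a certificate that lists several DNS names covers each of them. The certificate dicts are constructed samples in the layout of Python's ssl getpeercert(), the function names are hypothetical, it is assumed the extra names are carried as subjectAltName entries, and the wildcard case goes beyond what the thread discusses.

```python
# Added example: which hostnames does a certificate cover? (simplified RFC 6125 rules)
# The dicts follow the layout of ssl.SSLSocket.getpeercert(); all are constructed samples.

def dns_names(cert):
    """Return the DNS names a client will accept for this certificate."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # once SAN DNS entries exist, the commonName is ignored
    # Legacy fallback: take commonName from the subject
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def label_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(cert, host):
    return any(label_match(name, host) for name in dns_names(cert))

def uncovered(cert, hosts):
    """Hostnames that would trigger a name-mismatch warning with this cert."""
    return [h for h in hosts if not covers(cert, h)]

# Certificate with a single name, as in the warning quoted above
SINGLE_NAME = {"subject": ((("commonName", "zimbra.bar.edu"),),)}
# Certificate listing several names (assumed to be SAN entries)
MULTI_NAME = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"),
                       ("DNS", "webmail.mydomain.com"),
                       ("DNS", "webmail.yourdomain.com")),
}
# Wildcard certificate: one label deep, one parent domain only
WILDCARD = {"subject": ((("commonName", "*.bar.edu"),),),
            "subjectAltName": (("DNS", "*.bar.edu"),)}

if __name__ == "__main__":
    hosts = ["zimbra.bar.edu", "foo.bar.edu", "webmail.yourdomain.com"]
    for label, cert in (("single", SINGLE_NAME), ("multi", MULTI_NAME),
                        ("wildcard", WILDCARD)):
        print(label, "-> mismatch for:", uncovered(cert, hosts))
```
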
DanCody
Posts: 34
Joined: Fri Sep 12, 2014 9:57 pm

Certificates for multiple domains

Postby DanCody » Mon Feb 19, 2007 9:49 am

bumping this
[quote user="DanCody"]I tried this as well and it didn't seem to work, I'm still getting errors when going to foo.bar.edu:
"You have attempted to establish a connection with 'foo.bar.edu' however the certificate presented belongs to 'zimbra.bar.edu'." etc..
Anyone have this working for multi hostname machines?
Dan[/QUOTE]
1230zaf
Advanced member
Posts: 69
Joined: Fri Sep 12, 2014 10:03 pm

Certificates for multiple domains

Postby 1230zaf » Mon Mar 05, 2007 4:15 pm

Also interested in a resolution for this. IE7 gives a nasty error message that most users assume can't be gotten past. I blame IE for making such a menacing error page, but it sure would be nice to have a way around it.
htin
Posts: 16
Joined: Fri Sep 12, 2014 10:27 pm

Certificates for multiple domains

Postby htin » Fri Mar 30, 2007 5:02 pm

I’m trying to create a CA cert by following this link http://wiki.zimbra.com/index.php?title=SSL_Certificate_Problems#Create_the_CA_certificate_.28as_zimbra.29. But why won’t my data change for ‘/C= /O= /OU=’? Here is the result.
[zimbra@zimbra ~]$ zmcreatecert
** Importing CA
Certificate was added to keystore
** Creating keystore
** Creating server cert request
Generating a 1024 bit RSA private key
.++++++
..........................................++++++
unable to write 'random state'
writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
-----
** Signing cert request
Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            11:75:29:08:97
        Validity
            Not Before: Mar 30 21:41:39 2007 GMT
            Not After : Mar 28 21:41:39 2012 GMT
        Subject:
            countryName               = CA
            stateOrProvinceName       = N/A
            organizationName          = Myorg Intl.
            organizationalUnitName    = Myorg
            commonName                = zimbra.myorg.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:28:E7:0E:EF:04:2A:2E:C5:48:B4:E6:C8:DD:39:B1:A3:33:DD:A3
            X509v3 Authority Key Identifier:
                DirName:/C=CA/ST=N/A/L=N/A/O=Myorg Intl./OU=Myorg/CN=zimbra.myorg.com
                serial:00
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
Certificate is to be certified until Mar 28 21:41:39 2012 GMT (1825 days)
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=zimbra.myorg.com
Getting CA Private Key
unable to write 'random state'

Am I doing something wrong?

Thanks!
jholder
Zimbra Employee
Posts: 4686
Joined: Fri Sep 12, 2014 10:00 pm

Certificates for multiple domains

Postby jholder » Sat Mar 31, 2007 1:38 am

Search the wiki for that term.

I think you'll find your answer ;)
mrfileio
Posts: 31
Joined: Fri Sep 12, 2014 10:14 pm

Certificates for multiple domains

Postby mrfileio » Wed Apr 25, 2007 10:10 pm

So unless I'm mistaken, with all of the beautiful support for multiple domains (translated customers for an ASP-type hosting provider), support for multiple SSL certificates per one Zimbra instance is not available, correct?
This seems to be contrary to KevinH's posting here:

http://www.zimbra.com/forums/showthread.php?t=3588&highlight=certificates+multiple+domains

where he states "I think that is correct. Please file this in bugzilla, as support for multiple domains/certs is the right way to go."
I understand this may be a limitation of the underlying software, e.g. Tomcat, but I just want to be certain that if a hosting provider wanted to offer Zimbra to business A at https://acme.com and business B at https://bingo.com using the same Zimbra instance, this is currently not possible.
htin
Posts: 16
Joined: Fri Sep 12, 2014 10:27 pm

Certificates for multiple domains

Postby htin » Thu Apr 26, 2007 10:24 am

Even in one domain with one cert, I still can’t change the data of ‘/C= /O= /OU=’ to my own, as in my previous post in this thread. It is still using the default ‘zimbra’, not ‘myorg’. Has anyone changed this successfully? Please help!
Hk
