CSR without SAN

glenndm
Advanced member
Posts: 111
Joined: Fri Sep 12, 2014 10:35 pm
ZCS/ZD Version: Zimbra 8.8.15_GA_3847 (build 201908

CSR without SAN

Postby glenndm » Tue Dec 22, 2020 1:08 pm

Hello,

Finally, I've bought a wildcard SSL certificate for Zimbra to resolve the issues with mobile Apple devices.
But, as feared, I quickly ran into trouble with it.

I chose "Comodo Positive Wildcard SSL" via the SSL2buy provider, because all those SSL things look alike to me and this was one of the cheaper ones.
Wildcard because the mail, web and application server are on different hosts.
The mail server is a local server.

For the configuration I followed https://support.sectigo.com/PS_KnowledgeDetailPage?Id=kA01N000000zFKL. Other guides show similar instructions.

I got stuck at the CSR validation, where the site complains that "CSR with SAN is not allowed".
I recreated the CSR via the Zimbra admin page, making sure the SAN was removed.
The error stayed the same.
I tried some iterations with the common name, to no avail.
[attachment: 20201222.1.jpg]

[attachment: 20201222.2.jpg]


Zimbra: Zimbra 8.8.15_GA_3847 (build 20190823100304)
Zimbra server: truckle.domain.com
intended certificate for: *.domain.com

A similar issue was raised here on the forum, https://forums.zimbra.org/viewtopic.php?f=15&t=60490&hilit=ssl+san+wildcard, but without a solution.
I'd rather not mess with the command line unless I'm sure I won't break Zimbra.

Suggestions are very welcome to overcome my fear of certificates :)
glenn


L. Mark Stone
Elite member
Posts: 2223
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: CSR without SAN

Postby L. Mark Stone » Tue Dec 22, 2020 1:50 pm

You can generate the CSR from the command line using the steps in the wiki:

https://wiki.zimbra.com/wiki/Administra ... cate_Tools

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
glenndm
Advanced member
Posts: 111
Joined: Fri Sep 12, 2014 10:35 pm
ZCS/ZD Version: Zimbra 8.8.15_GA_3847 (build 201908

Re: CSR without SAN

Postby glenndm » Tue Dec 22, 2020 3:12 pm

I've entered the following command

zmcertmgr createcsr comm -new -subject "/C=BE/L=R..../O=V./OU=V...../CN=*.domain.com" -subjectAltNames "*.domain.com" -noDefaultSubjectAltName

** Generating a server CSR of type 'comm' for download
** Recreating /opt/zimbra/conf/zmssl.cnf
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20201222152520
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Retrieving Commercial CA cert from LDAP... ok
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr with keysize=2048 digest=sha256
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer truckle.domain.com...ok


That CSR was accepted at the SSL config page and eventually I received certificates.
I will see tomorrow if the Zimbra server accepts them and, finally, hopefully the iPhones too.

thanks
glenn
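The CA's complaint in the first post is about an extension inside the CSR, not about the wildcard itself, so it pays to look at what a CSR actually contains before uploading it, whether it came from the admin console or from the zmcertmgr createcsr command above. The script below is an added example, not code from the thread or from Zimbra: it builds one CSR that carries only a subject (the wildcard in the CN) and one that also requests a subjectAltName, and shows how to tell them apart with openssl. It assumes openssl is in PATH; example.com, the subject values and the working directory are placeholders. The same csr_san check can be run on /opt/zimbra/ssl/zimbra/commercial/commercial.csr, which is where zmcertmgr writes its request.

```shell
#!/bin/sh
# Added example (not from the forum thread or Zimbra): build a CSR with and
# without a subjectAltName request and inspect the result with openssl.
# Assumes openssl in PATH; example.com and the subject are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=BE/O=Example/CN=*.example.com"

# Minimal req config: an empty DN section (we pass -subj) plus an
# extension section that is only used when explicitly requested.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[san_ext]
subjectAltName = DNS:*.example.com, DNS:example.com
EOF

# 2048-bit RSA key, same size zmcertmgr used in the thread (keysize=2048).
openssl genrsa -out "$WORK/commercial.key" 2048 2>/dev/null

# $1 = output file, $2 = "san" to add a subjectAltName request, else none.
make_csr() {
    if [ "${2:-}" = san ]; then
        openssl req -new -key "$WORK/commercial.key" -subj "$SUBJ" \
            -config "$WORK/req.cnf" -reqexts san_ext -out "$1"
    else
        openssl req -new -key "$WORK/commercial.key" -subj "$SUBJ" \
            -config "$WORK/req.cnf" -out "$1"
    fi
}

# Print the SAN values a CSR requests (empty when it requests none).
# openssl prints "X509v3 Subject Alternative Name:" and the names on the
# following line, so take the line after the match.
csr_san() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# "yes" if the CSR carries a subjectAltName request, "no" otherwise.
csr_has_san() {
    if [ -n "$(csr_san "$1")" ]; then echo yes; else echo no; fi
}

# Subject CN of a CSR, to confirm the wildcard is where a SAN-less CA looks.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

make_csr "$WORK/nosan.csr"
make_csr "$WORK/san.csr" san
echo "nosan.csr: CN=$(csr_cn "$WORK/nosan.csr") SAN=[$(csr_san "$WORK/nosan.csr")]"
echo "san.csr:   CN=$(csr_cn "$WORK/san.csr") SAN=[$(csr_san "$WORK/san.csr")]"
```

A CSR without a SAN is only what this particular CA's order form wants to see; the certificate it issues still gets a subjectAltName filled in from the order, and current clients (iOS included) match the hostname against the SAN rather than the CN, so the issued certificate is the thing to inspect for the names you need.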
L. Mark Stone
Elite member
Posts: 2223
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: CSR without SAN

Postby L. Mark Stone » Tue Dec 22, 2020 3:46 pm

Sounds like progress!

I would do the certificate verification and installation from the command line as well, using the examples in the wiki.

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
Klug
Elite member
Posts: 2394
Joined: Mon Dec 16, 2013 11:35 am

Re: CSR without SAN

Postby Klug » Wed Dec 23, 2020 2:44 pm

You can use your wildcard without a CSR.
But you have to go through the CLI to set it up; the admin web UI is not very helpful for pre-existing certs.
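Deploying a wildcard certificate that already exists (Klug's point) or one just returned by the CA (Mark's) comes down to the same two facts zmcertmgr verifycrt checks: the private key in /opt/zimbra/ssl/zimbra/commercial/commercial.key must be the one the certificate was issued for, and the certificate's SAN must cover the mailbox host name. The script below is an added example, not Klug's or Zimbra's code, that runs those two checks with openssl on any host before touching Zimbra. It assumes openssl is in PATH; the self-signed stand-in certificate, example.com and truckle.example.com are constructed for the demonstration, and the deploy_commands function only prints the wiki's documented zmcertmgr steps (run as the zimbra user on the mailbox host) rather than executing them.

```shell
#!/bin/sh
# Added example (not from the forum thread or Zimbra): pre-flight checks on
# a wildcard key/certificate pair before handing it to zmcertmgr.
# Assumes openssl in PATH; the stand-in cert and host names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the purchased wildcard certificate: self-signed, with the
# wildcard in the SAN, which is where a CA-issued certificate carries it.
make_stand_in_cert() {
    cat > "$WORK/cert.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
[dn]
[v3]
subjectAltName = DNS:*.example.com, DNS:example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=BE/O=Example/CN=*.example.com" -config "$WORK/cert.cnf" \
        -keyout "$WORK/commercial.key" -out "$WORK/commercial.crt" 2>/dev/null
}

# "match" when the private key ($1) belongs to the certificate ($2).
# Compares the PEM public keys, so it works for RSA and EC keys alike.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# "yes" when host ($2) is covered by the SAN list of cert ($1), applying the
# one-label wildcard rule: *.example.com covers truckle.example.com but not
# example.com (needs its own entry) nor mail.sub.example.com.
cert_covers() {
    cert=$1; host=$2; hit=no
    names=$(openssl x509 -in "$cert" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}' \
        | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
    set -f                      # keep "*.example.com" from globbing
    for n in $names; do
        case "$n" in
            '*.'*)
                suffix=${n#\*}                  # ".example.com"
                label=${host%"$suffix"}         # "truckle" when suffix matched
                if [ "$label" != "$host" ] && [ -n "$label" ] \
                   && [ "${label#*.}" = "$label" ]; then
                    hit=yes
                fi ;;
            *)
                if [ "$n" = "$host" ]; then hit=yes; fi ;;
        esac
    done
    set +f
    echo "$hit"
}

# The deployment itself, as documented in the Zimbra wiki (run as the
# zimbra user); printed here, not executed, since this host has no Zimbra.
deploy_commands() {
    cat <<'EOF'
cp commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
zmcontrol restart
EOF
}

make_stand_in_cert
echo "key/cert: $(key_matches_cert "$WORK/commercial.key" "$WORK/commercial.crt")"
for h in truckle.example.com example.com mail.sub.example.com; do
    echo "$h covered: $(cert_covers "$WORK/commercial.crt" "$h")"
done
echo "then, as zimbra on the mailbox host:"; deploy_commands
```

The cp line is the step that matters for a certificate bought without a Zimbra-generated CSR: the key that came with the certificate has to replace commercial.key, otherwise verifycrt reports a key/certificate mismatch. commercial_ca.crt is the CA's intermediate chain as delivered with the certificate; the wildcard only helps when the mailbox host is exactly one label below the wildcard's domain, which is why the third host in the loop is not covered.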
