CSR without SAN

Posted: Tue Dec 22, 2020 1:08 pm
by glenndm

Finally, I've bought a wildcard SSL for Zimbra to resolve the issues with mobile Apple devices.
But, as feared, I quickly ran into trouble with it.

I chose "Comodo Positive Wildcard SSL" via the SSL2buy provider - because all those SSL things look alike to me and this was one of the cheaper ones.
Wildcard because the mail, web and application server are on different hosts.
The mail server is a local server.

For the configuration I followed Other guides show similar instructions.

I got stuck at the CSR validation, where the site complains that "CSR with SAN is not allowed".
I recreated the CSR via the Zimbra admin page, making sure the SAN was removed.
The error stayed the same.
I tried some iterations with the common name, to no avail.
zimbra: Zimbra 8.8.15_GA_3847 (build 20190823100304)
zimbra server:
intended certificate for: *

A similar issue was raised here on the forum, but without solution.
I'd rather not mess with the command line unless I'm sure I won't break Zimbra.

Suggestions are very welcome to overcome my fear of certificates :)

Re: CSR without SAN

Posted: Tue Dec 22, 2020 1:50 pm
by L. Mark Stone
You can generate the CSR from the command line using the steps in the wiki: ... cate_Tools

Hope that helps,

Re: CSR without SAN

Posted: Tue Dec 22, 2020 3:12 pm
by glenndm
I've entered the following command:

zmcertmgr createcsr comm -new -subject "/C=BE/L=R..../O=V./OU=V...../CN=*" -subjectAltNames "*" -noDefaultSubjectAltName

** Generating a server CSR of type 'comm' for download
** Recreating /opt/zimbra/conf/zmssl.cnf
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20201222152520
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Retrieving Commercial CA cert from LDAP... ok
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr with keysize=2048 digest=sha256
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer

That CSR was accepted at the SSL config page and eventually I received certificates.
I will see tomorrow if the zimbra server accepts them and finally hopefully then the iphones too.
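
An added example, not part of this thread or any poster's own code: a shell check that tells you whether a CSR requests a subjectAltName extension before you paste it into a CA form that rejects SANs. It assumes OpenSSL 1.1.1 or later is installed; the function names, the `*.example.test` names and the sample CSRs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a CSR going to a CA that rejects SANs.

# csr_has_san FILE: 0 = SAN extension requested, 1 = none, 2 = not a CSR.
csr_has_san() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name'
}

# csr_san_names FILE: print each requested SAN entry on its own line.
csr_san_names() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr -d ' ' | tr ',' '\n'
}

# make_sample_csrs DIR: constructed throwaway CSRs for *.example.test
# (2048-bit RSA, sha256, as in the zmcertmgr output above). Uses its own
# minimal config so the system openssl.cnf cannot add extensions.
make_sample_csrs() {
    cat > "$1/min.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = BE
O = Example
CN = *.example.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/min.cnf" \
        -keyout "$1/nosan.key" -out "$1/nosan.csr" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/min.cnf" \
        -keyout "$1/san.key" -out "$1/san.csr" \
        -addext "subjectAltName=DNS:*.example.test,DNS:example.test" 2>/dev/null
}

# Command-line use: sh check_csr.sh /path/to/file.csr
if [ $# -gt 0 ]; then
    if csr_has_san "$1"; then
        echo "SAN present:"; csr_san_names "$1"
    else
        [ $? -eq 1 ] && echo "no SAN extension" || echo "not a readable CSR"
    fi
fi
```

On the Zimbra host, the file to check is the one named in the zmcertmgr output above, `/opt/zimbra/ssl/zimbra/commercial/commercial.csr`.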


Re: CSR without SAN

Posted: Tue Dec 22, 2020 3:46 pm
by L. Mark Stone
Sounds like progress!

I would do the certificate verification and installation from the commandline as well, using the examples in the wiki.

Re: CSR without SAN

Posted: Wed Dec 23, 2020 2:44 pm
by Klug
You can use your wildcard without a CSR.
But you have to go through the CLI to set it up; the admin WebUI is not very helpful for pre-existing certs.