msgbartop
MAC OS X, Linux, Windows and other IT Tips and Tricks
msgbarbottom

22 Apr 13 Install Geotrust certificate in Zimbra 8.x

The best way to install a RapidSSL cert is via the CLI as the root user.

Reference: (18-12-2012 @ 23:39 BST)
http://elijahpaul.co.uk/2012/12/installing-a-rapidssl-certificate-on-zimbra-8-0/#.UVjDBhlSP5g

1. Start by logging into your Zimbra servers CLI via SSH.

2. As root begin by generating a Certificate Signing Request (CSR).
Below replace ‘mail.yourdomain.com’ with the FQDN of your Zimbra server.
/opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=GB/ST=England/L=London/O=Company Name/OU=Company Branch Name/CN=mail.yourdomain.com" -subjectAltNames mail.yourdomain.com

The above command includes the following codes:
/C = Country: The Country is a two-digit code — for the United Kingdom, it’s ‘GB’. A list of country codes is available here –
/ST = State: State is a full name, i.e. ‘California’, ‘Scotland’.
/L = Locality: Locality is a full name, i.e. ‘London’, ‘New York’.
/O = Organization: The Organization Name is your Full Legal Company or Personal Name, as legally registered in your locality.
/OU = Organizational Unit: The Organizational Unit is whichever branch of your company is ordering the certificate such as accounting, marketing, etc.
/CN = Common Name: The Common Name is the Fully Qualified Domain Name (FQDN) for which you are requesting the ssl certificate.
This will be the FQDN of your Zimbra server, e.g. mail.yourdomain.com or zimbra.yourdomain.com

3. Now upload/send the certificate request(CSR) to your SSL provider.
(Zimbra saves it to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.csr’)
They will most likely provide you with your Commercial Certificate via an email in the form of text or an attached file.

Note: If you already have your commercial certificate you only need to start at step 4 below.

4. Save your Commercial Certificate in a temporary file.
If provided as plain text you can cut and paste it into a new file using nano:
nano /tmp/commercial.crt

5. Download and save the root Certificate Authority (CA) for RapidSSL certificates to a temporary file. (e.g. /tmp/ca.crt).
Create the Root CA key:
The root CA for RapidSSL certificates is provided by GeoTrust and can also be found here:
https://ssltest12.bbtest.net/
Again you can cut and paste the following GeoTrust root CA text into a new file using nano.
nano /tmp/ca.crt
Content:
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----

6. Download any intermediary CAs from your SSL provider, again to a temporary file.
(e.g. /tmp/ca_intermediary.crt). RapidSSL certs usually come with a single intermediary certificate.
Once again, cut and paste the follwong RapidSSL Intermediate certificate using nano:
nano /tmp/ca_intermediate.crt
Content:
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG
EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0
l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e
6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb
ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8
N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5
HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd
gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC
St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w
EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEAq7y8Cl0YlOPBscOoTFXWvrSY8e48HM3P8yQkXJYDJ1j8Nq6iL4/x
/torAsMzvcjdSCIrYA+lAxD9d/jQ7ZZnT/3qRyBwVNypDFV+4ZYlitm12ldKvo2O
SUNjpWxOJ4cl61tt/qJ/OCjgNqutOaWlYsS3XFgsql0BYKZiZ6PAx2Ij9OdsRu61
04BqIhPSLT90T+qvjF+0OJzbrs6vhB6m9jRRWXnT43XcvNfzc9+S7NIgWW+c+5X4
knYYCnwPLKbK3opie9jzzl9ovY8+wXS7FXI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----

7. Combine root and intermediary CAs into a temporary file.
cat /tmp/ca.crt /tmp/ca_intermediate.crt > /tmp/ca_chain.crt
8. Copy your private key created and used to create your CSR file into:
/opt/zimbra/ssl/zimbra/commercial/commercial.key
9. Deploy your commercial certificate to Zimbra
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
The result should look like this:
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK
** Copying /tmp/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/ca_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

10. To finish, verify the certificate was deployed.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
11. Restarting Zimbra services will ensure the new commercial certificate takes effect
su - zimbra
zmcontrol restart

The result should look like this:
Host myhost.mydomain.com
Stopping vmware-ha...Done.
Stopping zmconfigd...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
Host myhost.mydomain.com
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting antispam...Done.
Starting antivirus...^@Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: