May 7th, 2012 by Gia

Generate the CSR (certificate signing request).

[[email protected] ~]# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=ID/ST=Jabar/L=Bandung/O=rgiapratama/OU=GIA/CN=mail.rgiapratama.net" -subjectAltNames "mail.rgiapratama.net"
** Generating a server csr for download comm -new -keysize 2048 -subject /C=ID/ST=Jabar/L=Bandung/O=rgiapratama/OU=GIA/CN=mail.rgiapratama.net -subjectAltNames mail.rgiapratama.net
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120502214856
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.

Submit commercial.csr to Thawte. After the approval process you get commercial.crt; also download the Premium Server CA, Primary Intermediate CA and Secondary Intermediate CA.
Make sure each file has a blank line after the "-----END CERTIFICATE-----" line, or you will get a "Failed to create jetty.pkcs12" error when deploying the commercial CRT (http://wiki.zimbra.com/wiki/Failed_to_create_jetty.pkcs12).

Then combine the Premium Server CA, Primary Intermediate CA and Secondary Intermediate CA into one chain file.

[[email protected] ~]$ wget https://www.thawte.com/roots/thawte_Premium_Server_CA.pem
[[email protected] ~]$ wget https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_PrimaryCA.pem
[[email protected] ~]$ wget https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_SecondaryCA.pem
[[email protected] ~]$ cat thawte_Premium_Server_CA.pem SSL_PrimaryCA.pem SSL_SecondaryCA.pem > ca_chain.crt
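The blank-line problem above comes from cat: a PEM file without a trailing newline glues its "-----END CERTIFICATE-----" to the next file's "-----BEGIN CERTIFICATE-----" on one line, and the bundle then fails to parse. The following shell functions, an added example rather than code from the original post or from Zimbra, build the chain so that cannot happen and check the result before it is handed to zmcertmgr deploycrt. File names follow the post; the function names pem_normalize, pem_count, pem_validate and chain_check are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): build and sanity-check a CA chain
# bundle before deploying it with zmcertmgr.

# Print the given PEM file(s) with every marker on its own line and a newline
# at end of file. A fused "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
# line (the result of cat'ing a file that lacks a trailing newline) is split
# back apart; awk's print always terminates the last line.
pem_normalize() {
    awk '
        /-----END CERTIFICATE-----./ { sub(/-----END CERTIFICATE-----/, "&\n") }
        { print }
    ' "$@"
}

# Number of certificates in FILE, counting only BEGIN markers that sit alone
# on a line (a fused marker is not counted, which is exactly the defect).
pem_count() {
    grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Return 0 if FILE is a clean bundle: no END marker with trailing characters,
# and a newline as the last byte. $(tail -c 1 FILE) is empty only when the
# final byte is a newline, because command substitution strips it.
pem_validate() {
    if grep -q -- '-----END CERTIFICATE-----.' "$1"; then
        echo "fused PEM markers in $1" >&2
        return 1
    fi
    if [ -n "$(tail -c 1 "$1")" ]; then
        echo "no trailing newline in $1" >&2
        return 1
    fi
    return 0
}

# chain_check CERT CHAIN KEY: the same two checks zmcertmgr verifycrt/deploycrt
# perform, done with openssl so a bad bundle is caught before anything is
# installed. Needs the openssl CLI on the host.
chain_check() {
    cert=$1; chain=$2; key=$3
    # Private key and certificate must share a modulus.
    if [ "$(openssl x509 -noout -modulus -in "$cert")" != \
         "$(openssl rsa -noout -modulus -in "$key")" ]; then
        echo "certificate and private key do not match" >&2
        return 1
    fi
    # The server certificate must chain up through the bundle.
    openssl verify -CAfile "$chain" "$cert"
}

# Usage, as it would be run in the post's home directory (constructed paths):
#   pem_normalize thawte_Premium_Server_CA.pem SSL_PrimaryCA.pem SSL_SecondaryCA.pem > ca_chain.crt
#   pem_validate ca_chain.crt && [ "$(pem_count ca_chain.crt)" -eq 3 ] || exit 1
#   chain_check commercial.crt ca_chain.crt /opt/zimbra/ssl/zimbra/commercial/commercial.key
```

Two caveats on chain_check: -CAfile marks every certificate in the bundle as trusted, so a passing verify proves the chain links up, not that the root is one your clients ship with; and a key/modulus comparison only applies to RSA keys, which is what the post's createcsr produces.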

Verify the commercial certificate (commercial.crt) against the private key.

[[email protected] gia]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /home/gia/commercial.crt
** Verifying /home/gia/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/home/gia/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /home/gia/commercial.crt: OK

Deploy the commercial certificate together with the CA chain.

[[email protected] gia]# /opt/zimbra/bin/zmcertmgr deploycrt comm /home/gia/commercial.crt /home/gia/ca_chain.crt
** Verifying /home/gia/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/home/gia/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /home/gia/commercial.crt: OK
** Copying /home/gia/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /home/gia/ca_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

View the deployed certificate for each service.

[[email protected] gia]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=May  4 00:00:00 2012 GMT
notAfter=Jun  3 23:59:59 2014 GMT
subject= /O=mail.rgiapratama.net/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.rgiapratama.net
issuer= /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
SubjectAltName=
::service proxy::
notBefore=May  4 00:00:00 2012 GMT
notAfter=Jun  3 23:59:59 2014 GMT
subject= /O=mail.rgiapratama.net/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.rgiapratama.net
issuer= /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
SubjectAltName=
::service mailboxd::
notBefore=May  4 00:00:00 2012 GMT
notAfter=Jun  3 23:59:59 2014 GMT
subject= /O=mail.rgiapratama.net/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.rgiapratama.net
issuer= /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
SubjectAltName=
::service ldap::
notBefore=May  4 00:00:00 2012 GMT
notAfter=Jun  3 23:59:59 2014 GMT
subject= /O=mail.rgiapratama.net/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.rgiapratama.net
issuer= /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
SubjectAltName=

Stop Zimbra, add the commercial certificate to the CA store, and start it again.

[[email protected] gia]# su - zimbra -c "zmcontrol stop"
Host mail.rgiapratama.net
Stopping zmconfigd...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
[[email protected] gia]# /opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial.crt to CACERTS as zcs-user-commercial...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
[[email protected] gia]# su - zimbra -c "zmcontrol start"
Host mail.rgiapratama.net
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting antivirus...Done.
Starting cbpolicyd...Done.
Starting snmp...Done.
Starting mta...Done.
Starting stats...Done.

References:
http://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools#ZCS_Administration_Console_Certificates_Tools
https://search.thawte.com/support/ssl-digital-certificates/index.html
