Thawte SSL123 Certificate in Zimbra 7.1.4 OSE

Generate the certificate signing request (CSR).

[root@mail ~]# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=ID/ST=Jabar/L=Bandung/O=rgiapratama/OU=GIA/CN=mail.rgiapratama.net" -subjectAltNames "mail.rgiapratama.net"
** Generating a server csr for download comm -new -keysize 2048 -subject /C=ID/ST=Jabar/L=Bandung/O=rgiapratama/OU=GIA/CN=mail.rgiapratama.net -subjectAltNames mail.rgiapratama.net
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20120502214856
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.

Submit commercial.csr to Thawte. After the approval process you will receive commercial.crt; then download the Premium Server CA, Primary Intermediate CA and Secondary Intermediate CA certificates.
Make sure you add a blank line after the "-----END CERTIFICATE-----" line, or you will get a "Failed to create jetty.pkcs12" error when deploying the commercial certificate (http://wiki.zimbra.com/wiki/Failed_to_create_jetty.pkcs12).

After that, combine the Premium Server CA, Primary Intermediate CA and Secondary Intermediate CA into a single chain file.

[gia@mail ~]$ wget https://www.thawte.com/roots/thawte_Premium_Server_CA.pem
[gia@mail ~]$ wget https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_PrimaryCA.pem
[gia@mail ~]$ wget https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_SecondaryCA.pem
[gia@mail ~]$ cat thawte_Premium_Server_CA.pem SSL_PrimaryCA.pem SSL_SecondaryCA.pem > ca_chain.crt
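
An added example (not part of the original post) of joining the CA files so that a PEM file without a final line break cannot run its END marker into the next file's BEGIN marker, which is the kind of missing line break the note above warns about. The function names, the sample file names and the placeholder bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: build ca_chain.crt so every PEM marker is on its own line.
B='-----BEGIN CERTIFICATE-----'
E='-----END CERTIFICATE-----'

# check_chain FILE COUNT: succeed only if FILE holds exactly COUNT well-formed
# BEGIN and END lines. A fused "END...BEGIN" line or a line ending in CR
# matches neither anchored pattern, so the counts come up short.
check_chain() {
    begins=$(grep -c "^$B\$" "$1" || true)
    ends=$(grep -c "^$E\$" "$1" || true)
    [ "$begins" = "$2" ] && [ "$ends" = "$2" ]
}

# build_chain OUT IN...: join the inputs in order, dropping CRs and
# newline-terminating each file's last line, then validate the result.
build_chain() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        # awk emits a newline after every record, including an unterminated
        # final line; sub() strips the CR of CRLF-encoded files.
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out" || return 1
    done
    check_chain "$out" "$#"
}

# make_samples DIR: three CONSTRUCTED stand-ins for the CA files; the bodies
# are placeholder text, not real certificates.
make_samples() {
    printf '%s\n%s\n%s' "$B" Q09OU1RSVUNURUQx "$E" > "$1/root.pem"  # no final newline
    printf '%s\r\n%s\r\n%s\r\n' "$B" Q09OU1RSVUNURUQy "$E" > "$1/primary.pem"  # CRLF
    printf '%s\n%s\n%s\n' "$B" Q09OU1RSVUNURUQz "$E" > "$1/secondary.pem"
}

# demo: compare plain cat with build_chain on the samples and print verdicts.
demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    cat "$d/root.pem" "$d/primary.pem" "$d/secondary.pem" > "$d/naive.crt"
    if check_chain "$d/naive.crt" 3; then naive=ok; else naive=broken; fi
    if build_chain "$d/ca_chain.crt" "$d/root.pem" "$d/primary.pem" "$d/secondary.pem"
    then fixed=ok; else fixed=broken; fi
    rm -rf "$d"
    echo "naive=$naive fixed=$fixed"
}
demo   # prints: naive=broken fixed=ok
```

On the server, `build_chain ca_chain.crt thawte_Premium_Server_CA.pem SSL_PrimaryCA.pem SSL_SecondaryCA.pem` would take the place of the `cat` command above.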

Verify Commercial Certificate (commercial.crt)

[root@mail gia]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /home/gia/commercial.crt
** Verifying /home/gia/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/home/gia/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /home/gia/commercial.crt: OK

Deploy Commercial Certificate

[root@mail gia]# /opt/zimbra/bin/zmcertmgr deploycrt comm /home/gia/commercial.crt /home/gia/ca_chain.crt
** Verifying /home/gia/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/home/gia/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /home/gia/commercial.crt: OK
** Copying /home/gia/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /home/gia/ca_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

View deployed certificate

[root@mail gia]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=May  4 00:00:00 2012 GMT
notAfter=Jun  3 23:59:59 2014 GMT
subject= /O=mail.rgiapratama.net/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.rgiapratama.net
issuer= /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
SubjectAltName=
::service proxy::
notBefore=May  4 00:00:00 2012 GMT
notAfter=Jun  3 23:59:59 2014 GMT
subject= /O=mail.rgiapratama.net/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.rgiapratama.net
issuer= /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
SubjectAltName=
::service mailboxd::
notBefore=May  4 00:00:00 2012 GMT
notAfter=Jun  3 23:59:59 2014 GMT
subject= /O=mail.rgiapratama.net/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.rgiapratama.net
issuer= /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
SubjectAltName=
::service ldap::
notBefore=May  4 00:00:00 2012 GMT
notAfter=Jun  3 23:59:59 2014 GMT
subject= /O=mail.rgiapratama.net/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.rgiapratama.net
issuer= /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
SubjectAltName=

Restart Zimbra and Install commercial certificate

[root@mail gia]# su - zimbra -c "zmcontrol stop"
Host mail.rgiapratama.net
Stopping zmconfigd...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
[root@mail gia]# /opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial.crt to CACERTS as zcs-user-commercial...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
[root@mail gia]# su - zimbra -c "zmcontrol start"
Host mail.rgiapratama.net
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting antivirus...Done.
Starting cbpolicyd...Done.
Starting snmp...Done.
Starting mta...Done.
Starting stats...Done.

Reference:
http://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools#ZCS_Administration_Console_Certificates_Tools
https://search.thawte.com/support/ssl-digital-certificates/index.html
