Friday, August 29, 2014

Zimbra 8.x - How to Install a Commercial SSL Certificate

The ZCS Certificates tools are located in the Navigation pane, under Tools>Certificates. Once you have selected Certificates from this menu, the Manage Certificates tab opens in the Content pane. From here, you can view your deployed certificates or install a new certificate.

To install an existing commercial SSL certificate (e.g. from RapidSSL):
This assumes you already have the certificate and its private key (commercial.crt and commercial.key).

1. Download and save the root Certificate Authority (CA) certificate from your provider to a temporary file (e.g. /tmp/ca.crt).
Download link: http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer

2. Download any intermediary CA certificates from your provider to a temporary file (e.g. /tmp/ca_intermediary.crt).
Download link: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1549

3. Combine root and intermediary CAs into a temporary file.
# cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt

4. Verify your commercial certificate.
# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK

5. Deploy your commercial certificate.
# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK
** Copying /tmp/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/ca_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

6. To finish, verify the certificate was deployed.
# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
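
The key-match and chain checks from step 4 can also be run with plain openssl before the files are handed to zmcertmgr. The script below is an added example, not part of the original post or of Zimbra; the function names precheck and make_demo_chain, the temporary directory and the demo certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Demo file names are constructed.

# precheck KEY CRT CHAIN: prints a verdict, returns 0 only if every check passes.
precheck() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) ||
        { echo "unreadable private key"; return 1; }
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ||
        { echo "unreadable certificate (not PEM?)"; return 1; }
    # The certificate must carry the public half of this private key.
    [ "$key_pub" = "$crt_pub" ] || { echo "key/certificate mismatch"; return 2; }
    # Root + intermediate in one PEM file must give a full path to the root.
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "chain does not verify"; return 3; }
    echo "OK"
}

# make_demo_chain DIR: constructed root -> intermediate -> server certificate.
make_demo_chain() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$d/o.cnf"
    openssl req -x509 -config "$d/o.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/ca.crt" -subj "/CN=Constructed Root" \
        -days 2 2>/dev/null
    for n in int commercial; do
        openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
            -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=constructed-$n" 2>/dev/null
    done
    openssl x509 -req -in "$d/int.csr" -CA "$d/ca.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/o.cnf" -extensions ca \
        -out "$d/ca_intermediary.crt" -days 2 2>/dev/null
    openssl x509 -req -in "$d/commercial.csr" -CA "$d/ca_intermediary.crt" \
        -CAkey "$d/int.key" -CAcreateserial -out "$d/commercial.crt" -days 2 2>/dev/null
    # Same concatenation as step 3 of the post.
    cat "$d/ca.crt" "$d/ca_intermediary.crt" > "$d/ca_chain.crt"
}

demo=$(mktemp -d)
make_demo_chain "$demo"
# Correct key and full chain.
precheck "$demo/commercial.key" "$demo/commercial.crt" "$demo/ca_chain.crt"
# Wrong private key for this certificate.
precheck "$demo/int.key" "$demo/commercial.crt" "$demo/ca_chain.crt" || true
# Chain file missing the intermediate (root only).
precheck "$demo/commercial.key" "$demo/commercial.crt" "$demo/ca.crt" || true
```

On a real server, call precheck with the paths used in step 4 in place of the demo files.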
