
Zimbra Creating self-signed certificate
UCSC Zimbra
===========

Back Up Existing Commercial Certs
---------------------------------

# cd /opt/zimbra/ssl/zimbra/commercial/
# mkdir -p DigiCert_old
# cp commercial* ./DigiCert_old

# cd /opt/zimbra/ssl/zimbra/server
# mkdir -p Server_old
# cp server.* Server_old

# cd /opt/zimbra/bin

Creating a CA
-------------

# ./zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf…done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key…done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem…done.

Creating Certs
--------------

# ./zmcertmgr createcrt -new -days 365
Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf…done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110423123012
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf…done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110423123012
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.
** Saving server config key zimbraSSLPrivateKey…failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.

Deploy the certificate
----------------------

# ./zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate…failed.
** Saving server config key zimbraSSLPrivateKey…failed.
** Installing mta certificate and key…done.
** Installing slapd certificate and key…done.
** Installing proxy certificate and key…done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.
** Installing CA to /opt/zimbra/conf/ca…done.

Deploy the CA
-------------

# ./zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving global config key zimbraCertAuthorityCertSelfSigned…failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned…failed.
** Copying CA to /opt/zimbra/conf/ca…done.

Verify the certificate was deployed to all the services
-------------------------------------------------------

# ./zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving global config key zimbraCertAuthorityCertSelfSigned…failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned…failed.
** Copying CA to /opt/zimbra/conf/ca…done.

View the Certificate
--------------------

debian-zimbra:/opt/zimbra/bin# ./zmcertmgr viewdeployedcrt
::service mta::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
::service proxy::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
::service mailboxd::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
::service ldap::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
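
A check over the viewdeployedcrt output shown above, as an added example (not part of the original post or of Zimbra): it flags any service whose certificate expires on or before a cutoff date or has an empty SubjectAltName, as all four do here. The names audit_deployed_crt and sample_output, the sample data, and the format of a non-empty SubjectAltName value are assumptions.

```shell
#!/bin/sh
# Added example; audit_deployed_crt and sample_output are hypothetical names,
# not part of Zimbra.
# Usage on a server: ./zmcertmgr viewdeployedcrt | audit_deployed_crt 20120522

# Read viewdeployedcrt text on stdin and print one line per finding:
# a certificate expiring on or before the YYYYMMDD cutoff in $1, or an
# empty SubjectAltName field.
audit_deployed_crt() {
    awk -v cutoff="$1" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) month[name[i]] = i
    }
    # "::service mta::" starts the block for one service.
    /^::service / { svc = $2; sub(/::$/, "", svc); next }
    # "notAfter=Apr 22 07:00:14 2012 GMT" becomes the integer 20120422.
    /^notAfter=/ {
        line = $0; sub(/^notAfter=/, "", line)
        split(line, f, " ")
        ymd = f[4] * 10000 + month[f[1]] * 100 + f[2]
        if (ymd <= cutoff + 0) {
            print svc ": expires " f[1] " " f[2] " " f[4] " (cutoff " cutoff ")"
        }
        next
    }
    # Clients that match host names only against SAN reject such a cert.
    /^SubjectAltName=[ \t]*$/ { print svc ": SubjectAltName is empty" }
    '
}

# Constructed sample in the layout shown above; the non-empty SubjectAltName
# value format is an assumption.
sample_output() {
    cat <<'EOF'
::service mta::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/O=Example/CN=mail.example.test
SubjectAltName=
::service proxy::
notBefore=Jan  5 07:00:14 2012 GMT
notAfter=Jan  5 07:00:14 2013 GMT
subject= /C=US/O=Example/CN=mail.example.test
SubjectAltName=mail.example.test, webmail.example.test
EOF
}

sample_output | audit_deployed_crt 20120522
```

The -subjectAltNames and -keysize options in the zmcertmgr help below set these values when the certificate is created. The 1024-bit RSA default shown on this page is below the 2048-bit minimum in current guidance such as NIST SP 800-131A.
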
==============================================================================================================
== – ZMCERTMGR Help – ==
==============================================================================================================

./zmcertmgr -help
./zmcertmgr createca [-new] [-keysize 1024] [-subject subject]
./zmcertmgr deployca
./zmcertmgr createcsr <self|comm> [-new] [-keysize 1024] [-subject subject] [-subjectAltNames "host1,host2"]
./zmcertmgr createcrt [-new] [-days validation days] [-keysize 1024] [-subject subject] [-subjectAltNames "host1,host2"]
./zmcertmgr deploycrt <self>
./zmcertmgr deploycrt <comm> [certfile] [ca_chain_file]
./zmcertmgr savecrt
./zmcertmgr viewcsr <self|comm> [csr_file]
./zmcertmgr viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
./zmcertmgr viewstagedcrt <self|comm> [certfile]
./zmcertmgr verifycrt <self|comm> [priv_key] [certfile]
./zmcertmgr verifycrtchain <ca_file> <certfile>
./zmcertmgr checkcrtexpiration [-days 30] [service]
./zmcertmgr addcacert <certfile>
./zmcertmgr migrate

Comments:
- Default <certfile>
    self-signed /opt/zimbra/ssl/zimbra/server/server.crt
    commerical /opt/zimbra/ssl/zimbra/commercial/commercial.crt
- Default <priv_key>
    self-signed /opt/zimbra/ssl/zimbra/server/server.key
    commercial /opt/zimbra/ssl/zimbra/commercial/commercial.key
- Default <subject>
    "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk"
- Default RSA <keysize> is 1024.
- Default <validation_days> is 365.
- Default <csr_file> is
- deploycrt self installs the certificates using self signed csr in /opt/zimbra/ssl/zimbra/server
- deploycrt comm installs the certificates using commercially signed certificate in /opt/zimbra/ssl/zimbra/commercial
- verifycrt <self|comm> compares openssl md5 [priv_key] and [certfile].
- migrate moves certs/keys from ZCS installs prior to version 5.0.x
- addcacert appends an otherwise untrusted ssl certificate to the cacerts file.
    This is primarily for allowance of untrusted ssl certificates in external data sources.
