Monday, April 23, 2012

Zimbra: Creating a self-signed certificate

UCSC Zimbra
===========

Backup Existing Commercial Certs
--------------------------------

# cd /opt/zimbra/ssl/zimbra/commercial/
# mkdir -p DigiCert_old
# cp commercial* ./DigiCert_old

# cd /opt/zimbra/ssl/zimbra/server
# mkdir -p Server_old
# cp server.* Server_old

# cd /opt/zimbra/bin


Creating a CA
-------------

# ./zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

Creating Certs
--------------

# ./zmcertmgr createcrt -new -days 365
Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110423123012
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110423123012
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.


Deploy the certificate
----------------------

# ./zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.


Deploy the CA
-------------

# ./zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.


Verify the certificate was deployed to all the services
-------------------------------------------------------

debian-zimbra:/opt/zimbra/bin# ./zmcertmgr viewdeployedcrt
::service mta::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
::service proxy::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
::service mailboxd::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
::service ldap::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
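The "Saving server config key ... failed" lines in the deploycrt and deployca output above mean the certificate and key were not recorded in the zimbraSSLCertificate / zimbraSSLPrivateKey config keys, so this viewdeployedcrt listing is the only confirmation that every service actually picked up the new certificate. The script below is an added example (not part of the original post and not Zimbra's own code) that parses exactly this output format and flags what a practitioner checks after a deployment: a service that reports no certificate, a certificate that has expired or expires within 30 days (the same window as zmcertmgr checkcrtexpiration -days 30), a CN that does not match the mail host, an empty SubjectAltName, the self-signed Zimbra CA as issuer, and services that do not all present the same certificate. The sample input is constructed: the mta, proxy and mailboxd blocks are the lines shown above; the ldap block is made up to show a service still serving an expired certificate from a placeholder commercial CA.

```python
"""Check ./zmcertmgr viewdeployedcrt output across all Zimbra services.

Added example, not part of the original post or of Zimbra. Feed it the
text printed by viewdeployedcrt; every finding is returned as (service, message).
"""
import re
from datetime import datetime, timedelta

DATE_FMT = "%b %d %H:%M:%S %Y GMT"               # e.g. "Apr 22 07:00:14 2012 GMT"
SERVICES = ("mta", "proxy", "mailboxd", "ldap")  # services viewdeployedcrt reports
ZIMBRA_CA_ORG = "O=Zimbra Collaboration Suite"   # default subject of the zmcertmgr CA

# Constructed sample. mta/proxy/mailboxd are the blocks from the post; the ldap
# block is invented (placeholder org and CA names) to show a stale, expired cert.
SAMPLE_OUTPUT = """\
::service mta::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
::service proxy::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
::service mailboxd::
notBefore=Apr 23 07:00:14 2011 GMT
notAfter=Apr 22 07:00:14 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk
SubjectAltName=
::service ldap::
notBefore=Apr  1 00:00:00 2010 GMT
notAfter=Apr  1 00:00:00 2011 GMT
subject= /C=US/O=Example Org/CN=mail.ucsc.cmb.ac.lk
issuer= /C=US/O=Example Commercial CA/CN=Example Commercial CA
SubjectAltName=DNS:mail.ucsc.cmb.ac.lk
"""


def parse_viewdeployedcrt(text):
    """Split viewdeployedcrt output into {service: {field: value}}."""
    certs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^::service (\w+)::$", line)
        if m:
            current = m.group(1)
            certs[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")   # split on the first '=' only
            certs[current][key.strip()] = value.strip()
    return certs


def parse_openssl_date(s):
    """Parse an openssl date; openssl pads single-digit days with two spaces."""
    return datetime.strptime(" ".join(s.split()), DATE_FMT)


def cn_of(dn):
    """Extract the CN from a slash-separated DN string."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else None


def check_deployment(certs, expected_host, now, warn_days=30, services=SERVICES):
    """Return [(service, finding)]; an empty list means the deployment looks right."""
    if isinstance(now, str):
        now = parse_openssl_date(now)
    findings = []
    for svc in services:
        c = certs.get(svc)
        if c is None:
            findings.append((svc, "no certificate reported"))
            continue
        not_after = parse_openssl_date(c["notAfter"])
        if not_after <= now:
            findings.append((svc, "expired on " + c["notAfter"]))
        elif not_after - now < timedelta(days=warn_days):
            findings.append((svc, "expires within %d days" % warn_days))
        if cn_of(c.get("subject", "")) != expected_host:
            findings.append((svc, "CN does not match " + expected_host))
        if not c.get("SubjectAltName"):
            findings.append((svc, "empty SubjectAltName (recreate with -subjectAltNames)"))
        if ZIMBRA_CA_ORG in c.get("issuer", ""):
            findings.append((svc, "issued by the self-signed Zimbra CA; clients must trust ca.pem"))
    # deploycrt must reach every service: all of them should present the same certificate.
    seen = {(c.get("notBefore"), c.get("notAfter"), c.get("subject"), c.get("issuer"))
            for svc, c in certs.items() if svc in services}
    if len(seen) > 1:
        findings.append(("all", "services do not all present the same certificate"))
    return findings


if __name__ == "__main__":
    deployed = parse_viewdeployedcrt(SAMPLE_OUTPUT)
    for svc, msg in check_deployment(deployed, "mail.ucsc.cmb.ac.lk", "Apr 23 08:00:00 2011 GMT"):
        print("%-9s %s" % (svc, msg))
```

On a live server pipe the real listing in (./zmcertmgr viewdeployedcrt | python3 check_deployed.py, after replacing SAMPLE_OUTPUT with sys.stdin.read()). Two of the findings this raises against the certificate shown above are worth acting on when the certificate is recreated: the help text further down offers -subjectAltNames "host1,host2", which fills the empty SubjectAltName that clients increasingly require, and -keysize, whose 1024-bit default is below what current guidance accepts for RSA, so pass -keysize 2048 to createca and createcrt.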


==============================================================================================================
==                           - ZMCERTMGR Help -                            ==
==============================================================================================================

./zmcertmgr -help
  ./zmcertmgr createca [-new] [-keysize 1024] [-subject subject]
  ./zmcertmgr deployca
  ./zmcertmgr createcsr <self|comm> [-new] [-keysize 1024] [-subject subject] [-subjectAltNames "host1,host2"]
  ./zmcertmgr createcrt [-new] [-days validation days] [-keysize 1024] [-subject subject] [-subjectAltNames "host1,host2"]
  ./zmcertmgr deploycrt <self>
  ./zmcertmgr deploycrt <comm> [certfile] [ca_chain_file]
  ./zmcertmgr savecrt
  ./zmcertmgr viewcsr <self|comm> [csr_file]
  ./zmcertmgr viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
  ./zmcertmgr viewstagedcrt <self|comm> [certfile]
  ./zmcertmgr verifycrt <self|comm> [priv_key] [certfile]
  ./zmcertmgr verifycrtchain <ca_file> <certfile>
  ./zmcertmgr checkcrtexpiration [-days 30] [service]
  ./zmcertmgr addcacert <certfile>
  ./zmcertmgr migrate

Comments: 
-  Default <certfile>
     self-signed /opt/zimbra/ssl/zimbra/server/server.crt
     commerical  /opt/zimbra/ssl/zimbra/commercial/commercial.crt
-  Default <priv_key>
     self-signed /opt/zimbra/ssl/zimbra/server/server.key
     commercial  /opt/zimbra/ssl/zimbra/commercial/commercial.key
-  Default <subject>
     "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.ucsc.cmb.ac.lk"
-  Default RSA <keysize> is 1024.
-  Default <validation_days> is 365.
-  Default <csr_file> is
-  deploycrt self installs the certificates using self signed csr in /opt/zimbra/ssl/zimbra/server
-  deploycrt comm installs the certificates using commercially signed certificate in /opt/zimbra/ssl/zimbra/commercial
-  verifycrt <self|comm> compares openssl md5 [priv_key] and [certfile].
-  migrate moves certs/keys from ZCS installs prior to version 5.0.x
-  addcacert appends an otherwise untrusted ssl certificate to the cacerts file.
     This is primarily for allowance of untrusted ssl certificates in external data sources.