
Move Commercial Certificate To New Zimbra Server

On 16 Oct 2011

Zimbra


If you’re having a new commercial certificate issued, you can use the GUI tools in the admin console to create a Certificate Signing Request (CSR) for your certificate authority, and then import the certificate and CA chain that they return.

If you’re migrating from an old server that already has a commercial certificate, you need to move the certificate, its private key and the CA chain across together, and that can’t be done via the admin console…

The page on Zimbra’s Wiki is quite old and doesn’t seem to work with ZCS v7; this adapted version does…

  1. On your old server, as root, make a copy of the SSL folder. It contains the private keys, so keep the copy somewhere only you can read
    • EG cp -rp /opt/zimbra/ssl /home/user/sslbk
    • EG chmod -R go-rwx /home/user/sslbk
  2. Delete any backup folders from within your copy so that only a zimbra folder exists
    • EG rm -rf /home/user/sslbk/zimbra.*
  3. Compress the folder into a file (the -C makes the archive unpack as sslbk/ rather than home/user/sslbk/)
    • EG tar cvzf /home/user/sslbk.tgz -C /home/user sslbk
  4. Copy the file to your new server (here via a Windows workstation with PuTTY’s pscp)
    • EG pscp user@oldmail.domain.com:/home/user/sslbk.tgz c:\temp\sslbk.tgz
    • EG pscp c:\temp\sslbk.tgz user@newmail.domain.com:/home/user/
  5. On the new server, move the existing SSL folder aside as a backup
    • mv /opt/zimbra/ssl/ /opt/zimbra/ssl_old
  6. Uncompress the file copied from the old server
    • cd /home/user && tar -xvzf sslbk.tgz
  7. Copy the folder into place under its new name, and make sure its ownership matches the folder you moved aside (check with ls -ld /opt/zimbra/ssl_old; by default it is the zimbra user)
    • cp -rp /home/user/sslbk /opt/zimbra/ssl
    • chown -R zimbra:zimbra /opt/zimbra/ssl
  8. Deploy the certificate. zmcertmgr first checks that commercial.crt matches the commercial.key now in /opt/zimbra/ssl, then appends the CA chain and installs the result for mailboxd, the MTA, LDAP and the proxy
    • EG /opt/zimbra/bin/zmcertmgr deploycrt comm /home/user/sslbk/zimbra/commercial/commercial.crt /home/user/sslbk/zimbra/commercial/commercial_ca.crt
  9. Restart Zimbra
    • su - zimbra
    • zmcontrol restart
  10. If services don’t start properly and the error is a PKIX path building failed (as in the output below), the Java trust store on the new server has no path to the certificate that LDAP is now presenting. Importing the certificate itself into cacerts makes Java trust that exact certificate, which gets the services up but is a pin rather than a chain fix: repeat the import (after a keytool -delete of the old alias) whenever the certificate is renewed
    • EG /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /home/user/sslbk/zimbra/commercial/commercial.crt
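
The whole procedure as one script, added here as an example and not taken from the original post or from Zimbra. The ZIMBRA_HOME default of /opt/zimbra, the function names and the default archive path /root/sslbk.tgz are assumptions; zmcertmgr and zmcontrol are Zimbra’s own tools, called exactly as in steps 8 and 9. It also adds a check the original steps do not have: before anything is deployed, openssl confirms that commercial.crt belongs to commercial.key, that commercial_ca.crt validates it, and that it is not about to expire.

```shell
#!/bin/sh
# Added example (not from the original post): the migration above as a script.
# ZIMBRA_HOME, the function names and the default archive path are assumptions;
# zmcertmgr/zmcontrol are Zimbra's own tools and are only called by "restore".
set -eu

ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"

# Old server (steps 1-3): copy the ssl folder, drop the zimbra.* backup folders,
# and pack the rest. The archive holds private keys, so it is created mode 0600.
pack_ssl_backup() {            # usage: pack_ssl_backup <ssl dir> <output .tgz>
    local src="$1" out="$2" work
    work="$(mktemp -d)"
    cp -a "$src" "$work/sslbk"                       # -a keeps modes (and owner, as root)
    find "$work/sslbk" -maxdepth 1 -type d -name 'zimbra.*' -exec rm -rf {} +
    (umask 077 && tar czf "$out" -C "$work" sslbk)   # subshell so the umask does not leak
    rm -rf "$work"
}

# New server (steps 5-7): move the existing ssl folder aside and unpack the
# copy in its place. Run as root so tar restores the original owner (zimbra).
restore_ssl_backup() {         # usage: restore_ssl_backup <sslbk.tgz> [zimbra home]
    local tgz="$1" home="${2:-$ZIMBRA_HOME}" work
    work="$(mktemp -d)"
    tar xzf "$tgz" -C "$work"
    if [ -d "$home/ssl" ]; then
        mv "$home/ssl" "$home/ssl_old"
    fi
    mv "$work/sslbk" "$home/ssl"
    rmdir "$work"
}

# Check the migrated files before step 8 touches the running system: the
# certificate must belong to the private key, the shipped CA chain must
# validate it, and it should not be about to expire (30 days here).
verify_commercial_cert() {     # usage: verify_commercial_cert <ssl dir>
    local d="$1/zimbra/commercial" certpub keypub
    certpub="$(openssl x509 -noout -pubkey -in "$d/commercial.crt")"
    keypub="$(openssl pkey -pubout -in "$d/commercial.key")"
    if [ "$certpub" != "$keypub" ]; then
        echo "commercial.crt does not match commercial.key" >&2; return 1
    fi
    # grep the textual verdict: old openssl releases exit 0 even when verify fails
    if ! openssl verify -CAfile "$d/commercial_ca.crt" "$d/commercial.crt" 2>&1 | grep -q ': OK$'; then
        echo "commercial_ca.crt does not validate commercial.crt" >&2; return 1
    fi
    if ! openssl x509 -noout -checkend 2592000 -in "$d/commercial.crt" >/dev/null; then
        echo "commercial.crt expires within 30 days" >&2; return 1
    fi
}

# Steps 8-9: deploy with Zimbra's own tool (run as root on ZCS 7) and restart.
deploy_commercial_cert() {     # usage: deploy_commercial_cert [zimbra home]
    local home="${1:-$ZIMBRA_HOME}" d="$home/ssl/zimbra/commercial"
    "$home/bin/zmcertmgr" deploycrt comm "$d/commercial.crt" "$d/commercial_ca.crt"
    su - zimbra -c "zmcontrol restart"
}

case "${1:-}" in
    pack)    pack_ssl_backup "$ZIMBRA_HOME/ssl" "${2:-/root/sslbk.tgz}" ;;
    restore) restore_ssl_backup "${2:-/root/sslbk.tgz}"
             verify_commercial_cert "$ZIMBRA_HOME/ssl"
             deploy_commercial_cert ;;
esac
```

Run it as root with the argument pack on the old server, copy the archive across with scp or pscp, then run it with restore on the new server. The verify function is also the check to reach for on its own if zmcertmgr reports that the certificate and key do not match: a mismatch there means the key in /opt/zimbra/ssl is not the one the certificate was issued for, so no amount of redeploying will help.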

Example output for the final steps of the procedure (host and certificate details anonymised):

root@mail:~# /opt/zimbra/bin/zmcertmgr deploycrt comm /home/user/sslbk/zimbra/commercial/commercial.crt /home/user/sslbk/zimbra/commercial/commercial_ca.crt
** Verifying /home/user/sslbk/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/home/user/sslbk/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /home/user/sslbk/zimbra/commercial/commercial.crt: OK
** Copying /home/user/sslbk/zimbra/commercial/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /home/user/sslbk/zimbra/commercial/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
root@mail:~# su - zimbra
zimbra@mail:~$ zmcontrol restart
Host mail.domain.com
    Stopping zmconfigd...Done.
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping cbpolicyd...Done.
    Stopping archiving...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping imapproxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
Host mail.domain.com
    Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
    Starting zmconfigd...Done.
    Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled! failed.

    Starting mailbox...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.

zimbra@mail:~$ exit
logout
root@mail:~# /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /home/user/sslbk/zimbra/commercial/commercial.crt
Owner: CN=mail.domain.com, OU=Comodo EV SSL, O=Company Limited, STREET=12 Some Road, L=City, ST=City, OID.2.5.4.17=Postcode, C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=London, OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=1234567
Issuer: CN=Trustworthy Extended Validation Secure Server CA, O=Trustworthy Limited, L=City, ST=County, C=GB
Serial number: 3df0ce4601e0a3e0d8e4196457014ac4

...
Lots of output, removed for brevity
...

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mail.domain.com
]

Trust this certificate? [no]: yes
Certificate was added to keystore
root@mail:~# su - zimbra
zimbra@mail:~$ zmcontrol restart
Host mail.domain.com
    Stopping zmconfigd...Done.
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping cbpolicyd...Done.
    Stopping archiving...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping imapproxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
Host mail.domain.com
    Starting ldap...Done.
    Starting zmconfigd...Done.
    Starting logger...Done.
    Starting mailbox...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.
zimbra@mail:~$

1 Comment to “Move Commercial Certificate To New Zimbra Server”

  1. Jack says:

    This was a great article, and it saved me during a disaster recovery. Thank you so much for writing this! I have a RapidSSL cert that is a pain to install under the best of circumstances, and moving the old store was far less painful.
