CentOS 7.x Install SSL certificate in Zimbra
From Notes_Wiki
To install an SSL certificate in Zimbra use the following steps:
- Login into the admin console.
- Use the certificate wizard link on the homepage/dashboard, or look for the certificate option under Configure.
- Generate a CSR for sending to the certificate authority for signing. Note that if you already have a private key and certificate, replace /opt/zimbra/ssl/zimbra/commercial/commercial.key with your existing private key before continuing. If you are not planning to get the certificate signed by a recognized authority but want to use a self-signed certificate instead, run the following commands as the root user:
  - /opt/zimbra/bin/zmcertmgr createca -new
  - /opt/zimbra/bin/zmcertmgr createcrt -new -days 1825
  - /opt/zimbra/bin/zmcertmgr deploycrt self
  - /opt/zimbra/bin/zmcertmgr deployca
  - /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  - su -c "zmcontrol restart" - zimbra
- See "Getting certificates signed by recognized CA" or "Using namecheap wildcard SSL certificates for HTTPS" for purchasing a certificate and getting it signed by a recognized CA.
- After the CSR is signed by the certificate authority, download both the root CA and the intermediate CA certificates and combine them into a single file using:
  - cat /tmp/root-ca.crt /tmp/intermediate-ca.crt > /tmp/combined.crt
  This requires the .crt or .pem files to be in PEM form, i.e. text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. Refer to Openssl for the different certificate encodings and for converting from one form to another.
- After this, verify that the certificate, private key and CA chain are consistent using:
  - /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/signed_server_certificate.crt /tmp/combined.crt
- If verification succeeds, deploy the certificate together with its CA chain using:
  - /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/signed_server_certificate.crt /tmp/combined.crt
  Note that deploycrt does not take the path to the private key; it uses the key already present at /opt/zimbra/ssl/zimbra/commercial/commercial.key.
- Look at the deployed certificate:
  - /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- Restart Zimbra for the changes to take effect:
  - su -c "zmcontrol restart" - zimbra
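The two checks that zmcertmgr verifycrt performs (does the private key match the certificate, and does the CA file actually complete the chain) can be reproduced with plain openssl before touching Zimbra. The script below is an added example, not from this wiki page or from Zimbra: it builds a constructed root CA, intermediate CA and wildcard server certificate in a temporary directory, then shows that verification against the root alone fails (the "unable to get local issuer certificate" error seen later on this page) and succeeds once root and intermediate are combined into one file. All file names (root.crt, inter.crt, web.crt, combined.crt) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Zimbra commercial certificate using openssl.
# The chain built here is constructed for illustration only.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# pem_has_cert FILE: true if FILE carries the PEM markers zmcertmgr expects in .crt/.pem inputs
pem_has_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# key_matches_cert KEY CERT: true if the public key in KEY equals the one in CERT
key_matches_cert() {
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    pub_from_crt=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$pub_from_key" = "$pub_from_crt" ]
}

# chain_verifies CAFILE CERT: true if CERT chains to a CA in CAFILE (zmcertmgr's "Valid Certificate ... OK")
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_constructed_chain: self-signed root -> intermediate (CA:TRUE) -> wildcard leaf, in $WORK
build_constructed_chain() {
    cd "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Constructed-Root \
        -keyout root.key -out root.crt >/dev/null 2>&1 || return 1
    printf 'basicConstraints=CA:TRUE\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -subj /CN=Constructed-Intermediate \
        -keyout inter.key -out inter.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in inter.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out inter.crt >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
        -keyout web.key -out web.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in web.csr -CA inter.crt -CAkey inter.key \
        -CAcreateserial -out web.crt >/dev/null 2>&1 || return 1
    # the combine step from the procedure above: root and intermediate in one file
    cat root.crt inter.crt > combined.crt
}

# Stand-alone run: build the chain and report the three checks for the constructed files
build_constructed_chain || exit 1
chain_verifies "$WORK/root.crt" "$WORK/web.crt" && echo "root alone: OK" || echo "root alone: FAIL (expected)"
chain_verifies "$WORK/combined.crt" "$WORK/web.crt" && echo "combined chain: OK" || echo "combined chain: FAIL"
```

Running it with the real commercial.key, signed certificate and combined.crt in place of the constructed files tells you before deploycrt whether Zimbra will accept them.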
Note that trying to install the certificate via the GUI installation wizard failed, while the same server certificate, root certificate, intermediate certificate, etc. worked from the command line. Hence use the command line for installing a Zimbra SSL certificate.
Example terminal I/O of certificate installation:
    #Need to run certificate command as root user
    [root@mail ~]# su - zimbra
    [zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
    /opt/zimbra/bin/zmcertmgr must be run as user root
    [zimbra@mail ~]$ exit
    logout

    #Need to combine intermediate and root CA using cat
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
    ** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: /tmp/web.crt: C = IN, ST = Telangana, L = Hyderabad, O = Example, CN = *.example.com
    error 20 at 0 depth lookup:unable to get local issuer certificate
    [root@mail ~]# cat /tmp/*.{pem,crt}
    DigiCert_Global_Root_CA.pem  inter.crt  web.crt
    [root@mail ~]# cat /tmp/DigiCert_Global_Root_CA.pem /tmp/inter.crt > /tmp/combined.crt
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
    ** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /tmp/web.crt: OK

    ##Wrong set of arguments in next command
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    unable to load certificate
    139915522893480:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
    XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
    XXXXX ERROR: provided cert isn't valid.

    #Correct command
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/web.crt /tmp/combined.crt
    ** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /tmp/web.crt: OK
    ** Copying /tmp/web.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /tmp/combined.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    [root@mail ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    ::service mta::
    ...redacted...
    ::service proxy::
    ...redacted...
    ::service mailboxd::
    ...redacted...
    ::service ldap::
    ...redacted...

    [root@mail ~]# su - zimbra
    [zimbra@mail ~]$ zmcontrol restart
    Host example.com
        Stopping vmware-ha...skipped.
            /opt/zimbra/bin/zmhactl missing or not executable.
        Stopping zmconfigd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...Done.
    Host example.com
        Starting ldap...Done.
        Starting zmconfigd...Done.
        Starting dnscache...Done.
        Starting logger...Done.
        Starting mailbox...Done.
        Starting memcached...Done.
        Starting proxy...Done.
        Starting amavis...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting opendkim...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
        Starting service webapp...Done.
        Starting zimbra webapp...Done.
        Starting zimbraAdmin webapp...Done.
        Starting zimlet webapp...Done.
    [zimbra@mail ~]$