How to create a new CA on Zimbra 5.0

After I started my Zimbra server, I got an alert from it telling me that my CA did not match my domain. This is an example of the alert:

If you want to create a new CA for your Zimbra server, you can follow these steps:



[aoddy@zimbra ~]# su -
[root@zimbra ~]# rm -rf /opt/zimbra/ssl
[root@zimbra ~]# mkdir /opt/zimbra/ssl
[root@zimbra ~]# chown zimbra:zimbra /opt/zimbra/ssl

Switch to the zimbra user and remove the old CA and jetty entries from the two keystores. If keytool answers "Keystore was tampered with, or password was incorrect", the mailboxd keystore is not using the default password "zimbra"; read the real one with zmlocalconfig (as shown below) and repeat the delete with that password.


[root@zimbra ~]# su - zimbra
[zimbra@uranus ~]$ keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
[zimbra@uranus ~]$ keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
[zimbra@uranus ~]$ zmlocalconfig -s -m nokey mailboxd_keystore_password
cz3vJBeRZ

Edit the default values in /opt/zimbra/conf/zmssl.cnf.in so that they match your organisation and the mail server's hostname:


countryName_default = TH
stateOrProvinceName = Bangkok
localityName = Thailand
0.organizationName = Aoddy
organizationalUnitName = Aoddy
commonName = mail.aoddy.com #(eg, your name or your server's hostname)
commonName_default = mail.aoddy.com

Create the new CA.


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createca -new
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf…done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key…done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem…done.

Deploy the new CA.


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving CA in ldap…done.
** Copying CA to /opt/zimbra/conf/ca…done.

Create the certificate request for the self-signed certificate.


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createcsr self -new '/C=TH/ST=Bangkok/L=Thailand/O=Aoddy/CN=mail.aoddy.com'
** Generating a server csr for download self -new /C=TH/ST=Bangkok/L=Thailand/O=Aoddy/CN=mail.aoddy.com
subj=/C=TH/ST=Bangkok/L=Thailand/O=Asterluce/CN=mail.aoddy.com
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226155943
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.

Deploy the new certificate.


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deploycrt self -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226160014
** Creating /opt/zimbra/conf/zmssl.cnf…done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.
** Installing mta certificate and key…done.
** Installing slapd certificate and key…done.
** Installing proxy certificate and key…done.
** Installing CA to /opt/zimbra/conf/ca…done.

Check the new certificate.


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr viewcsr self
subject=/C=TH/ST=Bangkok/L=Thailand/O=Asterluce/CN=mail.asterluce.com
SubjectAltName=

Perfect !! :D

4 thoughts on "How to create a new CA on Zimbra 5.0"

  1. After you have generated the new certificate, you should generate a .der file for your web browser, too.

    cd ssl/
    ls
    cd zimbra
    ls
    cd ca/
    ls
    pwd
    openssl x509 -in ca.pem -out ca.der -outform DER

  2. Help me!!!

    root@mail:~# /opt/zimbra/bin/zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned…failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned…failed.
    ** Copying CA to /opt/zimbra/conf/ca…done.

  3. Hello

    Thanks for your excellent post. Can you help us?

    We use Zimbra 6.0 Open Source Edition on SUSE Linux.
    We need to generate a new certificate and we followed your procedure even though it was for 5.0.
    Everything seems good but we have the following:

    mailbox Stopped
    zmmailboxdctl is not running.

    and zmprov gives:

    [] INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused
    [] INFO: Retrying request
    ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)

    Do you have any idea?

    Thanks
    Best regards
