How to create a new CA on Zimbra 5.0

After I started my Zimbra server, I had an alert from my server. It told me that my CA was mismatched with my domain. This is an example alert:

If you want to create a new CA for your Zimbra server, you can follow these steps:



[aoddy@zimbra ~]# su -
[root@zimbra ~]# rm -rf /opt/zimbra/ssl
[root@zimbra ~]# mkdir /opt/zimbra/ssl
[root@zimbra ~]# chown zimbra:zimbra /opt/zimbra/ssl

Switch to the zimbra account:


[root@zimbra ~]# su - zimbra
[zimbra@uranus ~]$ keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
[zimbra@uranus ~]$ keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
[zimbra@uranus ~]$ zmlocalconfig -s -m nokey mailboxd_keystore_password
cz3vJBeRZ

Edit some details in the file /opt/zimbra/conf/zmssl.cnf.in:


countryName_default = TH
stateOrProvinceName = Bangkok
localityName = Thailand
0.organizationName = Aoddy
organizationalUnitName = Aoddy
commonName = mail.aoddy.com #(eg, your name or your server's hostname)
commonName_default = mail.aoddy.com

Create new CA.


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createca -new
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf…done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key…done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem…done.

Deploy new CA


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving CA in ldap…done.
** Copying CA to /opt/zimbra/conf/ca…done.

Create a self-signed certificate


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createcsr self -new '/C=TH/ST=Bangkok/L=Thailand/O=Aoddy/CN=mail.aoddy.com'
** Generating a server csr for download self -new /C=TH/ST=Bangkok/L=Thailand/O=Aoddy/CN=mail.aoddy.com
subj=/C=TH/ST=Bangkok/L=Thailand/O=Asterluce/CN=mail.aoddy.com
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226155943
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.

Deploy the new certificate.


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deploycrt self -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226160014
** Creating /opt/zimbra/conf/zmssl.cnf…done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.
** Installing mta certificate and key…done.
** Installing slapd certificate and key…done.
** Installing proxy certificate and key…done.
** Installing CA to /opt/zimbra/conf/ca…done.

Check the new certificate.


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr viewcsr self
subject=/C=TH/ST=Bangkok/L=Thailand/O=Asterluce/CN=mail.asterluce.com
SubjectAltName=

Perfect !! :D
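
The last step compares the subject by eye. As an added example (not part of the original post), this script checks that a subject line like the one viewcsr prints carries the expected hostname, and that the deployed certificate chains to the new CA. The function names are made up for this example; the file paths and hostname in the usage comment are the ones used above.

```shell
#!/bin/sh
# Added example: post-deployment checks for the steps above.

# Print the CN found in a "subject=" line. Handles the slash form shown on
# this page (/C=TH/.../CN=host) and the comma form that newer OpenSSL
# releases print (C = TH, ..., CN = host).
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^/,]*\).*|\1|p' | sed 's| *$||'
}

# Return 0 only if the CN in the subject line equals the expected hostname.
# Hostnames are compared case-insensitively; an absent CN never matches.
cn_matches() {
    cn=$(subject_cn "$1" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ "$cn" = "$want" ]
}

# Check a deployed certificate: it must verify against the CA and its CN
# must be the hostname that clients connect to.
# Usage (run as root or zimbra on the mail server):
#   check_deployed /opt/zimbra/ssl/zimbra/ca/ca.pem \
#                  /opt/zimbra/ssl/zimbra/server/server.crt mail.aoddy.com
check_deployed() {
    ca=$1 crt=$2 host=$3
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "FAIL: $crt does not verify against $ca"; return 1; }
    subj=$(openssl x509 -in "$crt" -noout -subject) || return 1
    cn_matches "$subj" "$host" || {
        echo "FAIL: CN '$(subject_cn "$subj")' does not match $host"; return 1; }
    echo "OK: $crt verifies against $ca and is issued for $host"
}
```

A non-zero exit status from check_deployed means the certificate would trigger the same kind of mismatch alert that started this post.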


3 Comments »

Comment by aoddy
2009-05-13 14:29:55

After you have finished generating a new certificate, you should generate a .der file for your web browser, too.

cd ssl/
ls
cd zimbra
ls
cd ca/
ls
pwd
openssl x509 -in ca.pem -out ca.der -outform DER

 
Comment by Help
2009-07-31 17:27:00

Help me!!!

root@mail:~# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving global config key zimbraCertAuthorityCertSelfSigned…failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned…failed.
** Copying CA to /opt/zimbra/conf/ca…done.

 
 

© 2008 STORY of AODDY. is powered by WordPress
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Thailand license.