How to create a new CA on Zimbra 5.0

After I started my Zimbra server, I got an alert from it. It told me that my CA did not match my domain. This is an example alert:

If you want to create a new CA for your Zimbra server, you can follow these steps:




[aoddy@zimbra ~]# su -
[root@zimbra ~]# rm -rf /opt/zimbra/ssl
[root@zimbra ~]# mkdir /opt/zimbra/ssl
[root@zimbra ~]# chown zimbra:zimbra /opt/zimbra/ssl

Switch to the zimbra account:


[root@zimbra ~]# su - zimbra
[zimbra@uranus ~]$ keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
[zimbra@uranus ~]$ keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
[zimbra@uranus ~]$ zmlocalconfig -s -m nokey mailboxd_keystore_password
cz3vJBeRZ

Edit these details in the file /opt/zimbra/conf/zmssl.cnf.in:


countryName_default = TH
stateOrProvinceName = Bangkok
localityName = Thailand
0.organizationName = Aoddy
organizationalUnitName = Aoddy
commonName = mail.aoddy.com #(eg, your name or your server's hostname)
commonName_default = mail.aoddy.com

Create the new CA:


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createca -new
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf…done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key…done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem…done.

Deploy the new CA:


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving CA in ldap…done.
** Copying CA to /opt/zimbra/conf/ca…done.

Create a self-signed certificate request (CSR):


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createcsr self -new '/C=TH/ST=Bangkok/L=Thailand/O=Aoddy/CN=mail.aoddy.com'
** Generating a server csr for download self -new /C=TH/ST=Bangkok/L=Thailand/O=Aoddy/CN=mail.aoddy.com
subj=/C=TH/ST=Bangkok/L=Thailand/O=Asterluce/CN=mail.aoddy.com
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226155943
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.

Deploy the new certificate:


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deploycrt self -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226160014
** Creating /opt/zimbra/conf/zmssl.cnf…done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.
** Installing mta certificate and key…done.
** Installing slapd certificate and key…done.
** Installing proxy certificate and key…done.
** Installing CA to /opt/zimbra/conf/ca…done.

Check the new certificate:


[root@uranus ~]# /opt/zimbra/bin/zmcertmgr viewcsr self
subject=/C=TH/ST=Bangkok/L=Thailand/O=Asterluce/CN=mail.asterluce.com
SubjectAltName=

Perfect !! 😀
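
Since the original alert was a name mismatch, the subject printed by viewcsr is worth checking against the hostname clients actually use. The script below is an added example, not part of the original post and not Zimbra code: the function names are hypothetical, the sample input is constructed from the output format shown above, and the format of a non-empty SubjectAltName= line is an assumption.

```shell
#!/bin/sh
# Added example (not Zimbra code): compare certificate names with a hostname.

# Print the CN from a line such as "subject=/C=TH/.../CN=mail.example.com".
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/^subject=.*\/CN=\([^/]*\).*$/\1/p'
}

# Succeed if certificate name $1 covers hostname $2 (case-insensitive).
# A leading "*." covers exactly one label, never the bare domain.
name_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$name" = "$host" ] && return 0
    case "$name" in
        \*.*)
            suffix=${name#\*}            # e.g. ".example.com"
            label=${host%"$suffix"}      # what the "*" would have to cover
            [ "$label" != "$host" ] && [ -n "$label" ] || return 1
            case "$label" in *.*) return 1 ;; esac
            return 0 ;;
    esac
    return 1
}

# Read viewcsr-style output on stdin and report whether hostname $1 is covered.
# Assumption: a non-empty SubjectAltName= value is a comma-separated list of
# hostnames, optionally prefixed with "DNS:" (the page only shows it empty).
# Runs in a subshell so "set -f" (no globbing on "*.domain") stays local.
check_cert_names() (
    set -f
    want=$1; names=""
    while IFS= read -r line; do
        case "$line" in
            subject=*) names="$names $(subject_cn "$line")" ;;
            SubjectAltName=*)
                san=$(printf '%s' "${line#SubjectAltName=}" | sed 's/DNS://g' | tr ',' ' ')
                names="$names $san" ;;
        esac
    done
    for n in $names; do
        if name_matches "$n" "$want"; then echo "OK $n"; return 0; fi
    done
    echo "MISMATCH wanted=$want got=$(echo $names)"
    return 1
)

# Constructed input in the format of the viewcsr output shown above.
printf 'subject=/C=TH/ST=Bangkok/L=Thailand/O=Asterluce/CN=mail.asterluce.com\nSubjectAltName=\n' |
    check_cert_names mail.aoddy.com || true
```

On a live server the same check can be fed directly: `/opt/zimbra/bin/zmcertmgr viewcsr self | check_cert_names mail.aoddy.com`.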