Zimbra 8 is an email and collaboration suite much like Exchange. When you use the standard Zimbra tools to create a certificate request, the subject is automatically set to your server name, no matter what you pass on the command line. To use the service name, as we do, I had to create the request with OpenSSL, which was very straightforward.
Here are the steps:
- make a certificate signing request and a server key
- RapidSSL supports only key sizes of 2048 and more
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr
- Submit this request through the RapidSSL form and check that your subject is the DNS name you really use
- Prepare a working email address to use with your certs
- Prepare your phone for use with RapidSSL phone confirmation
- Remember to click the confirmation link in the email you receive
- Copy and paste the certificate from the end of the email you receive from RapidSSL into a file server.crt, in the same directory as the earlier server.key and server.csr
- Ignore the intermediate CA you receive from your email. Get the Geotrust root certificate and RapidSSL CA bundle:
wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer
wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
- Combine the two into a single ca_bundle.crt file
- Verify that the certificate works with the bundle
- Make a backup of your Zimbra commercial certificates
- Place the new certificates in the right place
- Add a line break after -----END CERTIFICATE----- to the files
cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > ca_bundle.crt
openssl verify -CAfile ca_bundle.crt server.crt
cp -a /opt/zimbra/ssl/zimbra/commercial /some/backup/dir
cp server.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp server.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp ca_bundle.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
- Install the certs to Zimbra with zmcertmgr
/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
- Restart Zimbra
su - zimbra
zmcontrol restart
- Do a final check; use the appropriate port
openssl s_client -connect yourmailserver:443 -showcerts
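The checks in the steps above (subject is the service name, certificate verifies against the bundle) can be run in one pass before anything is copied into /opt/zimbra, together with a check that server.key really belongs to server.crt. This is an added example, not part of the original post; the function names are made up for illustration and mail.example.com is a placeholder service name.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the files created in the steps above.
# Function names are illustrative; mail.example.com is a placeholder.

# subject_cn req|x509 FILE: print the CN of a CSR or certificate subject.
# RFC 2253 name output keeps the format stable across OpenSSL versions.
subject_cn() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY CRT: succeed only if both carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# chain_ok BUNDLE CRT: succeed only if the certificate verifies against the bundle.
# The output is matched as well, because old OpenSSL releases may exit 0 on failure.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# precheck NAME KEY CRT BUNDLE: run every check, report each failure,
# and return non-zero if any of them failed.
precheck() {
    rc=0
    [ "$(subject_cn x509 "$3")" = "$1" ] ||
        { echo "certificate subject CN is not $1" >&2; rc=1; }
    key_matches_cert "$2" "$3" ||
        { echo "private key does not match certificate" >&2; rc=1; }
    chain_ok "$4" "$3" ||
        { echo "certificate does not verify against $4" >&2; rc=1; }
    return $rc
}

# Usage with the file names from the steps above:
#   subject_cn req server.csr        # before submitting the CSR
#   precheck mail.example.com server.key server.crt ca_bundle.crt
```

Because server.key was created with -nodes it is stored unencrypted, so keep it readable only by the account that needs it (for example chmod 600 server.key) while it sits in the working directory.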
That's all folks!