Pegasi Wiki

This wiki acts as a memo for our own work, so why not share it? Feel free to browse and use our notes, and leave a note while you're at it.

Zimbra 8 is an email and collaboration suite, much like Exchange. When you create a certificate request with the standard Zimbra tools, the subject is automatically set to your server name, no matter what you pass on the command line. To use a service name as the subject, as we do, I had to create the request with OpenSSL, which was very straightforward.

Here are the steps:

  • Make a certificate signing request and a server key
    • RapidSSL only supports key sizes of 2048 bits or more
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr
  • Submit this request through the RapidSSL form and check that the subject is the DNS name you really use
    • Prepare a working email address to use with your certs
    • Prepare your phone for use with RapidSSL phone confirmation
    • Remember to click the confirmation link in the email you receive
  • Copy and paste the certificate from the end of the email you receive from RapidSSL into a file named server.crt, in the same directory as the server.key and server.csr created earlier
  • Ignore the intermediate CA included in the email. Get the GeoTrust root certificate and the RapidSSL CA bundle:
wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer
wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
  • Combine the two into a single ca_bundle.crt file
  • Verify that the certificate works with the bundle
  • Make a backup of your Zimbra commercial certificates
  • Place the new certificates in the right place
  • Add a line break after -----END CERTIFICATE----- to the files
cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > ca_bundle.crt
openssl verify -CAfile ca_bundle.crt server.crt
cp -a /opt/zimbra/ssl/zimbra/commercial /some/backup/dir
cp server.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp server.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp ca_bundle.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
  • Install the certs to Zimbra with zmcertmgr
/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
  • Restart Zimbra
su - zimbra
zmcontrol restart
  • Do a final check, using the appropriate port
openssl s_client -connect yourmailserver:443 -showcerts < /dev/null
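
The bundle steps above (combine the two files, add a line break after the END marker, verify) are where copy-pasted certificates most often break, because `cat` fuses two markers onto one line when a file lacks a final newline. The shell helpers below are an added example, not part of the original notes; the function names `pem_join`, `pem_check` and `key_matches_cert` are made up for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not from the original notes.

# pem_join OUT IN...: concatenate PEM files into OUT, dropping CRs left
# by copy-paste from e-mail and ending every input with a newline.
pem_join() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        tr -d '\r' < "$f" >> "$out"
        # $(tail -c 1) is empty only when the last byte is a newline
        [ -z "$(tail -c 1 "$out")" ] || printf '\n' >> "$out"
    done
}

# pem_check FILE: print the number of certificates and succeed only if
# every line containing '-----' is an exact certificate BEGIN or END
# marker. That rejects fused markers, stray whitespace and any other
# PEM block (for example a private key pasted into the CA bundle).
pem_check() {
    begin=$(grep -c -x -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c -x -e '-----END CERTIFICATE-----' "$1" || true)
    marks=$(grep -c -e '-----' "$1" || true)
    echo "$begin"
    [ "$begin" -gt 0 ] && [ "$begin" -eq "$end" ] &&
        [ "$marks" -eq $((begin + end)) ]
}

# key_matches_cert KEY CERT: succeed only if CERT carries the public key
# belonging to KEY (requires the openssl command-line tool).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

With the file names used on this page, `pem_join ca_bundle.crt GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem && pem_check ca_bundle.crt` builds and checks the bundle, and `key_matches_cert server.key server.crt` confirms the issued certificate belongs to the key before anything is copied into /opt/zimbra.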

That's all folks!
