Difference between revisions of "Zimbra Certificate Replace"
Jump to navigation
Jump to search
(Created page with "# Zimbra SSL Cert Replace ## Links * https://www.ssls.com/knowledgebase/how-to-install-an-ssl-certificate-on-zimbra/ * https://www.digicert.com/kb/csr-creation-ssl-installati...") |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | + | =Zimbra SSL Cert Replace= | |
| − | + | ==Links== | |
* https://www.ssls.com/knowledgebase/how-to-install-an-ssl-certificate-on-zimbra/ | * https://www.ssls.com/knowledgebase/how-to-install-an-ssl-certificate-on-zimbra/ | ||
* https://www.digicert.com/kb/csr-creation-ssl-installation-zimbra.htm | * https://www.digicert.com/kb/csr-creation-ssl-installation-zimbra.htm | ||
| Line 7: | Line 7: | ||
* https://www.bitbull.ch/wiki/index.php/Openssl_Notes | * https://www.bitbull.ch/wiki/index.php/Openssl_Notes | ||
| − | + | ==Download Certificate (just valid for acme)== | |
* https://www.thesslstore.com/ | * https://www.thesslstore.com/ | ||
| − | + | * My Orders > Total Orders > "latest order with active status" > Download Certificate | |
| − | + | * Server Platform: nginx / File Type: Individual .crts (zipped) -> star_acme.com.pem file | |
| − | + | ==Backup current certificates== | |
<pre> | <pre> | ||
root@srv-pmail-01:~# backup /opt/zimbra/ssl/zimbra/commercial | root@srv-pmail-01:~# backup /opt/zimbra/ssl/zimbra/commercial | ||
| Line 22: | Line 22: | ||
</pre> | </pre> | ||
| − | + | ==Verify current Certificate== | |
<pre> | <pre> | ||
zimbra@srv-pmail-01:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm | zimbra@srv-pmail-01:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm | ||
| Line 58: | Line 58: | ||
</pre> | </pre> | ||
| − | + | ==Prepare new Certificate== | |
Create/Edit this tree files: | Create/Edit this tree files: | ||
<pre> | <pre> | ||
| Line 71: | Line 71: | ||
</pre> | </pre> | ||
| − | + | ==Verify new Certificate== | |
<pre> | <pre> | ||
root@srv-pmail-01:~# bash /tmp/openssl_check_cert_chain.sh /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt | root@srv-pmail-01:~# bash /tmp/openssl_check_cert_chain.sh /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt | ||
| Line 112: | Line 112: | ||
</pre> | </pre> | ||
| − | + | ==Deploy new Certficates== | |
<pre> | <pre> | ||
| − | root@ | + | root@acme-mail-01:~# su - zimbra |
| − | zimbra@ | + | zimbra@acme-mail-01:~$ cd /opt/zimbra/ssl/zimbra/commercial/ |
| − | zimbra@ | + | zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt |
** Verifying 'commercial.crt' against 'commercial.key' | ** Verifying 'commercial.crt' against 'commercial.key' | ||
Certificate 'commercial.crt' and private key 'commercial.key' match. | Certificate 'commercial.crt' and private key 'commercial.key' match. | ||
| Line 122: | Line 122: | ||
Valid certificate chain: commercial.crt: OK | Valid certificate chain: commercial.crt: OK | ||
| − | zimbra@ | + | zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr deploycrt comm commercial.crt commercial_ca.crt |
[...] | [...] | ||
# watch out for any errors | # watch out for any errors | ||
| − | zimbra@ | + | zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr viewdeployedcrt |
- imapd: /opt/zimbra/conf/imapd.crt | - imapd: /opt/zimbra/conf/imapd.crt | ||
notBefore=xxx | notBefore=xxx | ||
| Line 158: | Line 158: | ||
SubjectAltName=*.acme.com | SubjectAltName=*.acme.com | ||
| − | zimbra@ | + | zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcontrol restart |
Host mail01.acme.com | Host mail01.acme.com | ||
Stopping vmware-ha...Done. | Stopping vmware-ha...Done. | ||
Latest revision as of 10:32, 12 June 2023
Contents
1 Zimbra SSL Cert Replace
1.1 Links
- https://www.ssls.com/knowledgebase/how-to-install-an-ssl-certificate-on-zimbra/
- https://www.digicert.com/kb/csr-creation-ssl-installation-zimbra.htm
- https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
- https://www.bitbull.ch/wiki/index.php/Openssl_Notes
1.2 Download Certificate (just valid for acme)
- https://www.thesslstore.com/
- My Orders > Total Orders > "latest order with active status" > Download Certificate
- Server Platform: nginx / File Type: Individual .crts (zipped) -> star_acme.com.pem file
1.3 Backup current certificates
root@srv-pmail-01:~# backup /opt/zimbra/ssl/zimbra/commercial '/opt/zimbra/ssl/zimbra/commercial' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657' '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial_ca.crt' '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial.crt' '/opt/zimbra/ssl/zimbra/commercial/commercial.key' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial.key' '/opt/zimbra/ssl/zimbra/commercial/commercial.csr' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial.csr'
1.4 Verify current Certificate
zimbra@srv-pmail-01:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
zimbra@srv-pmail-01:/tmp$ openssl verify -CAfile /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
/opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
zimbra@srv-pmail-01:/tmp$ cd /tmp
zimbra@srv-pmail-01:/tmp$ wget https://raw.githubusercontent.com/joe-speedboat/linux.scripts/master/shell/openssl_check_cert_chain.sh
zimbra@srv-pmail-01:/tmp$ bash openssl_check_cert_chain.sh /opt/zimbra/ssl/zimbra/commercial/commercial.crt
0: subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
1: subject=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
2: subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
/opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
zimbra@srv-pmail-01:/tmp$ openssl x509 -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt -text -noout | head
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
77:66:55:44:33:22:11:77:66:55:44:33:22:11:11:11
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
Validity
Not Before: YYY
Not After: ZZZ
1.5 Prepare new Certificate
Create/Edit this tree files:
/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt # ca chain without server certificate /opt/zimbra/ssl/zimbra/commercial/commercial.crt # server certificate (note that old certs above hat ca included, which is wrong but no show stopper) /opt/zimbra/ssl/zimbra/commercial/commercial.key # private key
1.6 Verify new Certificate
root@srv-pmail-01:~# bash /tmp/openssl_check_cert_chain.sh /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
0: subject=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
1: subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt: OK
root@srv-pmail-01:~# cat /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt > /tmp/tmp.crt
root@srv-pmail-01:~# bash /tmp/openssl_check_cert_chain.sh /tmp/tmp.crt
0: subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
1: subject=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
2: subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
/tmp/tmp.crt: OK
root@srv-pmail-01:~# openssl x509 -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt -text -noout | head
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
Validity
Not Before: YYY
Not After: ZZZ
root@srv-pmail-01:~# su - zimbra
zimbra@srv-pmail-01:~$ cd /opt/zimbra/ssl/zimbra/commercial/
zimbra@srv-pmail-01:~/ssl/zimbra/commercial$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
Valid certificate chain: commercial.crt: OK
1.7 Deploy new Certficates
root@acme-mail-01:~# su - zimbra
zimbra@acme-mail-01:~$ cd /opt/zimbra/ssl/zimbra/commercial/
zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
Valid certificate chain: commercial.crt: OK
zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
[...]
# watch out for any errors
zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr viewdeployedcrt
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L =StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L =StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L =StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcontrol restart
Host mail01.acme.com
Stopping vmware-ha...Done.
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping convertd...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
Host mail01.acme.com
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting convertd...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.
