Zimbra Certificate Replace
Jump to navigation
Jump to search
Contents
1 Zimbra SSL Cert Replace
1.1 Links
- https://www.ssls.com/knowledgebase/how-to-install-an-ssl-certificate-on-zimbra/
- https://www.digicert.com/kb/csr-creation-ssl-installation-zimbra.htm
- https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
- https://www.bitbull.ch/wiki/index.php/Openssl_Notes
1.2 Download Certificate (just valid for acme)
- https://www.thesslstore.com/
- My Orders > Total Orders > "latest order with active status" > Download Certificate
- Server Platform: nginx / File Type: Individual .crts (zipped) -> star_acme.com.pem file
1.3 Backup current certificates
root@srv-pmail-01:~# backup /opt/zimbra/ssl/zimbra/commercial '/opt/zimbra/ssl/zimbra/commercial' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657' '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial_ca.crt' '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial.crt' '/opt/zimbra/ssl/zimbra/commercial/commercial.key' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial.key' '/opt/zimbra/ssl/zimbra/commercial/commercial.csr' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial.csr'
1.4 Verify current Certificate
zimbra@srv-pmail-01:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
zimbra@srv-pmail-01:/tmp$ openssl verify -CAfile /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
/opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
zimbra@srv-pmail-01:/tmp$ cd /tmp
zimbra@srv-pmail-01:/tmp$ wget https://raw.githubusercontent.com/joe-speedboat/linux.scripts/master/shell/openssl_check_cert_chain.sh
zimbra@srv-pmail-01:/tmp$ bash openssl_check_cert_chain.sh /opt/zimbra/ssl/zimbra/commercial/commercial.crt
0: subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
1: subject=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
2: subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
/opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
zimbra@srv-pmail-01:/tmp$ openssl x509 -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt -text -noout | head
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
77:66:55:44:33:22:11:77:66:55:44:33:22:11:11:11
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
Validity
Not Before: YYY
Not After: ZZZ
1.5 Prepare new Certificate
Create/Edit this tree files:
/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt # ca chain without server certificate /opt/zimbra/ssl/zimbra/commercial/commercial.crt # server certificate (note that old certs above hat ca included, which is wrong but no show stopper) /opt/zimbra/ssl/zimbra/commercial/commercial.key # private key
1.6 Verify new Certificate
root@srv-pmail-01:~# bash /tmp/openssl_check_cert_chain.sh /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
0: subject=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
1: subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt: OK
root@srv-pmail-01:~# cat /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt > /tmp/tmp.crt
root@srv-pmail-01:~# bash /tmp/openssl_check_cert_chain.sh /tmp/tmp.crt
0: subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
1: subject=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
2: subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
/tmp/tmp.crt: OK
root@srv-pmail-01:~# openssl x509 -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt -text -noout | head
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
Validity
Not Before: YYY
Not After: ZZZ
root@srv-pmail-01:~# su - zimbra
zimbra@srv-pmail-01:~$ cd /opt/zimbra/ssl/zimbra/commercial/
zimbra@srv-pmail-01:~/ssl/zimbra/commercial$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
Valid certificate chain: commercial.crt: OK
1.7 Deploy new Certficates
root@acme-mail-01:~# su - zimbra
zimbra@acme-mail-01:~$ cd /opt/zimbra/ssl/zimbra/commercial/
zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
Valid certificate chain: commercial.crt: OK
zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
[...]
# watch out for any errors
zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr viewdeployedcrt
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L =StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L =StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L =StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcontrol restart
Host mail01.acme.com
Stopping vmware-ha...Done.
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping convertd...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
Host mail01.acme.com
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting convertd...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.
