Monday, May 28, 2012

creat new cert in zimbra 6

As root:
mkdir -p /root/backup/ssl/zimbra
mv /opt/zimbra/ssl/zimbra /root/backup/ssl/zimbra
cd /opt/zimbra/bin/
zmcertmgr createca -new
zmcertmgr createcrt -new -days 365
zmcertmgr deploycrt self
zmcertmgr deployca
zmcertmgr viewdeployedcrt

I really hope this works for you.

*********************************

ZCS Certificate CLI

The ZCS Certificate CLI commands for 7.0.x, 6.0.x and 5.0.x differ from 4.5.x. The following sections discuss the CLI tools for each version.

ZCS 7.0.x, 6.0.x, and 5.0.x

zmcertmgr

This command allows you to manage certificates.

General Guidelines

Follow these guidelines when using this command.
  • This tool must be run as root
Commercial Certificate Guidelines
Follow these guidelines when using this command to generate a commercial certificate.
  • The private key must exist in the /opt/zimbra/ssl/zimbra/commercial directory, and must be named commercial.key with its permission set to 740
  • The server certificate and the chain certificate files must exist in a temp directory. (E.g. /root/certs/)
  • The chain certificate files must be concatenated into one file called commercial_ca.crt

Syntax

zmcertmgr [options]

Description


Name Description
General Options
-help Displays usage options for zmcertmgr
Self-Signed Certificate Options
createca [-new] Generates a Certificate Authority (CA). The -new option forces the generation of a new CA.
deployca Deploys a CA.
createcsr <self|comm> [-new] [-subject subject] [-subjectAltNames "host1,host2"] Creates a certificate signing request (CSR) for either a self or commercially signed certificate authority. The -new option forces the generation of a new CSR. The -subject option allows you to specify the path in which the certificate is valid. The -subjectAltNames option allows you to specify additional hosts that may use the certificate other than the one listed in the subject. The default subject is "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}".
createcrt [-new] [-days validation days] [-subject subject] [-subjectAltNames "host1,host2"] Creates a self-signed certificate based on the CSR generated using createcsr. The -new option forces the generation of a new certificate. The -days option assigns a number of days for which the certificate is valid. The -subject option allows you to specify the path in which the certificate is valid. The -subjectAltNames allows you to specify additional hosts that may use the certificate other than the one listed in the subject. The default subject is "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}".
deploycrt <self> Deploys a self-signed certificate.
Self-Signed and Commercial Certificate Options
deploycrt <comm> [certfile] [ca_chain_file] Deploys a commercial certificate. Specify the certificate file and the certificate authority (CA) chain file.
savecrt Saves a certificate
viewcsr <self|comm> [csr_file] Shows a certificate signing request (CSR). Specify self if the CSR is self-signed. Specify comm if the certificate is commercial. Specify the CSR file to view.
viewdeployedcrt [all|ldap|mta|proxy|mailboxd] Shows a deployed certificate. This option only works for the local server.
viewstagedcrt <self|comm> [certfile] Shows a staged certificate. A staged certificate is placed in a staging file, where all files that will be deployed with the certificate are kept. You can use the staging area to verify that you are ready to deploy a certificate. Specify self if the certificate is self-signed. Specify comm if the certificate is commercial. Specify the certificate file to view.
verifycrt <self|comm> [priv_key] [certfile] Verifies a certificate. Specify self if the certificate is self-signed. Specify comm if the certificate is commercial. Specify the certificate key. Specify the certificate file.
verifycrtchain <ca_file> <certfile> Verifies a certificate chain. Specify self if the certificate is self-signed. Specify comm if the certificate is commercial. Specify the certificate key. Specify the certificate file.

Examples

The following are examples of using the above options for different installation scenarios.
Single-Node Self-Signed Certificate
1. Begin by generating a new Certificate Authority (CA). 
 /opt/zimbra/bin/zmcertmgr createca -new
2. Then generate a certificate signed by the CA that expires in 365 days. 
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
3. Next deploy the certificate. 
 /opt/zimbra/bin/zmcertmgr deploycrt self
4. Next deploy the CA. 
 /opt/zimbra/bin/zmcertmgr deployca
5. To finish, verify the certificate was deployed to all the services. 
 /opt/zimbra/bin/zmcertmgr viewdeployedcrt
Multi-Node Self-Signed Certificate
1. Begin by generating a new Certificate Authority (CA). 
 /opt/zimbra/bin/zmcertmgr createca -new
2. Then generate a certificate signed by the CA that expires in 365 days with either wild-card or subject altnames. 
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=CA/L=NVA/O=ZCS/OU=ZCS/CN=*.domain.tld"
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subjectAltNames "host1.domain.tld,host2.domain.tld"
3. Next, deploy the certificate to all nodes in the deployment. 
 /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
4. To finish, verify the certificate was deployed. 
 /opt/zimbra/bin/zmcertmgr viewdeployedcrt
Note: The option viewdeployedcrt only works for the local server.
Single-Node Commercial Certificate
1. Begin by generating a Certificate Signing Request (CSR). 
 /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Yahoo/OU=Zimbra Collaboration Suite" -subjectAltNames host.example.com
2. Next, submit the CSR to the SSL provider and get a commercial certificate in PEM format. Save the new certificate to a temporary file (e.g. /tmp/commercial.crt).
3. Now, download and save the root Certificate Authority (CA) from your provider to a temporary file. (e.g. /tmp/ca.crt)
4. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)
5. Combine root and intermediary CAs into a temporary file. 
 cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt
6. Verify your commercial certificate. 
 /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
 **Verifying /tmp/commercial.crt against
 /opt/zimbra/ssl/zimbra/commercial/commercial.key
 Certificate (/tmp/commercial.crt) and private key
 (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
 Valid Certificate: /tmp/commercial.crt: OK
7. Deploy your commercial certificate. 
 /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
 ** Verifying /tmp/commercial.crt against
 /opt/zimbra/ssl/zimbra/commercial/commercial.key
 Certificate (/tmp/commercial.crt) and private key
 (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
 Valid Certificate: /tmpt/commercial.crt: OK
 **Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 **Appending ca chain /tmp/ca_chain.crt to
 /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 **Saving server config key zimbraSSLCeretificate…done.
 **Saving server config key zimbraSSLPrivateKey…done.
 **Installing mta certificate and key…done.
 **Installing slapd certificate and key…done.
 **Installing proxy certificate and key…done.
 **Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
 **Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.
 **Installing CA to /opt/zimbra/conf/ca…done.
8. To finish, verify the certificate was deployed. 
 /opt/zimbra/bin/zmcertmgr viewdeployedcrt
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)