Installing a GoDaddy certificate on Zimbra
In January we had to request and install a new certificate for our encrypted services.
While this worked out well for our Apache and nginx proxies, installing the certificate on Zimbra turned out to be quite painful.
The instructions for Installing a GoDaddy cert in the Zimbra wiki did not work for us.
Tomcat did not start up after we applied our new keystore.
Here is what worked out for us. Hopefully this will help others:
1) Fresh Keystore
If you don’t have a keystore file yet, or want to be sure there is nothing useless or bad in it, create a fresh keystore file. This is explained in more detail in the Zimbra wiki.
First export your private key and certificate into a PKCS#12 file, which will then be used to create the keystore (openssl asks for an export password; you will need it again in the next step):
# openssl pkcs12 -inkey <your-ssl-key.key> -in <your-ssl-cert.crt> -export -out out.pkcs12
Then have Jetty’s PKCS12Import class create the keystore file from the PKCS#12 (the Jetty download link is in the Zimbra wiki). It prompts for the input passphrase (the export password from above) and for the output passphrase; the latter becomes the keystore password and has to match what Zimbra’s Tomcat is configured with (the keystorePass of the SSL connector in /opt/zimbra/tomcat/conf/server.xml):
java -classpath $JETTY_HOME/lib/org.mortbay.jetty.jar org.mortbay.util.PKCS12Import out.pkcs12 keystore.fresh
The alias the import creates is named ‘1’. It can be deleted, but list the keystore with keytool first and make sure you are not removing the only entry that holds your private key: Tomcat needs a key entry (private key plus certificate chain), not merely a trusted certificate, under the alias its SSL connector uses:
sudo /opt/zimbra/java/bin/keytool -delete -alias 1 -keystore keystore.fresh
2) Create combined certificate
Create a single file that contains the _complete_ certificate chain, in order: your server certificate first, then the GoDaddy intermediate, then the GoDaddy cross-signed intermediate (the result is a plain concatenation of PEM certificates, not a PKCS#7 file).
Note: Make sure that each cert file ends with a newline! Otherwise the END marker of one certificate and the BEGIN marker of the next end up on the same line, and the chain is read as truncated.
# cat <your-ssl-cert.crt> gd_intermediate.crt gd_cross_intermediate.crt > all.crt
3) Import the certificate
Import the chain into the new keystore. Note that the ‘tomcat’ alias is all that’s needed; the intermediates do not have to be imported under separate aliases, they travel with the chain:
# keytool -import -alias tomcat -keystore keystore.fresh -trustcacerts -file all.crt
4) Install the keystore
Back up the existing /opt/zimbra/tomcat/conf/keystore, move the new keystore to /opt/zimbra/tomcat/conf/keystore (it must be readable by the zimbra user),
and restart Tomcat:
/opt/zimbra/bin/tomcat restart
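As an added example, not code from the original post or from Zimbra, the shell helpers below automate the two places where this procedure tends to go wrong: building the combined chain file so that every certificate really ends with a newline (step 2), and checking the keystore before it is installed (steps 3 and 4). The file names server.crt, gd_intermediate.crt, gd_cross_intermediate.crt and keystore.fresh, the alias tomcat and the store password are assumptions taken from the placeholders above. The demonstration at the bottom runs on constructed PEM-shaped text rather than real certificates; verify_chain and keystore_key_entry need openssl and keytool plus your real files.

```shell
#!/bin/sh
# Added example, not code from the original post or from Zimbra.
# Assumed names (hypothetical, taken from the post's placeholders): server.crt,
# gd_intermediate.crt, gd_cross_intermediate.crt, keystore.fresh, alias "tomcat".

# build_chain OUT FILE... -- concatenate PEM files into OUT, appending a newline
# to any file that lacks a trailing one. Without this the END marker of one
# cert and the BEGIN marker of the next land on one line and the chain parses
# as truncated, which is the pitfall step 2 warns about.
build_chain() {
    out="$1"
    shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        if [ "$(tail -c 1 "$f" | wc -l | tr -d ' ')" -eq 0 ]; then
            printf '\n' >> "$out"
        fi
    done
}

# count_certs FILE -- print the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# chain_is_wellformed FILE -- succeed only if BEGIN/END markers pair up and every
# BEGIN marker sits alone on its line (a glued marker means a newline is missing)
chain_is_wellformed() {
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] &&
        ! grep -- 'BEGIN CERTIFICATE' "$1" | grep -qv '^-----BEGIN CERTIFICATE-----$'
}

# verify_chain SERVER_CERT CHAIN -- check that SERVER_CERT chains up to a root in
# the system trust store via the intermediates in CHAIN (needs openssl)
verify_chain() {
    openssl verify -untrusted "$2" "$1"
}

# keystore_key_entry KEYSTORE ALIAS STOREPASS -- succeed only if ALIAS is a key
# entry (private key plus chain). Tomcat's SSL connector needs exactly that; a
# trustedCertEntry under the alias means the private key is not in the keystore.
keystore_key_entry() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null |
        grep -Eq 'Entry type: *(PrivateKeyEntry|keyEntry)'
}

# keystore_chain_length KEYSTORE ALIAS STOREPASS -- print how many certificates
# are stored with the key; expect 3 for server cert + two GoDaddy intermediates
keystore_chain_length() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null |
        sed -n 's/^Certificate chain length: *//p'
}

# Demonstration on constructed PEM-shaped input (not real certificates): the
# middle file deliberately lacks a trailing newline, the case the post warns about.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$d/server.crt"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' > "$d/gd_intermediate.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CCCC' '-----END CERTIFICATE-----' > "$d/gd_cross_intermediate.crt"
    # plain cat, as in step 2, versus build_chain
    cat "$d/server.crt" "$d/gd_intermediate.crt" "$d/gd_cross_intermediate.crt" > "$d/naive.crt"
    build_chain "$d/all.crt" "$d/server.crt" "$d/gd_intermediate.crt" "$d/gd_cross_intermediate.crt"
    if chain_is_wellformed "$d/naive.crt"; then echo "cat: ok"; else echo "cat: BROKEN (glued markers)"; fi
    if chain_is_wellformed "$d/all.crt"; then echo "build_chain: ok, $(count_certs "$d/all.crt") certs"; else echo "build_chain: BROKEN"; fi
    rm -rf "$d"
}
demo
```

Run the real thing as `build_chain all.crt server.crt gd_intermediate.crt gd_cross_intermediate.crt`, then `verify_chain server.crt all.crt`, and after the keytool import `keystore_key_entry keystore.fresh tomcat "$STOREPASS" && keystore_chain_length keystore.fresh tomcat "$STOREPASS"`; if the alias is not a key entry or the chain length is 1, Tomcat will not serve the intermediates and browsers will complain, so fix the keystore before copying it into /opt/zimbra/tomcat/conf.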
