Installing a GoDaddy certificate on Zimbra
In January we had to request and install a new certificate for our encrypted services.
While this went smoothly for our Apache and nginx proxies, installing the certificate on Zimbra turned out to be quite painful.
The instructions for installing a GoDaddy cert in the Zimbra wiki did not work for us:
Tomcat did not start up after we applied the new keystore.
Here is what worked for us. Hopefully it will help others:
1) Fresh keystore
If you don't have a keystore file yet, or want to be sure there is nothing useless or bad in it, create an empty keystore file. This is explained in more detail in the Zimbra wiki.
First pack your private key and certificate into a PKCS#12 file, which will be used to create the keystore:
openssl pkcs12 -inkey <your-ssl-key.key> -in <your-ssl-cert.crt> -export -out out.pkcs12
Then have Jetty create the keystore file from the PKCS#12 file (the Jetty download link is in the Zimbra wiki):
java -classpath $JETTY_HOME/lib/org.mortbay.jetty.jar org.mortbay.util.PKCS12Import out.pkcs12 keystore.fresh
The alias created initially, named '1', can be deleted:
sudo /opt/zimbra/java/bin/keytool -delete -alias 1 -keystore keystore.fresh
2) Create the combined certificate
Create a single PEM file that contains the _complete_ certificate chain: your own certificate first, followed by the GoDaddy intermediate and cross intermediate certificates.
Note: Make sure that each cert file ends with a newline! Otherwise the END marker of one certificate and the BEGIN marker of the next end up on the same line and the chain will not be read correctly.
cat <your-ssl-cert.crt> gd_intermediate.crt gd_cross_intermediate.crt > all.crt
3) Import the certificate
Import the chain into the new keystore. Note that the 'tomcat' alias is all that is needed:
keytool -import -alias tomcat -keystore keystore.fresh -trustcacerts -file all.crt
4) Install the keystore
Move the keystore to /opt/zimbra/tomcat/conf/keystore and restart Tomcat:
/opt/zimbra/bin/tomcat restart
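As an added example (not code from the original post or from Zimbra), the script below does the concatenation from step 2 without the trailing-newline trap and lists the checks worth running on the keystore from step 3 before it is moved into place in step 4. It assumes the file names used in the post, the 'tomcat' alias, and that the private key is still at hand as a PEM file; the PEM bodies it writes for its own dry run are constructed placeholders, not real certificates, and verify_keystore needs keytool and openssl on the box.

```shell
#!/bin/sh
# Added example, not code from the original post or from Zimbra.
#  build_chain     - concatenate PEM certificates in order, adding the newline a
#                    file may be missing (the problem the post's note warns about).
#  verify_keystore - checks on the finished keystore before Tomcat gets it.
# File names and the "tomcat" alias follow the post; the PEM bodies written by
# make_samples are constructed placeholders, not real certificates.
set -eu

# Usage: build_chain all.crt server.crt gd_intermediate.crt gd_cross_intermediate.crt
# Order matters: the server certificate first, then the intermediates towards the root.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        n=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
        if [ "$n" -ne 1 ]; then
            echo "build_chain: $f must contain exactly one certificate (found $n)" >&2
            return 1
        fi
        cat "$f" >> "$out"
        # tail -c1 prints the last byte; $(...) strips a trailing newline, so a
        # non-empty result means the file lacks one and we add it ourselves.
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
    # With plain cat a missing newline glues an END marker to the next BEGIN
    # marker on one line, and the parsers stop at the first certificate.
    if grep -q 'END CERTIFICATE-----.*BEGIN' "$out"; then
        echo "build_chain: END/BEGIN markers ran together in $out" >&2
        return 1
    fi
}

# Number of certificates in a PEM file.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Usage: verify_keystore keystore.fresh your-ssl-key.key <storepass>
# Needs keytool and openssl; not part of the offline dry run. The keystore
# password is passed in because the value for a given Zimbra box is an assumption.
verify_keystore() {
    ks=$1; key=$2; pass=$3
    listing=$(/opt/zimbra/java/bin/keytool -list -v -keystore "$ks" -storepass "$pass" -alias tomcat)
    # The alias must hold the private key. A trustedCertEntry means the key was
    # lost along the way and Tomcat has nothing to terminate TLS with.
    echo "$listing" | grep -Eq 'Entry type: (PrivateKeyEntry|keyEntry)' \
        || { echo "verify_keystore: alias tomcat is not a key entry" >&2; return 1; }
    # Leaf + GoDaddy intermediate + cross intermediate = 3.
    echo "$listing" | grep -q 'Certificate chain length: 3' \
        || { echo "verify_keystore: chain is incomplete" >&2; return 1; }
    # The certificate in the keystore must belong to the key the CSR was made from.
    ks_mod=$(/opt/zimbra/java/bin/keytool -export -rfc -keystore "$ks" -storepass "$pass" -alias tomcat \
             | openssl x509 -noout -modulus | openssl md5)
    key_mod=$(openssl rsa -noout -modulus -in "$key" | openssl md5)
    [ "$ks_mod" = "$key_mod" ] \
        || { echo "verify_keystore: certificate does not match $key" >&2; return 1; }
}

# Constructed sample input so build_chain can be exercised offline.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'TUFJTCBMRUFG' '-----END CERTIFICATE-----' \
        > "$d/mail.example.com.crt"
    # Deliberately no trailing newline: the case the post's note is about.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'R0QgSU5URVJNRURJQVRF' '-----END CERTIFICATE-----' \
        > "$d/gd_intermediate.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'R0QgQ1JPU1M=' '-----END CERTIFICATE-----' \
        > "$d/gd_cross_intermediate.crt"
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_samples)
    build_chain "$d/all.crt" "$d/mail.example.com.crt" "$d/gd_intermediate.crt" "$d/gd_cross_intermediate.crt"
    echo "certificates in $d/all.crt: $(cert_count "$d/all.crt")"
fi
```

Saved as, say, chaincheck.sh, `sh chaincheck.sh demo` runs the offline dry run; on the real box, source it and call `verify_keystore keystore.fresh your-ssl-key.key <storepass>` before step 4. If the listing shows the tomcat alias as a trustedCertEntry instead of a key entry, the private key is not in the keystore, which is the first thing to look at when Tomcat refuses to come up after the swap.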

October 29th, 2008 at 9:08 am
Hi,
did you do all of this on a multi-server Zimbra installation?
I am planning to do the same. I have to install certificates from our company's own CA.
My assumption so far was that I only need to replace the certificates on nginx, because that is where the SSL connections are terminated.
Do I now have to do all of this on the mailbox servers as well?
I am confused.
Cheers
Markus
October 29th, 2008 at 9:17 am
hi markus
please write english comments to english posts.
no, we're not running a multi-server installation.
as far as i know you'll need to install the certs in zimbra too to enable imap, pop and smtp over ssl. if you just want to run webmail via https you should be fine with installing the cert on nginx.
i don't know whether you can proxy all services via nginx and so need not install the cert on zimbra at all.
regards, harald