Zimbra Instructions for Recreating a Self-Signed SSL Certificate

This article contains information for ZCS 5.0.x. Read all instructions, paying particular attention to version-specific sections and notes, before attempting to recreate a self-signed SSL certificate. If you are using ZCS 5.0, it is recommended that you first try the Administration Console Certificates tool, discussed further in the Administration Console and CLI Certificate Tools article. This tool simplifies and speeds up the process of recreating a self-signed SSL certificate.

 

 

Back up existing certificates

  • This backs up the default certificates created by zmcreateca and zmcreatecert:
 tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/ 
  • This backs up the server's working certificate files:
 tar cf /tmp/zimbra-certs.tar \
 /opt/zimbra/conf/ca/ \
 /opt/zimbra/conf/*.crt \
 /opt/zimbra/conf/*.key \
 /opt/zimbra/conf/*.pem \
 /opt/zimbra/tomcat/conf/keystore \
 /opt/zimbra/java/jre/lib/security/cacerts 

 

 

Delete and re-create SSL Directory (as root)

 su -
 rm -rf /opt/zimbra/ssl
 mkdir /opt/zimbra/ssl
 chown zimbra:zimbra /opt/zimbra/ssl

Remove the self-signed root certificate from the cacerts keystore (as zimbra)

  • Linux
 keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit 

Delete the server cert from the mailboxd keystore (as zimbra)

 

 su - zimbra
 zmlocalconfig -s -m nokey mailboxd_keystore_password
  • For ZCS 5.0+ (mailboxd/jetty)

su - zimbra
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass <mailboxd_keystore_password>

Create the CA certificate (as zimbra)

  • for 5.* (as root)
 /opt/zimbra/bin/zmcertmgr createca -new 

Install server ca files

  • After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra, 4.*):

cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem

  • 5.* (as root)

/opt/zimbra/bin/zmcertmgr deployca -localonly

Create the server certificate (as root)

/opt/zimbra/bin/zmcertmgr createcsr self -new -subject "/C=IT/ST=FI/L=Firenze/\
O=Extranet srl/OU=ZCS/CN=mail.zimbramail.pro" -subjectAltNames \
"mail.zimbramail.pro,mail.atotoscanasud.it,mail.residenzarondinelli.it,\
mail.sitingegneria.it,mail.rentflorenceapartment.it,mail.baldinicambi.it"

 

/opt/zimbra/bin/zmcertmgr viewcsr self

 

/opt/zimbra/bin/zmcertmgr createcrt self -new -days 365 -subject \
"/C=IT/ST=FI/L=Firenze/O=Extranet srl/OU=ZCS/CN=mail.zimbramail.pro" -subjectAltNames \
"mail.zimbramail.pro,mail.atotoscanasud.it,mail.residenzarondinelli.it,\
mail.sitingegneria.it,mail.rentflorenceapartment.it,mail.baldinicambi.it"

 

Install the server certificate files (as root)

/opt/zimbra/bin/zmcertmgr deploycrt self

 /opt/zimbra/bin/zmcertmgr viewdeployedcrt
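
An added example, not part of the original article or of Zimbra's tooling: a pre-flight check for the -subjectAltNames value (a space left before a line continuation inside the quotes ends up in the list) and a post-deploy check that every expected name appears in the certificate. The function names and the example.test hostnames are assumptions made for illustration; missing_sans reads `openssl x509 -noout -text` output on standard input.

```shell
#!/bin/sh
# Added example: function names are hypothetical, hostnames are constructed.

# check_san_list LIST: report problems in a comma-separated
# -subjectAltNames value; returns 0 only when the list is clean.
check_san_list() {
    rc=0
    case $1 in
        *[[:space:]]*) echo "whitespace inside list"; rc=1 ;;
    esac
    case ",$1," in
        *,,*) echo "empty entry"; rc=1 ;;
    esac
    dups=$(printf '%s\n' "$1" | tr ',' '\n' | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate entry: $dups"; rc=1; }
    return "$rc"
}

# missing_sans LIST: read `openssl x509 -noout -text` output on stdin and
# print every name from LIST that has no exactly matching DNS: entry.
missing_sans() {
    have=$(tr ', ' '\n\n' | sed -n 's/^DNS://p')
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r name; do
        printf '%s\n' "$have" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed excerpt of certificate text, so the example runs offline.
sample_cert_text() {
    cat <<'EOF'
        Subject: C=XX, O=Example, OU=ZCS, CN=mail.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mail.example.test, DNS:alt1.example.test
EOF
}

expected="mail.example.test,alt1.example.test,alt2.example.test"
check_san_list "$expected" && echo "list ok"
echo "missing from certificate: $(sample_cert_text | missing_sans "$expected")"
```

On a live server, pipe the deployed certificate into the second function instead of the sample, for example `openssl s_client -connect <host>:443 </dev/null 2>/dev/null | openssl x509 -noout -text | missing_sans "$expected"`.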

 

 

 
