====== Zimbra SSL - Redirection and Commercial Certificates ======

See also **[[internet:mail:zimbra:zimbra_ssl_letsencrypt|Using LetsEncrypt SSL Certificates with Zimbra]]**

**Useful for Wildcard Certs**:
  * https://www.digicert.com/csr-creation-ssl-installation-zimbra.htm
  * http://wiki.zimbra.com/wiki/Transfer_SSL_certificates_between_servers
  * http://wiki.zimbra.com/wiki/SSL_certificates_per_domain
  * http://jamesreubenknowles.com/adding-a-godaddy-ssl-certificate-to-zimbra-7-1360
  * http://www.zimbra.com/forums/administrators/48461-solved-fyi-how-i-got-godaddy-ssl-certificate-installed-into-zimbra-7-a.html

===== Certificate Checker =====

https://www.digicert.com/help/

===== Force the Use of SSL =====

:!: Newer Zimbra installers install the proxy component by default. Check which case applies to your host before choosing a method below: with the proxy enabled, nginx terminates TLS and the redirect has to be configured on the proxy, not on mailboxd. The redirect only covers the web client; IMAP, POP and SMTP have their own TLS settings.

==== No Proxy ====

http://wiki.zimbra.com/wiki/CLI_zmtlsctl_to_set_Web_Server_Mode

This redirects all HTTP connections to HTTPS. Run it as the ''zimbra'' user; a restart of mailboxd is enough to apply the change (a full reboot also works):

<code bash>
su - zimbra
zmtlsctl redirect
zmmailboxdctl restart
exit
</code>

==== With Proxy ====

http://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy#Protocol_Requirements_Including_HTTPS_Redirect

Replace ''proxy.server.name'' with the hostname of the server running the proxy, then restart the proxy (or reboot):

<code bash>
zmprov ms proxy.server.name zimbraReverseProxyMailMode redirect
zmproxyctl restart
</code>

===== Commercial Certificates =====

:!: If you have problems when installing or renewing a commercial cert, try installing a self-signed cert first (see **Self-Signed Certificates** below), then install the commercial cert.

:!: If you continue to have problems, use the CLI (''zmcertmgr'') instead of the admin console.
  * http://www.andrewklau.com/adding-my-own-wildcard-ssl-certificate-to-zimbra-collabration-server-8/
  * http://www.sononaco.com/blog/wildcard-comodo-ssl-chains-and-zimbra/
  * https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools

**Zimbra Admin -> Configure -> Certificates -> (gear icon) -> Install Certificates**

:!: Comodo commercial certificate example

  - Run the certificate wizard and generate a CSR
    * If renewing, you can reuse the existing CSR; this keeps the existing private key, so generate a new CSR if you want to rotate the key
  - Order the SSL certificate using the CSR you just created
  - Run the certificate wizard again to install the commercial cert you purchased
  - Add a second intermediate CA certificate field if necessary
    * Click the link ''Add Intermediate CA''
  - Load the new server certificate
    * ''mail_yourdomain_com.crt''
  - Load the root CA certificate
    * ''AddTrustExternalCARoot.crt''
  - Load the first intermediate cert that came with your server certificate
    * ''COMODORSAAddTrustCA.crt''
  - Load the second intermediate cert that came with your server certificate
    * ''COMODORSADomainValidationSecureServerCA.crt''
  - Click ''Install''

:!: If any errors are thrown, double-check that you are using the correct root and intermediate certificates; a wrong or missing intermediate is the usual cause. The file names above are the ones Comodo shipped at the time this was written; use the chain that came with your own certificate. Note that the AddTrust External CA Root expired on 30 May 2020, so a chain anchored on it no longer validates on current clients.

==== Comodo ====

:!: If the GUI cert installation fails, create and install a new self-signed cert, reboot, then use the CLI to install the new cert.

https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration

:!: On ZCS 8.7 and later ''zmcertmgr'' is run as the ''zimbra'' user; on earlier releases it is run as ''root''.

**Generate the CSR** (this creates both the certificate signing request and the private key), either in the Zimbra Admin Console (ZAC):

**ZAC -> Configure -> Certificates -> YourZimbraHostName -> Gear Icon -> Install New Certificate**

or on the CLI. Put every hostname that clients connect to into the SAN list; browsers match the SAN list, not the CN:

<code bash>
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Zimbra/OU=Zimbra Collaboration Suite/CN=host.example.com" -subjectAltNames "name2.example.com,example.com"
</code>

The CSR is written to ''/opt/zimbra/ssl/zimbra/commercial/commercial.csr'' and the private key to ''commercial.key'' in the same directory; keep the key there, ''deploycrt comm'' expects it in that location.

**Purchase the SSL certificate** using the CSR just created.
Create the file ''commercial_ca.crt'' by concatenating the 3 files that Comodo sent to you. Order them as a TLS server sends them: the intermediate that signed your certificate first, the next intermediate after it, and the root last. Older clients reject a chain that is out of order. CLI example:

<code bash>
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > commercial_ca.crt
</code>

**Install the SSL certificate** (as ''root'' before ZCS 8.7, as ''zimbra'' from 8.7 on). ''deploycrt'' verifies that the key, certificate and chain belong together and refuses to deploy a mismatched set, which is where a wrong intermediate shows up. Afterwards run ''zmcontrol restart'' as ''zimbra'' so that mailboxd, the proxy and the MTA pick up the new certificate:

<code bash>
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
</code>

===== Self-Signed Certificates =====

:!: If your self-signed cert expires, or **if you have problems when installing a commercial cert**, use one of the procedures below to rebuild the SSL configuration with a self-signed certificate. Clients cannot validate a self-signed certificate, so treat this as a recovery step and install a trusted certificate afterwards.

==== Newest Quickie Renew Expired Self-Signed SSL Certificate ====

To list certificates that expire within one day, run the following as the ''zimbra'' user:

<code bash>
/opt/zimbra/libexec/zmcheckexpiredcerts -days 1 -verbose
</code>

To regenerate the Zimbra CA and the self-signed server certificate, run the following as ''root'' (the ''su'' wrappers switch to the ''zimbra'' user for each command):

<code bash>
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
</code>

==== Quickie Renew Expired Self-Signed SSL Certificate ====

Create and deploy a new ten-year server certificate signed by the existing Zimbra CA, then restart the services:

<code bash>
su - zimbra
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
zmcontrol restart
</code>

==== SSL Rebuild Script ====

:!: This script wipes ''/opt/zimbra/ssl'' completely, including any commercial certificate and its private key stored there. Back that directory up first. Run it as ''root''.

<code bash>
##################################################
# Regenerate SSL Cert
##################################################
su - zimbra -c 'zmcontrol stop'
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
# Remove the old Zimbra CA from the Java truststore and the old server cert
# from the jetty keystore. The JDK directory name changes with the bundled
# Java version; check /opt/zimbra/common/lib/jvm/ for the one on your host.
/opt/zimbra/common/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/common/lib/jvm/openjdk-1.8.0_172-zimbra/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
# New CA and server cert. deployca runs with -localonly because LDAP is
# stopped; the CA is pushed into LDAP again below once services are up.
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca -localonly'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
su - zimbra -c 'zmcontrol start'
# Deploy again with LDAP running so the new cert and CA are stored in LDAP,
# then refresh the ssh keys used for multi-server management and show the result.
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'
su - zimbra -c 'zmupdateauthkeys'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr viewdeployedcrt'
</code>
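The commercial-certificate procedure above fails most often for one of three reasons: the intermediates in ''commercial_ca.crt'' are wrong or in the wrong order, the certificate does not belong to the private key that ''createcsr'' generated, or the certificate does not name every hostname clients use. The script below is an added example written for this page; it is not from the Zimbra wiki and not part of Zimbra's own tooling. It assumes only that ''openssl'' (1.1.1 or newer) is on the PATH; the file names, the hostname ''mail.example.com'' and the throwaway root/intermediate/server PKI that ''make_test_pki'' builds are constructed for illustration. Its ''days_left'' check is the offline counterpart of the ''zmcheckexpiredcerts'' call in the Self-Signed Certificates section.

```bash
#!/bin/bash
# Added example for this page; not Zimbra code. Pre-flight checks for a
# commercial certificate set before it is handed to "zmcertmgr deploycrt comm".
# Assumes only openssl 1.1.1+ on PATH. File names and hostnames are illustrative;
# the PKI created by make_test_pki is constructed test data, not a real CA.

# Assemble the CA bundle in the order TLS expects: the intermediate that signed
# the server certificate first, further intermediates next, the root last.
#   usage: build_ca_bundle OUTFILE ROOT INTERMEDIATE...
build_ca_bundle() {
    local out="$1" root="$2"
    shift 2
    cat "$@" "$root" > "$out"
}

# Return 0 if the private key belongs to the certificate (identical public key).
key_matches_cert() {
    local key_pub crt_pub
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Return 0 if the bundle holds every issuer needed to reach a self-signed root.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" > /dev/null 2>&1
}

# Return 0 if the certificate is valid for the hostname (SAN list, else CN).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Print whole days until notAfter (negative once the certificate has expired).
days_left() {
    local end_txt end now
    end_txt=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end=$(date -d "$end_txt" +%s 2>/dev/null \
        || date -j -f '%b %e %T %Y %Z' "$end_txt" +%s)   # GNU date, then BSD date
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# Build a throwaway root -> intermediate -> server chain so the checks can be
# exercised offline. Constructed test data only.
make_test_pki() {
    local d="$1"
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com,DNS:example.com\n' > "$d/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.com' \
        -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null
    openssl x509 -req -in "$d/commercial.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 365 -extfile "$d/leaf.ext" -out "$d/commercial.crt" 2>/dev/null
}

# Run every check against one set of files; one line per check, non-zero exit
# if any check fails, so it can gate the deploycrt call in a wrapper script.
preflight() {
    local key="$1" crt="$2" bundle="$3" host="$4" rc=0
    key_matches_cert "$key" "$crt" && echo "key/cert: match" || { echo "key/cert: MISMATCH"; rc=1; }
    chain_verifies "$crt" "$bundle" && echo "chain: complete" || { echo "chain: BROKEN (wrong or missing intermediate?)"; rc=1; }
    cert_covers_host "$crt" "$host" && echo "hostname $host: covered" || { echo "hostname $host: NOT covered"; rc=1; }
    local d; d=$(days_left "$crt")
    [ "$d" -gt 14 ] && echo "expiry: $d days left" || { echo "expiry: only $d days left"; rc=1; }
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_pki "$work"
    build_ca_bundle "$work/commercial_ca.crt" "$work/root.crt" "$work/int.crt"
    preflight "$work/commercial.key" "$work/commercial.crt" "$work/commercial_ca.crt" mail.example.com
    echo "--- same certificate, but the bundle holds only the root (intermediate missing):"
    preflight "$work/commercial.key" "$work/commercial.crt" "$work/root.crt" mail.example.com
    rm -rf "$work"
fi
```

Run it as ''bash preflight.sh demo'' to see a passing set followed by the "missing intermediate" failure that the admin-console error usually hides. Against a real order, point ''preflight'' at ''/opt/zimbra/ssl/zimbra/commercial/commercial.key'', the certificate file from the CA and the bundle you built, and deploy only when it exits 0. On the Zimbra host itself, ''zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt'' performs the key and chain checks; the script lets you do them on a workstation before touching the server.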