Para obtener tu certificado SSL debes haber generado tu Solicitud de firma de certificados SSL (CSR, Certificate Signing Request) la cual se genera utilizando una llave privada (key) el cual se va a almacenar en tu servidor y es la que nadie puede conocer. La Entidad de certificación SSL (CA, Certificate Authority) te pedirá una solicitud de firma de certificados para completar la compra (CSR). EL CA te devolvera tu certificado, junto con su certificada Publico (CA Root) y los certificados Intermedios, que basicamente son certificados principales que autorizan al certificado Root.
Estos son:
- AddTrustExternalCARoot.crt
- COMODORSAAddTrustCA.crt
- COMODORSADomainValidationSecureServerCA.crt
- my_domain_com.crt files
Nota: the root and intermediate files may have different names depends of the SSL Certificate, like PositiveSSL, etc.
- 3. Cat the CA certs to form a single CA certificate chain file
cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > /tmp/commercial_ca.crt
- 4. Place the SSL certificate in /tmp/commercial.crt.
cp my_domain_com.crt /tmp/commercial.crt
- 5. Check that your SSL certificate, your private key and the Intermediate CA are OK, this step is important and you should not continue if you receive an error here:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crt ** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match. Valid Certificate: /tmp/commercial.crt: OK
- 6. Deploy the commercial certificate with zmcertmgr as the root user.
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt ** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match. Valid Certificate: /tmp/commercial.crt: OK ** Copying /tmp/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt ** Appending ca chain /tmp/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done. ** NOTE: mailboxd must be restarted in order to use the imported certificate. ** Saving server config key zimbraSSLCertificate...done. ** Saving server config key zimbraSSLPrivateKey...done. ** Installing mta certificate and key...done. ** Installing slapd certificate and key...done. ** Installing proxy certificate and key...done. ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done. ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done. ** Installing CA to /opt/zimbra/conf/ca...done.
- 7. Restart the Zimbra Services
zmcontrol restart
