Install a Zimbra certificate
You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.
1- Retrieve your certificate(s) on your server
In the delivery email you'll find several links. Click on them and download the associated files:
(From the status page of your certificate in your TBS customer area, click on the "View the certificate" button)
- A: your server certificate (.cer or .crt file): name it commercial.crt
- B: the certification chain (.txt file): name it commercial_ca.crt
Note: you will need to append the self-signed root certificate to the commercial_ca.crt file.
You can download the root from your certificate status page: click the "See the certificate" button, then follow the "See the root certificate" link.
Save these files in a temporary directory, /tmp/.
Under Linux, to add the root certificate, you can concatenate the two files:
cat chain-1234567890-123456.txt rootCert-1234567890-123456.cer > commercial_ca.crt
2- Verification of the certificate and the certification chain
Please note: for Zimbra versions lower than 8.7, the "zmcertmgr" checker must be run as root. For all versions greater than 8.7, you have to run it as the "zimbra" user.
Test with the following command:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crt
If you get an error like this:
Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
unable to load certificate
140521322567328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: TRUSTED CERTIFICATE
ERROR: Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' do not match.
Or:
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
timestampsign Time Stamp signing
XXXXX ERROR: Invalid Certificate:
You must manually create the commercial.crt and commercial_ca.crt files. Go to the status page of your certificate and click the "View certificate" button. In the pop-up that appears, copy all of the content:
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
and paste it into a commercial.crt file that you will place in the /tmp/ folder.
For the certification chain, still from the status page of your certificate, click the "View the certificate" button, then "View the certification chain". As before, copy all of the content into a file called commercial_ca.crt, which you will also place in the /tmp folder. Then click "View root certificate" and append its content to this same file. In the end your commercial_ca.crt file should look like this:
subject=........
issuer=........
-----BEGIN CERTIFICATE-----
... Intermediate certificate 1 ...
-----END CERTIFICATE-----
subject=........
issuer=........
-----BEGIN CERTIFICATE-----
... Intermediate certificate 2 (if present) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... Root certificate ...
-----END CERTIFICATE-----
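The "no start line" error quoted above means that OpenSSL could not find a valid PEM BEGIN marker in the file: its reader requires the line to start with exactly "-----BEGIN " (five dashes), so a marker with the wrong number of dashes, stray characters inside a block, or a file that ends mid-block all produce it. The POSIX shell script below is an added example, not TBS or Zimbra code; it checks the framing of commercial.crt or commercial_ca.crt before you hand the files to zmcertmgr. Text between blocks, such as the subject=/issuer= lines shown above, is ignored, as OpenSSL ignores it. The function name pem_check and the sample files in the usage note are my own; the check is deliberately stricter than OpenSSL (every line inside a block must be base64).

```shell
#!/bin/sh
# pem_check.sh: check the PEM framing of a certificate file or bundle
# (for example /tmp/commercial.crt or /tmp/commercial_ca.crt) before it is
# passed to zmcertmgr. Added example; not TBS or Zimbra code.
#
# Usage: sh pem_check.sh FILE [EXPECTED_BLOCKS]
#   e.g. sh pem_check.sh /tmp/commercial_ca.crt 3   (two intermediates + root)
#
# Rules applied (stricter than OpenSSL on purpose):
#   - every marker line is exactly "-----BEGIN CERTIFICATE-----" or
#     "-----END CERTIFICATE-----" (five dashes on each side);
#   - BEGIN and END markers alternate and the file does not end mid-block;
#   - lines inside a block contain only base64 characters;
#   - if EXPECTED_BLOCKS is given, the number of blocks must match it.
# Lines outside the blocks (such as "subject=" / "issuer=" from the chain
# file) are ignored, which is also what OpenSSL's PEM reader does.
# Windows line endings are tolerated, as OpenSSL tolerates them.

pem_check() {
    file="$1"
    want="${2:-}"
    [ -r "$file" ] || { echo "pem_check: cannot read $file" >&2; return 1; }
    awk -v want="$want" '
        { sub(/\r$/, "") }                      # tolerate CRLF
        /^-.*BEGIN/ {
            if ($0 != "-----BEGIN CERTIFICATE-----") {
                printf "line %d: malformed BEGIN marker: %s\n", NR, $0 > "/dev/stderr"; bad = 1
            } else if (open) {
                printf "line %d: BEGIN inside an open block\n", NR > "/dev/stderr"; bad = 1
            } else {
                open = 1
            }
            next
        }
        /^-.*END/ {
            if ($0 != "-----END CERTIFICATE-----") {
                printf "line %d: malformed END marker: %s\n", NR, $0 > "/dev/stderr"; bad = 1
            } else if (!open) {
                printf "line %d: END without a matching BEGIN\n", NR > "/dev/stderr"; bad = 1
            } else {
                open = 0; blocks++
            }
            next
        }
        open && $0 !~ /^[A-Za-z0-9+\/=]+$/ {
            printf "line %d: non-base64 text inside a certificate block\n", NR > "/dev/stderr"; bad = 1
        }
        END {
            if (open) { print "file ends inside a certificate block" > "/dev/stderr"; bad = 1 }
            if (want != "" && blocks + 0 != want + 0) {
                printf "expected %d certificate blocks, found %d\n", want, blocks + 0 > "/dev/stderr"; bad = 1
            }
            if (bad) exit 1
            print blocks + 0 " certificate block(s) OK: " FILENAME
        }' "$file"
}

# Command-line entry point: only runs when arguments are given.
if [ "$#" -gt 0 ]; then
    pem_check "$@"
fi
```

Run it on both files produced in step 1 (commercial.crt should report one block, commercial_ca.crt one block per intermediate plus one for the root); fix whatever it reports, then re-run the zmcertmgr verifycrt command. A clean pass here does not replace verifycrt, which also checks that the certificate matches the private key.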
Check again. If the tests are good, deploy the certificate with the following command:
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
Your certificate is now deployed everywhere. Restart the services to activate it.
Check your certificate installation with Co-Pibot
On your certificate status page, in your customer area at TBS CERTIFICATES, you will find a "Test the installation" button to check that your certificate is correctly installed.
Security recommendations
Strong DH groups
- We recommend generating strong DH prime groups that are unique to your server to increase its security. Run the following command and place its output in a folder accessible by your server:
openssl dhparam -out dhparams.pem 2048
Add the following line to your configuration:
ssl_dhparam /chemin/vers/votre/dhparams.pem;
You need to add this line to the files /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template and /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template.
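To keep the template edit above repeatable, here is an added example (not TBS or Zimbra code): a POSIX shell script that generates dhparams.pem if it does not exist yet, then inserts the ssl_dhparam line right after the ssl_certificate_key line of each template named above, or replaces an ssl_dhparam line that is already there. Running it twice (for instance after an upgrade that puts the stock templates back) therefore leaves exactly one directive per template. The function names and the assumption that each template contains an ssl_certificate_key line are mine; when that line is absent the function refuses to edit the file and asks you to add the directive by hand. The template paths are the ones given in the text; the dhparams.pem path is whatever you pass in.

```shell
#!/bin/sh
# add_dhparam.sh: generate dhparams.pem (if needed) and add or update the
# ssl_dhparam directive in the Zimbra nginx templates, idempotently.
# Added example; not TBS or Zimbra code.
#
# Usage: sh add_dhparam.sh /opt/zimbra/conf/dhparams.pem
# Run it as a user that can write the templates, then restart the proxy.

# Template locations named in the section above.
TEMPLATES="/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template"

# add_dhparam_directive TEMPLATE DHPARAM_PATH
# Inserts "ssl_dhparam DHPARAM_PATH;" after the ssl_certificate_key line,
# or rewrites an existing ssl_dhparam line; extra copies are dropped.
# Returns 1 (file untouched) when the template has no ssl_certificate_key.
add_dhparam_directive() {
    tpl="$1"
    dh="$2"
    [ -w "$tpl" ] || { echo "add_dhparam_directive: cannot write $tpl" >&2; return 1; }
    tmp="$tpl.tmp.$$"
    if awk -v dh="$dh" '
        # copy the leading indentation of a line so the edit blends in
        function indent_of(line) { match(line, /^[ \t]*/); return substr(line, 1, RLENGTH) }
        /^[ \t]*ssl_dhparam[ \t]/ {
            # existing directive: rewrite it once, drop any later duplicates
            if (!done) { print indent_of($0) "ssl_dhparam " dh ";"; done = 1 }
            next
        }
        { print }
        /^[ \t]*ssl_certificate_key[ \t]/ && !done {
            print indent_of($0) "ssl_dhparam " dh ";"; done = 1
        }
        END { if (!done) exit 1 }
    ' "$tpl" > "$tmp"; then
        mv "$tmp" "$tpl"
    else
        rm -f "$tmp"
        echo "add_dhparam_directive: no ssl_certificate_key line in $tpl; add ssl_dhparam by hand" >&2
        return 1
    fi
}

# count_dhparam_lines TEMPLATE: prints how many ssl_dhparam directives remain
count_dhparam_lines() {
    grep -c '^[[:space:]]*ssl_dhparam[[:space:]]' "$1" || true
}

# main DHPARAM_PATH: generate the group once (2048 bits, as recommended
# above), then patch both templates.
main() {
    dh="$1"
    if [ ! -f "$dh" ]; then
        openssl dhparam -out "$dh" 2048
    fi
    for t in $TEMPLATES; do
        add_dhparam_directive "$t" "$dh"
    done
}

if [ "$#" -eq 1 ]; then
    main "$1"
fi
```

After the templates are patched, restart the proxy so the generated nginx.conf picks up the directive, and keep the script with your server notes so the same edit can be re-applied whenever the templates are refreshed.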
Cipher configuration
We recommend configuring your server's ciphers to increase its security.
With the Nginx Zimbra Proxy
If you use the Nginx proxy (enabled by default starting with ZCS 8.7), you can set your cipher list with the zmprov CLI tool. You will then need to restart the service. We recommend the following configuration:
zmprov mcf zimbraReverseProxySSLCiphers '!EDH:!AECDH:!ADH:!DSS:!RC4:ECDSA:HIGH:!3DES:!NULL:!aNULL:!eNULL'
zmproxyctl restart
Without the Nginx Zimbra Proxy
If you do not have the Nginx proxy enabled, you can manually exclude unsafe ciphers using the following commands:
su - zimbra
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>
zmmailboxdctl restart