ZCS and Self issued certificate

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
masterx81
Posts: 13
Joined: Sat Sep 13, 2014 3:25 am

ZCS and Self issued certificate

Post by masterx81 »

Hi!
I'm using an old ZCS 6. I'm migrating it to a newer version but it take time...
I'm trying to implement SSL/TLS on imap and smtp connections on the current system, so i've issued a new certificate (with wildcard *.domain.com) via the admin web console.
I've installed the certificate in the Trusted Root Certification Authorities Certificate Store at the clients, but i still get an error when outlook connects to the server. Looking at the certificate is missing the issuer so that the certificate can't be verified.
How i can fix this? I need to creade a self signed certificate with correct issuer and deploy it to the clients?
Really thanks!
User avatar
zimico
Outstanding Member
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3
Contact:

Re: ZCS and Self issued certificate

Post by zimico »

Hi. Outlook does not accept self signed cert. You have to use a commercial one.
Regards.
masterx81
Posts: 13
Joined: Sat Sep 13, 2014 3:25 am

Re: ZCS and Self issued certificate

Post by masterx81 »

The error that i get is "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider". In windows normally you can fix this installing the root certificate of the server in the local Trusted Root Certification Authorities Certificate Store, so that the certificate can be trusted. If i open the certificate i get a warning about missing the issuer.
there isn't a way to fix this using simply self signed? The root certificate is easly deployed by GPO....
Really thanks for the help...
User avatar
zimico
Outstanding Member
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3
Contact:

Re: ZCS and Self issued certificate

Post by zimico »

You can search this forum about this issue. You can install root cert on windows for old outlook version. However, from outlook 2010, as i remember, you have to use "commercial" one (and letsencrypt, etc).
Regards.
masterx81
Posts: 13
Joined: Sat Sep 13, 2014 3:25 am

Re: ZCS and Self issued certificate

Post by masterx81 »

Hi!
I've exported the root certificate with:
openssl x509 -in /opt/zimbra/ssl/zimbra/ca/ca.pem -outform DER -out ca.der
Installed in the trusetd root store, and the warning message is gone away.
User avatar
zimico
Outstanding Member
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3
Contact:

Re: ZCS and Self issued certificate

Post by zimico »

Thank you. I test in my system and it's OK. It's nice to know that now I can import the cert and both outlook and browser are "green" :)
Regards,
Post Reply