All I could find about Gandi SSL certificates and Zimbra was an archived wiki article from Zimbra 5/6, so I thought I'd post the process here for others who want to use Gandi.net.
Gandi uses Comodo upstream, so you need to go through the process of building your own certificate chain. I also wanted to be able to roll back in case it didn't work, so that impacted how I generated the CSR. At the end of the day, it all worked, so I thought I'd document the abbreviated process here.
Two common "gotchas" in my experience are first that many system admins don't realize that creating a CSR alters the private key file, and second, that the order in which all the other root and intermediate certs are bundled is very important, and perhaps not so intuitive. So I tried to highlight these in the steps below.
Hope that helps,
Mark
Gandi.net Zimbra SSL Certificate Installation Notes
CREATE THE CSR:
1. As the Zimbra user:
cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp
cd /tmp
openssl req -new -newkey rsa:2048 -nodes -keyout commercial.key -out yourserver.csr
(Follow the prompts; hit "Enter" when asked for a password)
3. Copy the /tmp/commercial.key file someplace safe (it's different now than the original!)
GET READY FOR THE INSTALLATION:
1. Download the issued SSL certificate and Gandi's intermediate bundle from Gandi
2. Download the Comodo Root and Intermediary bundle from:
https://support.comodo.com/index.php?/c ... tion-sha-2
FILES INVENTORY:
commercial.key - Private key file from /tmp/commercial.key - after the CSR creation -
>>>> must be copied to /opt/zimbra/ssl/zimbra/commercial/commercial.key after moving aside the existing commercial.key file.
_.missioncriticalemail.com.crt - The SSL Wildcard certificate
GandiStandardSSLCA2.pem - Gandi's Intermediate CA
comodo-rsa-domain-validation-sha-2-w-root.ca-bundle - Comodo's Root and Intermediates
INSTALLATION:
1. Copy commercial.key as above, ensuring ownership and permissions match the old commercial.key file you set aside to make room for this one.
2. As the Zimbra user, create the files:
touch /tmp/commercial.crt
touch /tmp/commercial_ca.crt
4. As the Zimbra user, populate the /tmp/commercial_ca.crt file:
-----BEGIN CERTIFICATE-----
Insert Contents of GandiStandardSSLCA2.pem (contains two certificates)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Insert Contents of comodo-rsa-domain-validation-sha-2-w-root.ca-bundle (contains three certificates)
-----END CERTIFICATE-----
Code: Select all
~/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crt
6. If all is good, as the Zimbra user, install:
~/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
zmcontrol restart
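
The CSR command in the post passes -newkey and -keyout, so OpenSSL writes a freshly generated private key over /tmp/commercial.key. As an added example (not part of the original post; the scratch files and the CN are constructed), this script compares public-key fingerprints so you can confirm which key a CSR or certificate belongs to before moving files into place or rolling back.

```shell
#!/bin/sh
# Added example, not from the original post. All file names and the
# CN below are constructed; nothing here touches /opt/zimbra.

# Print the SHA-256 of the public key held in a private key, CSR or cert.
pubkey_fp() {  # usage: pubkey_fp key|csr|crt FILE
  case "$1" in
    key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr) pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)   return 2 ;;
  esac
  [ -n "$pub" ] || return 1          # unreadable file or wrong file type
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if both files carry the same public key.
same_key() {  # usage: same_key TYPE_A FILE_A TYPE_B FILE_B
  a=$(pubkey_fp "$1" "$2") && b=$(pubkey_fp "$3" "$4") && [ "$a" = "$b" ]
}

# Build throwaway files in DIR that mirror the post's CSR step.
make_demo() {  # usage: make_demo DIR
  d=$1; subj=/CN=mail.example.test
  # Stand-ins for the key and certificate that are currently deployed.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
    -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null || return 1
  cp "$d/old.key" "$d/commercial.key"
  # Same options as the post: -newkey/-keyout write a fresh key over the copy.
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/commercial.key" -out "$d/new.csr" 2>/dev/null || return 1
  # For comparison: -key reuses an existing key and leaves it untouched.
  openssl req -new -key "$d/old.key" -subj "$subj" \
    -out "$d/reuse.csr" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d) && make_demo "$tmp" && {
    same_key key "$tmp/commercial.key" csr "$tmp/new.csr" && echo "new key matches new CSR"
    same_key key "$tmp/commercial.key" crt "$tmp/old.crt" || echo "new key does not match old cert"
    same_key key "$tmp/old.key" crt "$tmp/old.crt" && echo "set-aside key still matches old cert"
  }
  rm -rf "$tmp"
fi
```

On a real server the same comparison would be `same_key key commercial.key crt commercial.crt` against the files listed in the inventory, run before the key is copied into place.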