CSR always the same using GUI? CLI regen works OK

Post by Al-MacLean »

Hi,
Our server (8.6.0_GA_1242) certificate is due for renewal - our issuer (Gandi) gives a warning about needing a new CSR. I've used the Zimbra Admin Certificates GUI wizard and ticked the option for "Replace the current CSR" and have even gone so far as to manually back up then delete the commercial.key file to ensure a new key file is being created (it is).

However, using this approach the content of the CSR is always identical to the previous CSR. I went through the steps 6 times, tried changing the Digest size from SHA256 up to SHA512, but the CSR result was always the same.

The only way I've been able to force a new CSR is to use the CLI version of regeneration, following the example under the Wiki https://wiki.zimbra.com/wiki/Administra ... ertificate and adjusting the subject / domain to our values. I then copied the new CSR to the mounted remote backup so that I could pick up the file on my desktop PC... :roll:

This makes me wonder if the Admin GUI's regen method has a bug and is not passing the "-new" parameter to the command? (I don't know if that's the cause, but this seems to fit what I've seen on our system).

Has anyone else experienced this issue with the GUI tool?

Re: CSR always the same using GUI? CLI regen works OK

Post by Al-MacLean »

I also found that I had to complete the install of the new certificate with the CLI commands as the GUI version for "install" and loading the certificates gave an error. The CLI method uses cat to combine the Root and Intermediate certificates (required for Gandi certs) - it's possible that had I used the combined cert in the GUI rather than the separate Root bundle and the Intermediary separately the GUI may have worked, but I didn't consider testing that until afterwards - I just wanted to finish the job...
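
The symptom in the first post (a new key file on disk but an unchanged CSR) can be checked before submitting anything to the issuer by comparing the public key embedded in the CSR with the one derived from the private key. This is an added example, not part of the original posts or of Zimbra's own tooling; the sample file names, the subject and the helper functions `pub_fp`, `csr_matches_key`, `make_samples` and `check` are constructed for illustration, and plain `openssl` stands in for the Zimbra CLI.

```shell
#!/bin/sh
# Added example: confirm a CSR was built from the private key on disk.
# All file names and the subject below are constructed sample values.

# Print the SHA-256 of the public key in a private key ($1=key) or CSR ($1=csr).
pub_fp() (
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || exit 1 ;;
        *)   exit 2 ;;
    esac
    # Normalise to DER so PEM formatting differences cannot affect the hash.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
)

# Exit 0 if CSR $1 carries the public key of private key $2, 1 if it does
# not, 2 if either file is missing or cannot be parsed.
csr_matches_key() (
    c=$(pub_fp csr "$1") || exit 2
    k=$(pub_fp key "$2") || exit 2
    [ "$c" = "$k" ]
)

# Build constructed samples in directory $1 that mimic the thread: a new
# key on disk, a CSR left over from the previous key, and a CSR that was
# regenerated from the new key.
make_samples() (
    cd "$1" || exit 1
    subj="/C=GB/O=Example Ltd/CN=mail.example.com"
    openssl genrsa -out old.key 2048 2>/dev/null &&
    openssl req -new -sha256 -key old.key -subj "$subj" -out stale.csr &&
    openssl genrsa -out commercial.key 2048 2>/dev/null &&
    openssl req -new -sha256 -key commercial.key -subj "$subj" -out fresh.csr
)

# Report one CSR against the key.
check() {
    if csr_matches_key "$1" "$2"; then echo "OK       $1 matches $2"
    else echo "MISMATCH $1 does not match $2"; fi
}

tmp=$(mktemp -d) && make_samples "$tmp" && cd "$tmp" &&
    check stale.csr commercial.key && check fresh.csr commercial.key
```

A CSR that reports MISMATCH against the current key would yield a certificate that cannot be installed with that key, so the comparison is worth running on whichever CSR file is about to be pasted into the issuer's form.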