Dear Team,
I use Zimbra 8.8.15 and for some reason, the webmail can't validate my S/Mime certificate issued by Actalis Client Authentication CA G3.
The certificate is correct; Outlook, Thunderbird, etc. can validate it without a hassle.
Should I update a Java truststore somewhere?
The server OS is CentOS7, the Zimbra packages are the latest from the RPM repo.
Have you seen anything similar?
S/Mime trust issues
- andras0602
- Advanced member
- Posts: 62
- Joined: Sat May 21, 2022 3:11 pm
- ZCS/ZD Version: 8.8.15
Re: S/Mime trust issues
I could fix it. Eventually figured out my latest, zimbra-openjdk-cacerts-1.0.8-1zimbra8.7b1.el7.x86_64 package just lacks a bunch of CA certificates.
First, I imported the Actalis root CA like:
Code:
[zimbra@mail ~]$ zmcertmgr addcacert /some/path/Actalis_Server_Authentication_RootCA.crt
** Importing cert '/some/path/Actalis_Server_Authentication_RootCA.crt' as 'zcs-user-Actalis_Server_Authentication_RootCA' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
[zimbra@mail ~]$ zmmailboxdctl restart
Stopping mailboxd...done.
Starting mailboxd...done.
But it didn't help.
Then I imported the subordinate CA certificate https://www.actalis.it/documenti-it/act ... ncag3.aspx like:
Code:
[zimbra@mail ~]$ zmcertmgr addcacert /some/path/ActalisClientAuthenticationCAG3.cer
** Importing cert '/some/path/ActalisClientAuthenticationCAG3.cer' as 'zcs-user-ActalisClientAuthenticationCAG3' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
[zimbra@mail ~]$ zmmailboxdctl restart
Stopping mailboxd...done.
Starting mailboxd...done.
And it works.
I know, it's a nightmare to get into official Java keystores, but a newer, better one at least for Zimbra would be great.
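An added example, not from the post or from Zimbra: a validator that trusts only a root can still reject a user certificate when it is never handed the subordinate CA, whereas a subordinate CA placed in the truststore serves as the anchor itself. The script reproduces those three outcomes with `openssl verify` on a constructed three-tier chain; every name in it is made up, and that this is what happened on the poster's server is an assumption.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (all names made up): root CA -> subordinate CA -> S/MIME user cert.

build_chain() {  # $1 = empty working directory
  local d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = emailProtection
EOF
  # Self-signed root.
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Subordinate CA signed by the root, then the user certificate signed by the subordinate.
  issue "$d" sub  "/CN=Demo Client Authentication CA" root v3_ca   2
  issue "$d" user "/CN=user@example.test"             sub  v3_user 3
}

issue() {  # args: dir name subject issuer ext-section serial
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -set_serial "$6" \
    -days 2 -extfile "$1/pki.cnf" -extensions "$5" -out "$1/$2.pem" 2>/dev/null
}

# Prints "trusted" or "untrusted" for the given `openssl verify` options.
verdict() {
  if openssl verify "$@" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Only the root is trusted and nobody supplies the subordinate CA: no path can be built.
root_only()     { verdict -CAfile "$1/root.pem" "$1/user.pem"; }
# Root trusted, subordinate CA supplied as an untrusted helper (e.g. sent with the message).
root_plus_sub() { verdict -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/user.pem"; }
# Subordinate CA itself is the trust anchor; -partial_chain imitates a Java truststore,
# where every certificate entry is an anchor.
sub_as_anchor() { verdict -partial_chain -CAfile "$1/sub.pem" "$1/user.pem"; }

demo=$(mktemp -d) && build_chain "$demo"
echo "root in truststore, subordinate CA unavailable: $(root_only "$demo")"
echo "root in truststore, subordinate CA supplied:    $(root_plus_sub "$demo")"
echo "subordinate CA itself in truststore:            $(sub_as_anchor "$demo")"
rm -rf "$demo"
```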