S/Mime trust issues

andras0602
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

Post by andras0602 »

Dear Team,

I use Zimbra 8.8.15 and for some reason, the webmail can't validate my S/Mime certificate issued by Actalis Client Authentication CA G3.
The certificate is correct, Outlook, Thunderbird, etc. can validate it without a hassle.
Should I update a Java truststore somewhere?
The server OS is CentOS7, the Zimbra packages are the latest from the RPM repo.
Have you seen anything similar?

Re: S/Mime trust issues

Post by andras0602 »

I could fix it! I eventually figured out that my latest package, zimbra-openjdk-cacerts-1.0.8-1zimbra8.7b1.el7.x86_64, just lacks a bunch of CA certificates.
First, I imported the Actalis root CA like this:

```
[zimbra@mail ~]$ zmcertmgr addcacert /some/path/Actalis_Server_Authentication_RootCA.crt
** Importing cert '/some/path/Actalis_Server_Authentication_RootCA.crt' as 'zcs-user-Actalis_Server_Authentication_RootCA' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
[zimbra@mail ~]$ zmmailboxdctl restart
Stopping mailboxd...done.
Starting mailboxd...done.
```

But it didn't help.

Then I imported the subordinate CA certificate https://www.actalis.it/documenti-it/act ... ncag3.aspx like this:

```
[zimbra@mail ~]$ zmcertmgr addcacert /some/path/ActalisClientAuthenticationCAG3.cer
** Importing cert '/some/path/ActalisClientAuthenticationCAG3.cer' as 'zcs-user-ActalisClientAuthenticationCAG3' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
[zimbra@mail ~]$ zmmailboxdctl restart
Stopping mailboxd...done.
Starting mailboxd...done.
```

And it works!
I know it's a nightmare to get into the official Java keystores, but a newer, better one, at least for Zimbra, would be great.
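
A check to run after the two `zmcertmgr addcacert` imports described above, added here as an example and not part of the original posts: it reports which CA certificates of the chain (root and subordinate) the Java truststore actually contains, matched by SHA-256 fingerprint. The cacerts path comes from the `zmcertmgr` output above; the `changeit` default password and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report which CA certificates of
# an S/MIME chain are present in a Java truststore, matched by SHA-256 fingerprint.

# Path taken from the zmcertmgr output in the post.
CACERTS=${CACERTS:-/opt/zimbra/common/lib/jvm/java/lib/security/cacerts}
# Assumption: "changeit" is the stock JDK truststore password; override if yours differs.
STOREPASS=${STOREPASS:-changeit}

# stdin: `keytool -list -v` output; stdout: one bare upper-case SHA-256 per line.
truststore_fps() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | tr -d ': \t\r' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of a certificate file (tries PEM first, then DER).
cert_fp() {
  cf_out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    cf_out=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256) || return 1
  printf '%s\n' "${cf_out#*=}"
}

# check_chain STORE_FP_FILE LABEL=FINGERPRINT...
# Prints present/MISSING per CA; returns 1 if any CA is absent from the store.
check_chain() {
  cc_store=$1; cc_rc=0; shift
  for cc_item in "$@"; do
    cc_fp=$(printf '%s' "${cc_item#*=}" | tr -d ': \t\r' | tr 'a-f' 'A-F')
    if [ -n "$cc_fp" ] && grep -qxF "$cc_fp" "$cc_store"; then
      echo "present  ${cc_item%%=*}"
    else
      echo "MISSING  ${cc_item%%=*}"; cc_rc=1
    fi
  done
  return "$cc_rc"
}

# Live use as the zimbra user: sh check.sh rootca.crt subca.cer
if [ "$#" -gt 0 ]; then
  store=$(mktemp)
  keytool -list -v -keystore "$CACERTS" -storepass "$STOREPASS" | truststore_fps > "$store"
  rc=0
  for f in "$@"; do
    check_chain "$store" "$(basename "$f")=$(cert_fp "$f")" || rc=1
  done
  rm -f "$store"
  exit "$rc"
fi
```

A `MISSING` line for the subordinate CA corresponds to the state after the first import in the thread, where only the root had been added.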