How to update a non-wildcard SSL certificate to a wildcard certificate in Zimbra

  • Copy the file /tmp/comm.tar from mail2 to mail.abc.co.id.
  • Change to the directory /opt/zimbra/ssl/zimbra/commercial.
  • Back up / move all the files found here, for example into the folder /opt/zimbra/ssl/zimbra/commercial/old/.
  • Extract the file /tmp/comm.tar. Result of the extraction:
    root@mail3://opt/zimbra/ssl/zimbra/commercial# ls -al
    total 116
    drwxr----- 3 root root  4096 Apr 30 15:22 .
    drwxr----- 5 root root  4096 Apr 30 13:04 ..
    -rwxr----- 1 root root  4211 Apr 30 15:22 ca_chain.crt
    -rwxr----- 1 root root  2714 Dec  2 10:17 ca.crt
    -rwxr----- 1 root root  1497 Dec  2 10:15 ca_intermiediary.crt
    -rwxr----- 1 root root  4211 Apr 30 15:22 commercial_ca.crt
    -rw-r--r-- 1 root root 10098 Apr 30 15:22 commercial.crt
    -rwxr----- 1 root root  1123 Dec  2 09:57 commercial.csr
    -rwxr----- 1 root root  1704 Dec  2 08:55 commercial.key
    -rw-r--r-- 1 root root 61440 Apr 30 15:20 comm.tar
    drwxr----- 2 root root  4096 Dec  2 09:57 old
    root@mail3://opt/zimbra/ssl/zimbra/commercial#
    

Run the following command:

root@mail3:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/openssl/bin/openssl verify -CAfile `pwd`/ca_chain.crt `pwd`/commercial.crt
/opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

Then deploy:

root@mail3:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/bin/zmcertmgr deploycrt comm `pwd`/commercial.crt `pwd`/ca_chain.crt
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
** Copying /opt/zimbra/ssl/zimbra/commercial/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file
** Appending ca chain /opt/zimbra/ssl/zimbra/commercial/ca_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
root@mail3:/opt/zimbra/ssl/zimbra/commercial#

Then restart:

zmcontrol restart

SSL Labs test result:

sslmailfinal.png

certificate information:

certinfo.png

The CN now shows the wildcard (*.abc.co.id).

Note:

SSL.key = commercial.key

ca_intermiediary.crt = INTERMEDIATE CA from the email

ca.crt = INTERMEDIATE CA from the email + GeoTrust_Global_CA.pem

ca_chain.crt = cat ca.crt ca_intermiediary.crt > ca_chain.crt

commercial.crt = Web Server CERTIFICATE + INTERMEDIATE CA from the email + GeoTrust_Global_CA.pem + INTERMEDIATE CA from the email
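
The checks that the verify and deploy steps above report (chain verifies, certificate matches commercial.key, name is the wildcard) can be run together before deploying. The script below is an added example, not part of the original post and not Zimbra's code; the function names precheck and make_constructed_sample, the OPENSSL variable and the name *.example.test are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pre-deploy checks for the files used above. Not Zimbra code.
# Assumption: set OPENSSL=/opt/zimbra/openssl/bin/openssl to use Zimbra's binary.
OPENSSL=${OPENSSL:-openssl}

# precheck DIR WILDCARD -> 0 ok, 1 chain fails, 2 key mismatch, 3 name missing
precheck() {
    dir=$1; wild=$2
    crt=$dir/commercial.crt; key=$dir/commercial.key; chain=$dir/ca_chain.crt

    # 1. Same test as the manual "openssl verify -CAfile" step: expect ": OK".
    "$OPENSSL" verify -CAfile "$chain" "$crt" 2>/dev/null | grep -q ': OK$' \
        || { echo "chain does not verify" >&2; return 1; }

    # 2. Certificate and private key must carry the same public key.
    cert_pub=$("$OPENSSL" x509 -in "$crt" -noout -pubkey 2>/dev/null) || true
    key_pub=$("$OPENSSL" pkey -in "$key" -pubout 2>/dev/null) || true
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and key do not match" >&2; return 2; }

    # 3. The wildcard must appear as the subject CN or as a SAN DNS entry.
    { "$OPENSSL" x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
      "$OPENSSL" x509 -in "$crt" -noout -text | grep 'DNS:'
    } | tr -s ', ' '\n\n' | grep -qxF -e "CN=$wild" -e "DNS:$wild" \
        || { echo "$wild not found in CN or SAN" >&2; return 3; }
    echo "precheck passed for $wild"
}

# Constructed sample: a self-signed wildcard certificate that acts as its own
# chain, plus an unrelated key and certificate for the failure cases.
make_constructed_sample() {
    d=$1
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=*.example.test' \
        -keyout "$d/commercial.key" -out "$d/commercial.crt" 2>/dev/null
    cp "$d/commercial.crt" "$d/ca_chain.crt"
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=constructed-other' \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_constructed_sample "$demo"
precheck "$demo" '*.example.test'
rm -rf "$demo"
```

On the mail server the call would be precheck /opt/zimbra/ssl/zimbra/commercial '*.abc.co.id', run before zmcertmgr deploycrt.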