Skip to content

Installing a commercial SSL certificate in Zimbra

Edit: now in 2020, with Zimbra 8, and Startcom out of business, things have changed a bit. So, here are the steps now, for a Sectigo certificate (and referring to their directory structure):

  • Copy ‘Linux/mail.example.com.ca-bundle’ to ‘/tmp/ca_bundle.crt’. Run ‘chown zimbra:zimbra /tmp/ca_bundle.crt’. (the name of the file suggests that your certificate is in the bundle, but it’s just the authority’s)
  • Copy ‘mail.example.com.crt’ to ‘/tmp/ssl.crt’ and run ‘chown zimbra:zimbra /tmp/ssl.crt’
  • Copy ‘mail.example.com.key’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ and ‘chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key’
  • ‘su – zimbra’ and then ‘/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt’
  • A restart may not even be necessary. My monitoring already started alerting me about the recovery before hand, but just in case, also as user zimbra: ‘zmcontrol stop && zmcontrol start’

Old post:

I installed a commercial (free) SSL certificate from Startcom SSL in Zimbra. I basically followed this, except the java keytool thing. I don’t know why that is necessary… I did this on Zimbra 6.0.10_GA_2692.UBUNTU8_64 UBUNTU8_64 FOSS edition.

  • Download the ca.pem and sub.class1.server.ca.pem (the CA for the free class 1 validation) to /tmp/
  • Cat the CA certs to form a single CA certificate chain file: cat ca.pem sub.class1.server.ca.pem > ca_bundle.crt
  • Place server certificate in /tmp/ssl.crt.
  • Place the private key in /opt/zimbra/ssl/zimbra/commercial/commercial.key
  • Deploy the commercial certificate with zmcertmgr as the root user: /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt
  • Restart zimbra: su zimbra, then zmcontrol stop && zmcontrol start

3 Comments ( Add comment / trackback )

  1. (permalink)
    Comment by Stephen M Poole
    On April 5, 2012 at 19:42

    If you’re ever in Birmingham, I’ll buy you a hot dog. Worked like a champ with a GoDaddy cert on Zimbra 6.0.15_GA/CentOS 5.8

    🙂

  2. (permalink)
    Comment by halfgaar
    On March 16, 2013 at 13:20

    It was that time of the year again so I lookup this post. I never actually saw your reply. So, a belated thanks 🙂

    And BTW, it works on version 8 of Zimbra as well.

  3. (permalink)
    Comment by thesslmart
    On July 8, 2013 at 15:52

    Based on Zimbra documentation, any type of SSL type from any of the vendor such as Verisign, Geotrust and Comodo will be supported.