Edit: now in 2020, with Zimbra 8, and Startcom out of business, things have changed a bit. So, here are the steps now, for a Sectigo certificate (and referring to their directory structure):
- Copy ‘Linux/mail.example.com.ca-bundle’ to ‘/tmp/ca_bundle.crt’. Run ‘chown zimbra:zimbra /tmp/ca_bundle.crt’. (the name of the file suggests that your certificate is in the bundle, but it’s just the authority’s)
- Copy ‘mail.example.com.crt’ to ‘/tmp/ssl.crt’ and run ‘chown zimbra:zimbra /tmp/ssl.crt’
- Copy ‘mail.example.com.key’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ and ‘chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key’
- ‘su – zimbra’ and then ‘/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt’
- A restart may not even be necessary. My monitoring already started alerting me about the recovery before hand, but just in case, also as user zimbra: ‘zmcontrol stop && zmcontrol start’
I installed a commercial (free) SSL certificate from Startcom SSL in Zimbra. I basically followed this, except the java keytool thing. I don’t know why that is necessary… I did this on Zimbra 6.0.10_GA_2692.UBUNTU8_64 UBUNTU8_64 FOSS edition.
- Download the ca.pem and sub.class1.server.ca.pem (the CA for the free class 1 validation) to /tmp/
- Cat the CA certs to form a single CA certificate chain file: cat ca.pem sub.class1.server.ca.pem > ca_bundle.crt
- Place server certificate in /tmp/ssl.crt.
- Place the private key in /opt/zimbra/ssl/zimbra/commercial/commercial.key
- Deploy the commercial certificate with zmcertmgr as the root user: /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt
- Restart zimbra: su zimbra, then zmcontrol stop && zmcontrol start
If you’re ever in Birmingham, I’ll buy you a hot dog. Worked like a champ with a GoDaddy cert on Zimbra 6.0.15_GA/CentOS 5.8
It was that time of the year again so I lookup this post. I never actually saw your reply. So, a belated thanks 🙂
And BTW, it works on version 8 of Zimbra as well.
Based on Zimbra documentation, any type of SSL type from any of the vendor such as Verisign, Geotrust and Comodo will be supported.