1. Create csr and keep your key file. Copy the key file to /opt/zimbra/ssl/zimbra/commercial/commercial.key
2. Give or upload your csr file to certificate provider
3. Get certificate given by your cert provider after your csr is accepted.
4. Get the root certificate of your provider. For thawte, mine is
here
5. Get intermediate certificate. Mine is
here
6. Combine the content of the root and intermediate cert files e.g cat intermediate.crt root.crt > commercial_ca.crt and copy it to dir /opt/zimbra/ssl/zimbra/commercial
Below is the steps to verify that the certificates are ok and ready to deploy. You can skip the first step if you have already create the csr.
Single-Node Commercial Certificate
We need to take care and ask for the Certificate authority for the Root and Intermediate Keys, we will need it soon.
We will use at least 2048-bit key, is the minimum for all Certificate Authorities: 1. Begin by generating a Certificate Signing Request (CSR).
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Zimbra/OU=Zimbra Collaboration Suite/CN=host.example.com" -subjectAltNames host.example.com
2. Next, submit the CSR to the SSL provider and get a commercial certificate in PEM format. Save the new certificate to a temporary file (e.g. /tmp/commercial.crt).
3. Now, download and save the root Certificate Authority (CA) from your provider to a temporary file. (e.g. /tmp/ca.crt)
4. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)
5. Combine root and intermediary CAs into a temporary file.
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt
6. Verify your commercial certificate.
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
**Verifying /tmp/commercial.crt against
/opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK
7. Deploy your commercial certificate.
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying /tmp/commercial.crt against
/opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmpt/commercial.crt: OK
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Appending CA chain /tmp/ca_chain.crt to
/opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Saving server config key zimbraSSLCeretificate…done.
**Saving server config key zimbraSSLPrivateKey…done.
**Installing mta certificate and key…done.
**Installing slapd certificate and key…done.
**Installing proxy certificate and key…done.
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.
**Installing CA to /opt/zimbra/conf/ca…done.
If you get error "unable to get issuer certificate, please look at the steps in the link below.
https://wiki.zimbra.com/wiki/Fix_depth_lookup:unable_to_get_issuer_certificate