Zimbra Collaboration Suite (ZCS) is a free, open source Email and Collaboration server for enterprises, which includes an email server and web client components used to provide complete messaging and collaboration solutions.
You need to install SSL certificate in Zimbra collaboration server for communicating with hosts over SSL/TLS. There are two ways of SSL certificate installation on Zimbra server:
i) Administration Console (Web Interface)
ii) Certificate Manager (Command Line Interface)
First of all, You will need to generate CSR (Certificate Signing Request) on your ZCS and send the CSR to issuing Certificate Authority (CA) for issuance of valid SSL certificate.
Generate CSR in Zimbra Collaboration Server via Admin Console:
Follow the instructions to generate CSR file using Zimbra Administration Console:
- Login to your Zimbra Administration Console using a browser and navigate to Home > Configure and click “Certificates” option.
- On the right Click on “settings” icon, click “Install Certificate” option.
- Now, Certificate Installation Wizard will pop up, where you can select your targeted server name for SSL certificate installation from left navigation pane, then click Next button.
- Select “Generate the CSR for the commercial certificate authorizer” option, Click Next button
- Fill details in their respective fields under Certificate Installation Wizard as shown in below screenshot and click ‘Next’ button
For Wildcard SSL certificate request, check the box “Use Wildcard Common Name”.
For Multi Domain SSL certificate request, you need to specify another Subject Alternative Names in form field indicated in picture above.
- Next, Click the Download the CSR link to save CSR file that you need to send to Certificate Authority in order to get SSL certificate.
What if you missed 6th step?
You can locate the generated CSR file under Commercial Directory (e.g. /opt/zimbra/ssl/zimbra/commercial directory/commercial.csr)
SSL Certificate Installation via Zimbra Administration Console:
Extract four certificate files or CAbundle that you received in a ZIP file via email sent from CA (Certificate Authority) includes Primary Certificate File (.crt), Root CA (ICARoot.crt), and both Intermediate CA files.
Follow the instructions to install CA signed SSL certificate files on your targeted server through Zimbra Administration Console.
- After selection of target server, click Install the commercially signed certificate option, click Next
- Select Review the CSR request from left navigation pane, click Next.
- In the left navigation pane, click Upload the Certificate option to add one by one all certificate files received from CA in their respective places, and then click Next.
- Select Install button under selection of Install the Certificate as shown in left navigation pane.
- Restart your Zimbra Collaboration server (ZCS).
Finally, you have configured SSL certificate on your ZCS Server. You can view installed certificate upon returning to Admin Console.
SSL Certificate Installation via Command Line Interface (CLI):
Run following command to generate CSR for Zimbra via Command Line Interface (CLI):
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=LosAngeles/O=Zimbra/OU=Zimbra Collaboration Suite/CN=host.example.com" -subjectAltNames host.example.com
You will find generated CSR at following location:
For SSL installation on Zimbra Collaboration Server (ZCS) via CLI, you will have to concatenate (combine) four CAbundle files received from Certificate Authority using a text editor and save file name as commercial_ca.crt.
Please note: Copy and paste all the files and the data in the sequence like the primary certificate file (your_domain_name.crt), then intermediate certificate (your CA.crt) and in the last root certificate (trustedroot.crt). Always start with the BEGIN, and END tags in the certificate content.
-----BEGIN CERTIFICATE----- (Your Intermediate certificate) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Your Root certificate) -----END CERTIFICATE-----
Now, Place “commercial_ca.crt” file in following directory
Next, you will have to validate the certificate chain using below command to confirm the certificate chain on Zimbra starting ZCS 8.7 and above:
/opt/zimbra/bin/verify -CAfile commercial_ca.crt commercial.crt Valid Certificate: OK
You’ll get response OK, upon successfull certificate validation.
Now, Deploy your CA issued SSL certificate using following command:
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Restart your Zimbra Server using following command:
Finally, verify the SSL certifiate was deployed using following command: