How to Install SSL Certificate on Zimbra Server

Zimbra Collaboration Suite (ZCS) is a free, open-source Email and Collaboration server for enterprises, which includes an email server and web client components used to provide complete messaging and collaboration solutions.

You need to install an SSL certificate in the Zimbra collaboration server for communicating with hosts over SSL/TLS. There are two ways of SSL certificate installation on the Zimbra server:

i) Administration Console (Web Interface)
ii) Certificate Manager (Command Line Interface)

First of all, You will need to generate CSR (Certificate Signing Request) on your ZCS and send the CSR to issuing Certificate Authority (CA) for issuance of a valid SSL certificate.

Generate CSR in Zimbra Collaboration Server via Admin Console:

Follow the instructions to generate CSR file using Zimbra Administration Console:

1. Login to your Zimbra Administration Console using a browser and navigate to Home > Configure and click the “Certificates” option.

2. On the right click on the “settings” icon, click the “Install Certificate” option.

3. Now, Certificate Installation Wizard will pop up, where you can select your targeted server name for SSL certificate installation from the left navigation pane, then click the Next button.

4. Select the “Generate the CSR for the commercial certificate authorizer” option, click Next button

5. Fill details in their respective fields under Certificate Installation Wizard as shown in the below screenshot and click the ‘Next’ button

Please Note:
For Wildcard SSL certificate requests, check the box “Use Wildcard Common Name”.
For Multi Domain SSL certificate requests, you need to specify another Subject Alternative Names in the form field indicated in the picture above.

6. 6. Next, click the Download the CSR link to save the CSR file that you need to send to Certificate Authority in order to get an SSL certificate.

What if you missed the 6th step?

You can locate the generated CSR file under Commercial Directory (e.g. /opt/zimbra/ssl/zimbra/commercial directory/commercial.csr)

SSL Certificate Installation via Zimbra Administration Console:

Extract four certificate files or CAbundle that you received in a ZIP file via email sent from CA (Certificate Authority) includes Primary Certificate File (.crt), Root CA (ICARoot.crt), and both Intermediate CA files.

Follow the instructions to install CA signed SSL certificate files on your targeted server through Zimbra Administration Console.

1. After selection of target server, click Install the commercially signed certificate option, click Next

2. Select Review the CSR request from the left navigation pane, click Next.

3. In the left navigation pane, click Upload the Certificate option to add one by one all certificate files received from CA in their respective places, and then click Next.

4. Select Install button under a selection of Install the Certificate as shown in the left navigation pane.

5. Restart your Zimbra Collaboration Server (ZCS).

Finally, you have configured an SSL certificate on your ZCS Server. You can view the installed certificate upon returning to Admin Console.

SSL Certificate Installation via Command Line Interface (CLI):

Run the following command to generate CSR for Zimbra via Command Line Interface (CLI):

/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=LosAngeles/O=Zimbra/OU=Zimbra Collaboration Suite/CN=host.example.com" -subjectAltNames host.example.com

You will find generated CSR at following location:

/opt/zimbra/ssl/zimbra/commercial/commercial.csr

For SSL installation on Zimbra Collaboration Server (ZCS) via CLI, you will have to concatenate (combine) four CAbundle files received from Certificate Authority using a text editor and save the file name as commercial_ca.crt.

Please note: Copy and paste all the files and the data in the sequence like the primary certificate file (your_domain_name.crt), then intermediate certificate (your CA.crt) and in the last root certificate (trustedroot.crt). Always start with the BEGIN, and END tags in the certificate content.

-----BEGIN CERTIFICATE----- 
(Your Intermediate certificate) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Root certificate) 
-----END CERTIFICATE----- 

Now, Place “commercial_ca.crt” file in the following directory

/opt/zimbra/ssl/zimbra/commercial/

and
Next, you will have to validate the certificate chain using below command to confirm the certificate chain on Zimbra starting ZCS 8.7 and above:

/opt/zimbra/bin/verify -CAfile commercial_ca.crt commercial.crt
Valid Certificate: OK

You’ll get a response OK, upon successful certificate validation.

Now, Deploy your CA issued SSL certificate using following command:

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Restart your Zimbra Server using the following command:

zmcontrol restart

Finally, verify the SSL certificate was deployed using the following command:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Related Posts:

• How to Fix “ERR_SSL_PROTOCOL_ERROR” on Google Chrome
• NET::ERR_CERT_COMMON_NAME_INVALID IN CHROME – How to Fix?
• Steps to resolve the ‘NET ERR_CERT_AUTHORITY_INVALID’ Error in Google Chrome
• How to Install SSL certificate on Oracle WebLogic Server?
• Install SSL Certificate on Microsoft IIS 10
• How to Install an SSL Certificate on Tableau Server
• How to Install SSL Certificate on Tomcat Web Server?