Since I couldn’t find a straight forward tutorial for installing a RapidSSL Commerical Certificate on Zimbra 8.0, I decided to write one for reference if not anything else.
RapidSSL Commercial Certificate offer a very cost effective way to add a commercial cert to your Zimbra server.
The best way to install a RapidSSL cert is via the CLI as the root user.
1. Start by logging into your Zimbra servers CLI via SSH.
2. As root begin by generating a Certificate Signing Request (CSR). Below replace ‘mail.yourdomain.com’ with the FQDN of your Zimbra server.
/opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=GB/ST=England/L=London/O=Company Name/OU=Company Branch Name/CN=mail.yourdomain.com" -subjectAltNames mail.yourdomain.com
The above command includes the following codes:
/C = Country: The Country is a two-digit code — for the United Kingdom, it’s ‘GB’. A list of country codes is available here -
/ST = State: State is a full name, i.e. ‘California’, ‘Scotland’.
/L = Locality: Locality is a full name, i.e. ‘London’, ‘New York’.
/O = Organization: The Organization Name is your Full Legal Company or Personal Name, as legally registered in your locality.
/OU = Organizational Unit: The Organizational Unit is whichever branch of your company is ordering the certificate such as accounting, marketing, etc.
/CN = Common Name: The Common Name is the Fully Qualified Domain Name (FQDN) for which you are requesting the ssl certificate. This will be the FQDN of your Zimbra server, e.g. mail.yourdomain.com or zimbra.yourdomain.com
3. Now upload/send the certificate request (Zimbra saves it to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.csr’) to your SSL provider. They will most likely provide you with your Commercial Certificate via an email in the form of text or an attached file.
4. Save your Commercial Certificate in a temporary file. If provided as plain text you can cut and paste it into a new file using
5. Download and save the root Certificate Authority (CA) for RapidSSL certificates to a temporary file. (e.g. /tmp/ca.crt). Again you can cut and paste the CA text into a new file using nano.
The root CA for RapidSSL certificates is provided by GeoTrust and can be found here – https://ssltest12.bbtest.net/
6. Download any intermediary CAs from your SSL provider, again to a temporary file. (e.g. /tmp/ca_intermediary.crt). RapidSSL certs usually come with a single intermediary certificate. Once again, if the intermediary certificate is provided as plain text cut and paste it using
7. Combine root and intermediary CAs into a temporary file.
cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt
8. Verify your commercial Certificate:
# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
9. Deploy your commercial certificate
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
10. To finish, verify the certificate was deployed.
11. Restarting Zimbra services will ensure the new commercial certificate takes effect
su zimbra zmcontrol restart