Installing a RapidSSL certificate on Zimbra 8.0

Since I couldn't find a straight forward tutorial for installing a RapidSSL (or any other) Commerical Certificate on Zimbra 8.0, I decided to write one for reference if not anything else.

RapidSSL Commercial Certificates offer a cost effective way to add a commercial cert to your Zimbra server.

The easiet method to install a RapidSSL cert is via the CLI as the root user.

1. Start by logging into your Zimbra servers CLI via SSH.

2. As root, begin by generating a Certificate Signing Request (CSR). Below replace 'mail.yourdomain.com' with the FQDN of your Zimbra server.

# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=GB/ST=England/L=London/O=Company Name/OU=Company Branch Name/CN=mail.yourdomain.com" -subjectAltNames mail.yourdomain.com

The above command includes the following codes:

/C = Country: The Country is a two-digit code -- for the United Kingdom, it's 'GB'. A list of country codes is available here -

/ST = State: State is a full name, i.e. 'California', 'Scotland'.

/L = Locality: Locality is a full name, i.e. 'London', 'New York'.

/O = Organization: The Organization Name is your Full Legal Company or Personal Name, as legally registered in your locality.

/OU = Organizational Unit: The Organizational Unit is whichever branch of your company is ordering the certificate such as accounting, marketing, etc.

/CN = Common Name: The Common Name is the Fully Qualified Domain Name (FQDN) for which you are requesting the ssl certificate. This will be the FQDN of your Zimbra server, e.g. mail.yourdomain.com or zimbra.yourdomain.com

3. Now upload/send the certificate request (Zimbra saves it to '/opt/zimbra/ssl/zimbra/commercial/commercial.csr') to your SSL provider. They will most likely provide you with your Commercial Certificate via an email in the form of text or an attached file.

4. Save your Commercial Certificate in a temporary file. If it was provided as plain text, you can cut and paste it into a new file using
nano

# nano /tmp/commercial.crt

5. Download and save the root Certificate Authority (CA) for RapidSSL certificates to a temporary file. (e.g. /tmp/ca.crt). Again you can cut and paste the CA text into a new file using nano.

# nano /tmp/ca.crt

The root CA for RapidSSL certificates is provided by GeoTrust and can be found here - https://ssltest12.bbtest.net/

6. Download any intermediary CAs from your SSL provider, again to a temporary file. (e.g. /tmp/ca_intermediary.crt). RapidSSL certs usually come with a single intermediary certificate. Once again, if the intermediary certificate is provided as plain text cut and paste it using nano

# nano /tmp/ca_intermediary.crt

7. Combine root and intermediary CAs into a temporary file.

# cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt

8. Verify your commercial Certificate:

# /opt/zimbra/openssl/bin/openssl verify -CAfile /tmp/ca_chain.crt /tmp/commercial.crt

9. Deploy your commercial certificate

# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt

10. To finish, verify the certificate was deployed.

# /opt/zimbra/bin/zmcertmgr viewdeployedcrt

11. Restarting Zimbra services will ensure the new commercial certificate takes effect

# su zimbra
# zmcontrol restart