How To Install SSL Certificate on Zimbra Collaboration Server via command line (CLI)
We are publishing this Zimbra tutorial as a lot of customers have reported an issue when trying to install their SSL Certificate using Zimbra’s Admin Console (GUI).
The steps listed below have been proof-tested on Zimbra Collaboration Open Source and Network editions (ZCS 8.7). If you are using an older or newer version of Zimbra and you are a NetShop ISP customer please contact our Support team for assistance.
Installing SSL Certificate using the CLI
Pre-requisites
- Zimbra Collaboration Suite (Open Source or Network) installed on a Linux server
- SSH access on the server
- Active (non-expired) SSL Certificate from your vendor (Don’t have one? Order EssentialSSL at €16.85/year)
- You have the following SSL Certificate files: Bundle (Root, Intermediate) and Certificate
- SSL key exists on your Zimbra server (/opt/zimbra/ssl/zimbra/commercial/commercial.key)
Step 1 — Upload Certificate on Server
As zimbra user, create a temporary file under (/tmp) and paste the Root and Intermediate certificates content (may be a single file named Bundle):
[root@zimbra-netshop /]$ su - zimbra
[zimbra@zimbra-netshop ~]$ vi /tmp/commercial_ca.crtSave the file and exit.
Then, place the SSL Certificate in /tmp/commercial.crt
[zimbra@zimbra-netshop ~]$ vi /tmp/commercial.crtSave the file and exit.
Step 2 — Verify SSL Certificate and Key
Do a dry-run to check if your Certificate chain (Certificate, Intermediate CA, Root) and your private key are OK. If you receive an error after executing the following command, contact your Zimbra server administrator.
[zimbra@zimbra-netshop ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crtIdeal output should be:
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK
Step 3 — Deploy Certificate with zmcertmgr command
Deploy your SSL certificate with zmcertmgr command:
[zimbra@zimbra-netshop ~]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crtIdeal output should be:
[ … ]
** Installing proxy certificate and key…done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.
** Installing CA to /opt/zimbra/conf/ca…done.
Step 4 — Restart Zimbra Services
Execute the following command as zimbra user:
[root@zimbra-netshop /]$ su zimbra
[zimbra@zimbra-netshop ~]$ zmcontrol restartYou are all set! You can navigate to your Zimbra server’s hostname and confirm you can access the Web interface via https.
