Configuring Zimbra to use your own (commercial) SSL certificate

I recently installed a new instance of Zimbra 8.0 (actually, I started just before 8.0 came out and upgraded from 7.0 to 8.0) and wanted to enable SSL with our wildcard domain certificate. However, documentation on this is scattered all around the web, and even on Zimbra’s own wiki there are tons of outdated or unclear pages.

Thanks to a tip on IRC from Stijn I had a good starting point, so here’s what I did to get my certificate running.

Note: Our registrar AlphaSSL uses an intermediate certificate below GlobalSign CA, just like StartCom uses different intermediate certificates below their own CA; this calls for an extra step below.

Fetch the GlobalSign CA root certificate:

wget http://www.alphassl.com/support/roots/root.pem

Copy/paste the AlphaSSL intermediate certificate from AlphaSSL’s support pages into AlphaSSLroot.crt.

Place the private key file of your certificate in Zimbra’s commercial key location:

# cp domain.key /opt/zimbra/ssl/zimbra/commercial/commercial.key

You only need this step when your certificate was issued by an intermediate CA, I believe. I don’t have a certificate issued directly under the root CA to test with, so I can’t say for sure:

# cat root.pem AlphaSSLroot.crt > ca_bundle.crt

Place your domain certificate in /root/ssl/domain.crt (or substitute appropriately below) and install the cert/key combination:

# cd /opt/zimbra/bin
# ./zmcertmgr deploycrt comm /root/ssl/domain.crt /root/ssl/ca_bundle.crt
** Verifying /root/ssl/domain.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/ssl/domain.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/ssl/domain.crt: OK
** Copying /root/ssl/domain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /root/ssl/ca_bundle.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

If your chain is broken because of a missing intermediate certificate, you’ll get an error here: Unable to get issuer certificate. Fix your ca_bundle.crt file and try again.
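As an added example that is not part of the original post, the following script builds a throwaway root → intermediate → leaf chain with openssl (constructed stand-ins for the GlobalSign root, the AlphaSSL intermediate and the wildcard certificate) and reproduces the two checks zmcertmgr performs: that domain.crt chains up to ca_bundle.crt, and that the certificate matches the private key. It assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway root -> intermediate -> leaf
# chain with openssl, show why ca_bundle.crt must carry the intermediate, and confirm the
# private key matches the certificate before handing both to zmcertmgr deploycrt.
set -eu
WORK=$(mktemp -d)

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF

# Constructed test PKI standing in for the GlobalSign root, the AlphaSSL intermediate
# and the wildcard domain certificate (file names follow the post).
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -config "$WORK/ssl.cnf" -extensions ca_ext -keyout "$WORK/root.key" -out "$WORK/root.pem"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -config "$WORK/ssl.cnf" -keyout "$WORK/int.key" -out "$WORK/int.csr"
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ssl.cnf" -extensions ca_ext -out "$WORK/AlphaSSLroot.crt"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -config "$WORK/ssl.cnf" -keyout "$WORK/domain.key" -out "$WORK/domain.csr"
  openssl x509 -req -days 2 -in "$WORK/domain.csr" -CA "$WORK/AlphaSSLroot.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/domain.crt"
  # The bundle the post builds: root first, then the intermediate.
  cat "$WORK/root.pem" "$WORK/AlphaSSLroot.crt" > "$WORK/ca_bundle.crt"
}

# Returns 0 when CERT chains to a root in BUNDLE; with the intermediate missing, openssl
# reports "unable to get ... issuer certificate", the failure the post describes.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Returns 0 when the public key in CERT is the one derived from KEY, the check behind
# zmcertmgr's "Certificate ... and private key ... match" line.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$2")" = "$(openssl pkey -pubout -in "$1")" ]
}

make_test_chain 2>/dev/null
chain_verifies "$WORK/root.pem" "$WORK/domain.crt" || echo "root alone: unable to get issuer certificate"
chain_verifies "$WORK/ca_bundle.crt" "$WORK/domain.crt" && echo "root + intermediate bundle: OK"
key_matches_cert "$WORK/domain.key" "$WORK/domain.crt" && echo "domain.key matches domain.crt"
```

Run the same two openssl checks against your real domain.crt, ca_bundle.crt and commercial.key before calling zmcertmgr; a failing chain_verifies is exactly the "Unable to get issuer certificate" case above.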

Import the certificate into Java’s key repository:

# /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit --file /opt/zimbra/ssl/zimbra/commercial/commercial.crt
Owner: CN=*.domain.com, O=*.domain.com, OU=Domain Control Validated, C=BE
Issuer: CN=Alpha CA, O=Alpha, OU=Alpha CA
Serial number: 10000000001189d614161
Valid from: Tue Mar 11 11:27:19 CET 2008 until: Mon Mar 11 11:27:10 CET 2013
(...)
Trust this certificate? [no]: yes
Certificate was added to keystore

Don’t forget to configure Zimbra to use SSL:

zmtlsctl redirect

I use redirect, so that people visiting on http get redirected to https immediately. More information about the different modes can be found here.

All that’s left now is to restart the Zimbra suite:

# su - zimbra
$ zmcontrol restart
Host zimbra.domain.com
Stopping vmware-ha...Done.
(...)
Starting stats...Done.

  • Thank you, mate! Saved me several hours of self-investigation! Works like a charm.

  • You can also install the certificate in the ZCS Admin Console (8.0.7): Configure | Certificates. Click on the drop-down on the right and select “Install Certificate.”

    You can also verify it:
    /opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt

    There are also some third party websites that have SSL checkers to confirm things like intermediate certificates are installed correctly.

    • Tom Laermans

      Thanks! That is indeed correct. I’m not sure that was in 8.0 already, though… or if it was, it might have been well-hidden, or I just didn’t look far enough 🙂

  • Tom Laermans

    I replaced it with a new one last week due to heartbleed, totally forgot I documented this here, and I didn’t import the key into the keystore myself… hmm..

  • KT

    Hi,

    After installing wildcard SSL on 8.6.0 I got this error while sending emails.
    warning: cannot get RSA private key from file /opt/zimbra/conf/smtpd.key: disabling TLS support
    warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
    warning: TLS library problem: error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:458:
    warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

    Please help me about this problem.

    Best Regards.