How to Install a Comodo SSL Certificate in Zimbra Email Server
Use this article as a guide to installing a Comodo-issued SSL certificate with the zmcertmgr tool from the CLI.
Get the bundle from Comodo in crt format, or sometimes as a zip file. It is always good to call or write Comodo and obtain the proper bundle, but you can also download each file from your email and web control panel.
Place the bundle on your Zimbra mailbox server. You should receive, or download, the following files (replace STAR_linuxits_com.crt with the name of your own certificate):
- AAACertificateServices.crt
- USERTrustRSAAAACA.crt
- SectigoRSADomainValidationSecureServerCA.crt
- STAR_linuxits_com.crt
Download Sectigo Intermediate Certificates - RSA
Note that the root and intermediate files may have different names depending on the SSL certificate product, such as PositiveSSL.
Create the folder /opt/ssl_cert:
mkdir /opt/ssl_cert
Move all files into /opt/ssl_cert. The private key, STAR_linuxits_com.key, is the file that was created when you generated the CSR.
- STAR_linuxits_com.crt
- STAR_linuxits_com.key
- AAACertificateServices.crt
- USERTrustRSAAAACA.crt
- SectigoRSADomainValidationSecureServerCA.crt
cd /opt/ssl_cert
Confirm that the files are available in /opt/ssl_cert and check their contents:
cat /opt/ssl_cert/STAR_linuxits_com.crt
cat /opt/ssl_cert/STAR_linuxits_com.key
cat /opt/ssl_cert/AAACertificateServices.crt
cat /opt/ssl_cert/USERTrustRSAAAACA.crt
cat /opt/ssl_cert/SectigoRSADomainValidationSecureServerCA.crt
Concatenate the CA certificates to form a single CA certificate chain file:
cat AAACertificateServices.crt USERTrustRSAAAACA.crt SectigoRSADomainValidationSecureServerCA.crt > /opt/ssl_cert/commercial_ca.crt
Copy the SSL certificate key file to commercial.key:
cp /opt/ssl_cert/STAR_linuxits_com.key /opt/ssl_cert/commercial.key
Place the SSL certificate in commercial.crt
cp /opt/ssl_cert/STAR_linuxits_com.crt /opt/ssl_cert/commercial.crt
Make sure the 3 files are available
ls -lah | grep commercial
Back up the previous key file:
cp -r /opt/zimbra/ssl/zimbra/commercial /opt/zimbra/ssl/zimbra/commercial.backup
Copy key file to /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp /opt/ssl_cert/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
Check that your SSL certificate, your private key and the intermediate CA are OK. This step is important and you should not continue if you receive an error here:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/ssl_cert/commercial.crt /opt/ssl_cert/commercial_ca.crt
The output should look like this. If there is any error, find the solution before moving forward.
[zimbra@mail ssl_cert]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl_cert/commercial.crt /opt/zimbra/ssl_cert/commercial_ca.crt
** Verifying '/opt/zimbra/ssl_cert/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl_cert/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl_cert/commercial.crt' against '/opt/zimbra/ssl_cert/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl_cert/commercial.crt: OK
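The two properties verifycrt reports above (key and certificate match, valid chain) can also be checked with plain openssl before anything is copied into Zimbra's directories. This is an added example, not part of the original guide or of zmcertmgr; the function names, the 30-day expiry check and the constructed demo chain are assumptions for illustration.

```shell
#!/bin/sh
# Added example: checks the two properties verifycrt reports, with plain openssl.
# Run as: sh preflight.sh KEY CERT CA_BUNDLE   (script name is hypothetical)

# True when the certificate carries the public key derived from the private key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# True when the certificate chains to a CA in the concatenated bundle.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when the certificate is still valid N days from now (default 30).
not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Args: KEY CERT CA_BUNDLE. Prints one verdict line; non-zero status on failure.
preflight() {
    key_matches_cert "$1" "$2" || { echo "FAIL: key/cert mismatch"; return 1; }
    chain_verifies "$3" "$2"   || { echo "FAIL: chain does not verify"; return 1; }
    not_expiring "$2"          || { echo "FAIL: cert expires within 30 days"; return 1; }
    echo "OK"
}

# Constructed sample input: throwaway root CA and leaf written to directory $1,
# using the guide's file names. Optional $2 is the leaf lifetime in days.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=Constructed Demo Root" \
        -keyout "$1/ca.key" -out "$1/commercial_ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/commercial.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days "${2:-60}" -CA "$1/commercial_ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/commercial.crt" 2>/dev/null
}

# With three arguments, check real files; with none, only the functions are defined.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Against the files built in this guide, the arguments would be /opt/ssl_cert/commercial.key, /opt/ssl_cert/commercial.crt and /opt/ssl_cert/commercial_ca.crt.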
Deploy the commercial certificate with zmcertmgr as the root/zimbra user.
/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/ssl_cert/commercial.crt /opt/ssl_cert/commercial_ca.crt
The output should look like this. If there is any error, find the solution before moving forward.
[zimbra@mail ssl_cert]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl_cert/commercial.crt /opt/zimbra/ssl_cert/commercial_ca.crt
** Verifying '/opt/zimbra/ssl_cert/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl_cert/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl_cert/commercial.crt' against '/opt/zimbra/ssl_cert/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl_cert/commercial.crt: OK
** Copying '/opt/zimbra/ssl_cert/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/opt/zimbra/ssl_cert/commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/opt/zimbra/ssl_cert/commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.baf.mil.bd...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.baf.mil.bd...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/d73eb532.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/65ff7287.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/fc5a8f99.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/ee64a828.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'd73eb532.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'ee64a828.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink 'fc5a8f99.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '65ff7287.0' -> 'commercial_ca_3.crt'
[zimbra@mail ssl_cert]$
If your output matches this and there are no errors, restart the Zimbra services.
su - zimbra -c "zmcontrol restart"
Conclusion
This tutorial covered setting up a Comodo SSL certificate on a Zimbra email server.