How to Install a Comodo SSL Certificate in zimbra Email Server

Use this article as a guide to installing a Comodo-issued SSL certificate from the CLI with the zmcertmgr tool.

Get the bundle from Comodo in .crt format; it sometimes arrives as a zip file. It is always good to call or write Comodo and obtain the proper bundle, but you can also download each file from your email and web control panel.

Place the bundle on your Zimbra mailbox server. You should receive, or download, the following files (replace STAR_linuxits_com.crt with the name of your own certificate):

  • AAACertificateServices.crt
  • USERTrustRSAAAACA.crt
  • SectigoRSADomainValidationSecureServerCA.crt
  • STAR_linuxits_com.crt

Download Sectigo Intermediate Certificates - RSA 

Note: the root and intermediate files may have different names depending on the SSL certificate product, such as PositiveSSL.

Create the folder /opt/ssl_cert:

mkdir /opt/ssl_cert

Move all the files into /opt/ssl_cert. STAR_linuxits_com.key is the private key file that was created when you generated the CSR.

  • STAR_linuxits_com.crt
  • STAR_linuxits_com.key
  • AAACertificateServices.crt
  • USERTrustRSAAAACA.crt
  • SectigoRSADomainValidationSecureServerCA.crt

cd /opt/ssl_cert

Confirm that the files are present in /opt/ssl_cert and print each one:

cat /opt/ssl_cert/STAR_linuxits_com.crt 
cat /opt/ssl_cert/STAR_linuxits_com.key 
cat /opt/ssl_cert/AAACertificateServices.crt 
cat /opt/ssl_cert/USERTrustRSAAAACA.crt 
cat /opt/ssl_cert/SectigoRSADomainValidationSecureServerCA.crt

Concatenate the CA certificates to form a single CA certificate chain file:

cat AAACertificateServices.crt USERTrustRSAAAACA.crt SectigoRSADomainValidationSecureServerCA.crt > /opt/ssl_cert/commercial_ca.crt

Copy the SSL certificate key file to commercial.key:

cp /opt/ssl_cert/STAR_linuxits_com.key  /opt/ssl_cert/commercial.key 

Copy the SSL certificate to commercial.crt:

cp /opt/ssl_cert/STAR_linuxits_com.crt  /opt/ssl_cert/commercial.crt 

Make sure the 3 files are available

 ls -lah |  grep commercial

Back up the previous key file:

 cp -r /opt/zimbra/ssl/zimbra/commercial /opt/zimbra/ssl/zimbra/commercial.backup 

Copy key file to /opt/zimbra/ssl/zimbra/commercial/commercial.key

 cp /opt/ssl_cert/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key

Check that your SSL certificate, your private key and the Intermediate CA are OK, this step is important and you should not continue if you receive an error here:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/ssl_cert/commercial.crt /opt/ssl_cert/commercial_ca.crt 

The output will look like this (in this sample the files were under /opt/zimbra/ssl_cert). If there is any error, find the solution before moving forward.

[zimbra@mail ssl_cert]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl_cert/commercial.crt /opt/zimbra/ssl_cert/commercial_ca.crt
** Verifying '/opt/zimbra/ssl_cert/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl_cert/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl_cert/commercial.crt' against '/opt/zimbra/ssl_cert/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl_cert/commercial.crt: OK
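
The same key/certificate/chain checks can be run independently with openssl before handing the files to zmcertmgr. This is an added example, not part of the original article or of Zimbra; the function name preflight is hypothetical, and it adds an expiry check and a key-permission check to the two checks shown in the output above.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks on the
# files prepared above. The function name "preflight" is hypothetical.
# Usage: preflight KEY CERT CA_BUNDLE  -> returns 0 only if every check passes
preflight() {
    key=$1; crt=$2; ca=$3; rc=0

    # 1. The certificate and the private key must hold the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $crt does not match $key"; rc=1
    fi

    # 2. The certificate must chain to the concatenated CA bundle.
    #    Matching on ": OK" avoids relying on the exit code of old releases.
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $crt does not verify against $ca"; rc=1
    fi

    # 3. The certificate must not already be expired.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $crt is expired or unreadable"; rc=1
    fi

    # 4. The private key must not be world-readable (a plain cp under
    #    umask 022 leaves the copy at mode 644).
    if [ -n "$(find "$key" -prune -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $key is world-readable; chmod 640 or tighter"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: key, certificate and chain are consistent"
    return "$rc"
}

# Run directly: sh preflight.sh commercial.key commercial.crt commercial_ca.crt
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```
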

Deploy the commercial certificate with zmcertmgr as the root/zimbra user.

/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/ssl_cert/commercial.crt /opt/ssl_cert/commercial_ca.crt   

The output will look like this (in this sample the files were under /opt/zimbra/ssl_cert). If there is any error, find the solution before moving forward.

[zimbra@mail ssl_cert]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl_cert/commercial.crt /opt/zimbra/ssl_cert/commercial_ca.crt
** Verifying '/opt/zimbra/ssl_cert/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl_cert/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl_cert/commercial.crt' against '/opt/zimbra/ssl_cert/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl_cert/commercial.crt: OK
** Copying '/opt/zimbra/ssl_cert/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/opt/zimbra/ssl_cert/commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/opt/zimbra/ssl_cert/commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.baf.mil.bd...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.baf.mil.bd...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/d73eb532.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/65ff7287.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/fc5a8f99.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/ee64a828.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'd73eb532.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'ee64a828.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink 'fc5a8f99.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '65ff7287.0' -> 'commercial_ca_3.crt'
[zimbra@mail ssl_cert]$

If the output looks like this and there is no error, restart the Zimbra services.

su - zimbra
zmcontrol restart

Conclusion

In this tutorial, we set up a Comodo SSL certificate on a Zimbra email server.

Sys Admin

I am a Red Hat Certified Engineer (RHCE) and working as an IT Professional since 2012...