Zimbra SSL - Redirection and Commercial Certificates

Certificate Checker

Force the Use of SSL

:!: Newer Zimbra installers install the proxy component by default, so on a current install follow the With Proxy steps; the No Proxy steps apply only when mailboxd serves HTTP directly.

No Proxy

http://wiki.zimbra.com/wiki/CLI_zmtlsctl_to_set_Web_Server_Mode

This sets the mailboxd web server mode so that every plain HTTP connection is redirected to HTTPS (the reboot restarts the services so the new mode takes effect):

su - zimbra
zmtlsctl redirect
exit
reboot

With Proxy

http://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy#Protocol_Requirements_Including_HTTPS_Redirect

Set the proxy's mail mode to redirect, as the zimbra user, replacing proxy.server.name with the Zimbra hostname of the proxy server:

zmprov ms proxy.server.name zimbraReverseProxyMailMode redirect

reboot

Commercial Certificates

:!: If you have problems when installing or renewing a commercial cert, try installing a self-signed cert first, then install the commercial cert.

:!: If you continue to have problems, use the CLI procedure described under Comodo below.

http://www.andrewklau.com/adding-my-own-wildcard-ssl-certificate-to-zimbra-collabration-server-8/

http://www.sononaco.com/blog/wildcard-comodo-ssl-chains-and-zimbra/

https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools

Zimbra Admin → Configure → Certificates → (gear icon) → Install Certificates

:!: Comodo commercial certificate example

  1. Run the certificate wizard and generate a CSR
    • If renewing, you can just use the existing CSR
  2. Order the SSL certificate using the CSR you just created
  3. Run the certificate wizard again to install the commercial cert you purchased
    1. Add a second intermediate CA certificate field if necessary
      • Click the link Add Intermediate CA
    2. Load the new server certificate
      • mail_yourdomain_com.crt
    3. Load the root CA certificate
      • AddTrustExternalCARoot.crt
    4. Load the first intermediate cert that came with your server certificate
      • COMODORSAAddTrustCA.crt
    5. Load the Second intermediate cert that came with your server certificate
      • COMODORSADomainValidationSecureServerCA.crt
    6. Click Install

:!: If any errors are thrown, double-check that you are using the correct root and intermediate certificates; that is the usual cause. Note that the AddTrust External CA Root named in this example expired on 30 May 2020, and Sectigo (formerly Comodo) now issues from a different chain, so always use the intermediate and root files that came with your certificate rather than the file names above.

Comodo

:!: If the GUI cert installation fails, create and install a new self-signed cert, reboot, then use the CLI to install the new cert.

https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration

Generate the CSR (certificate signing request) and the private key, either in the Zimbra Admin Console (ZAC) or with the CLI command below it. Keep the private key on the server; it is the only copy, and the commercial certificate is useless without it:

ZAC → Configure → Certificates → YourZimbraHostName → Gear Icon → Install New Certificate

/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Zimbra/OU=Zimbra Collaboration Suite/CN=host.example.com" -subjectAltNames "name2.example.com,example.com"

Purchase the SSL certificate using the CSR just created.

Create the file commercial_ca.crt by concatenating the CA files Comodo sent you (the root and both intermediates, in the order shown in the Zimbra wiki example; substitute the file names your CA actually shipped). CLI example:

cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > commercial_ca.crt

Install the server certificate and its chain. On Zimbra releases before 8.7 run zmcertmgr as root; on 8.7 and later run it as the zimbra user. commercial.crt is the server certificate from the CA and must match the private key generated with the CSR (Zimbra keeps it at /opt/zimbra/ssl/zimbra/commercial/commercial.key). Restart the Zimbra services afterwards:

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
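The checks below are an added example and not part of the Zimbra wiki or the zmcertmgr tool: they are what to run on commercial.crt, commercial_ca.crt and the private key before calling deploycrt, and they cover the two failure modes this page mentions, a chain that is missing the right intermediate (the usual Install error) and a certificate that is about to expire (what zmcheckexpiredcerts -days N reports in the Self-Signed section). Because a real CA's files cannot be shipped here, the script first generates a throwaway root, intermediate and server certificate for the hypothetical host mail.example.com as constructed test data; the function names and the "Example Test" subjects are mine. Only openssl is required.

```shell
#!/usr/bin/env bash
# Added example (not from the Zimbra wiki): pre-deployment checks for a
# commercial certificate, exercised against a throwaway
# root -> intermediate -> server chain that this script builds itself
# (constructed test data standing in for the files a CA sends you).
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: root CA, one intermediate, and a 30-day server cert for
# the hypothetical host mail.example.com. Extensions come from small
# extfiles so the same commands work on OpenSSL 1.1 and 3.x.
make_test_pki() {
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > "$d/srv.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Example Test Root" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Example Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/commercial.key" -out "$d/server.csr" \
    -subj "/CN=mail.example.com" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/srv.ext" -out "$d/commercial.crt" 2>/dev/null
}

# Concatenate the CA files into a bundle, exactly like the cat command on
# this page. openssl verify -CAfile does not care about the order.
build_chain_file() {
  local out=$1; shift
  cat "$@" > "$out"
}

# 0 if the server cert chains through the bundle up to a self-signed root.
# A bundle without the right intermediate fails with
# "unable to get local issuer certificate", the classic Install error.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the private key's public half equals the cert's public key, i.e. the
# CA issued the cert for the CSR you actually generated on this server.
key_matches_cert() {
  local kpub cpub
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# 0 if the cert expires within N days (the condition zmcheckexpiredcerts
# -days N reports on); -checkend exits 0 only while the cert stays valid.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# 0 if the host is listed in subjectAltName; a CN-only certificate is
# rejected by current browsers and mail clients.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|[[:space:]]|$)"
}

# Demo: the same calls you would make on the real files before
#   zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
report() { if "$@"; then echo "true : $*"; else echo "false: $*"; fi; }
make_test_pki "$WORK"
build_chain_file "$WORK/commercial_ca.crt" "$WORK/root.crt" "$WORK/int.crt"
report verify_chain "$WORK/commercial.crt" "$WORK/commercial_ca.crt"
report verify_chain "$WORK/commercial.crt" "$WORK/root.crt"   # intermediate missing
report key_matches_cert "$WORK/commercial.key" "$WORK/commercial.crt"
report expires_within_days "$WORK/commercial.crt" 7
report cert_covers_host "$WORK/commercial.crt" mail.example.com
```

Point the functions at the real commercial.crt, commercial_ca.crt and commercial.key to use them for an actual deployment; the bundle check is the one to run first whenever the Install button or deploycrt reports an error.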

Self-Signed Certificates

:!: If your self-signed cert expires, or if you have problems installing a commercial cert, you can use the script at the end of this section to rebuild the SSL configuration and deploy a fresh self-signed certificate.

Newest Quickie Renew Expired Self-Signed SSL Certificate

To list certificates that have expired or will expire within one day, run the following command as the zimbra user:

/opt/zimbra/libexec/zmcheckexpiredcerts -days 1 -verbose

Run the following commands as root (each one switches to the zimbra user) to regenerate the self-signed CA and server certificate, then restart the Zimbra services:

su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'

Quickie Renew Expired Self-Signed SSL Certificate

Create and deploy a new ten-year self-signed certificate signed by the existing Zimbra CA, then restart the services:

su - zimbra
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
zmcontrol restart

SSL Rebuild Script

##################################################
# Regenerate SSL Cert
# Run as root. Destructive: it deletes /opt/zimbra/ssl, so
# back that directory up first if you may want the old
# keys or certificates back.
##################################################
su - zimbra -c 'zmcontrol stop'
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
# Remove the old CA and server certificate from the Java stores so the
# new ones cannot conflict with them. The cacerts path contains the
# version of the bundled JDK; adjust it to what ls /opt/zimbra/common/lib/jvm/
# shows on your server. keytool reports an error if the alias is absent,
# which is harmless here.
/opt/zimbra/common/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/common/lib/jvm/openjdk-1.8.0_172-zimbra/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass "$(su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password')"

# Services are stopped, so deploy the new CA locally only (LDAP is not
# available yet); the cluster-wide deployca follows after the start.
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca -localonly'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'

su - zimbra -c 'zmcontrol start'

# With LDAP up, deploy again so the CA is published to every server.
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'

# Refresh the SSH keys Zimbra uses between servers, then confirm what
# is actually deployed.
su - zimbra -c 'zmupdateauthkeys'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr viewdeployedcrt'

internet/mail/zimbra/zimbra_ssl.txt · Last modified: 2022/11/03 10:09 by gcooper