
Zimbra SSL - Redirection and Certificates

Certificate Checker

Force the Use of SSL

:!: Newer Zimbra installers default to installing the proxy component.

No Proxy

This will redirect all HTTP connections to HTTPS. Run it as the zimbra user, then restart mailboxd (zmmailboxdctl restart) so the new mode takes effect:

su - zimbra
zmtlsctl redirect

With Proxy

zmprov ms takes the server name as its first argument; run this as the zimbra user on the proxy host, then restart the proxy (zmproxyctl restart) so the change takes effect:

zmprov ms $(zmhostname) zimbraReverseProxyMailMode redirect


Commercial Certificates

:!: If you have problems when installing or renewing a commercial cert, try installing a self-signed cert first, then install the commercial cert.

:!: If you continue to have problems, consider using the CLI.

Zimbra Admin → Configure → Certificates → (gear icon) → Install Certificates

:!: Comodo commercial certificate example

  1. Run the certificate wizard and generate a CSR
    • If renewing, you can just use the existing CSR
  2. Order the SSL certificate using the CSR you just created
  3. Run the certificate wizard again to install the commercial cert you purchased
    1. Add a second intermediate CA certificate field if necessary
      • Click the link Add Intermediate CA
    2. Load the new server certificate
      • mail_yourdomain_com.crt
    3. Load the root CA certificate
      • AddTrustExternalCARoot.crt
    4. Load the first intermediate cert that came with your server certificate
      • COMODORSAAddTrustCA.crt
    5. Load the Second intermediate cert that came with your server certificate
      • COMODORSADomainValidationSecureServerCA.crt
    6. Click Install

:!: If any errors are thrown, double-check that you are using the correct root and intermediate certificates. That's usually where the problem lies. Note that the AddTrust External CA Root used in this example expired on 30 May 2020; certificates issued or renewed after that date ship with a different root and intermediates, so always use the CA files that arrived with your own certificate rather than the file names above.


:!: If the GUI cert installation fails, create and install a new self-signed cert, reboot, then use the CLI to install the new cert.

Generate the CSR (certificate signing request) and the private key, either in the Zimbra Admin Console (ZAC):

ZAC → Configure → Certificates → YourZimbraHostName → Gear Icon → Install New Certificate

or from the CLI (on Zimbra 8.7 and later run zmcertmgr as the zimbra user; on earlier releases run it as root). Put the server's hostname in the CN and list every name the certificate must cover, comma-separated, in -subjectAltNames (mail.yourdomain.com below is a placeholder):

/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Zimbra/OU=Zimbra Collaboration Suite/CN=mail.yourdomain.com" -subjectAltNames "mail.yourdomain.com"

The CSR is written to /opt/zimbra/ssl/zimbra/commercial/commercial.csr and the private key to commercial.key in the same directory.

Purchase the SSL certificate using the CSR just created.

Create the file commercial_ca.crt by concatenating the 3 files that Comodo sent to you. CLI example:

cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > commercial_ca.crt

Install the SSL certificate. The issued certificate (commercial.crt) must pair with the commercial.key that createcsr wrote to /opt/zimbra/ssl/zimbra/commercial/. Run this as root on Zimbra 8.6 and earlier, and as the zimbra user on 8.7 and later:

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Self-Signed Certificates

:!: If your self-signed cert expires, or if you have problems when installing a commercial cert, you can use the following script to rebuild the SSL configuration and implement a self-signed certificate.

Newest Quickie Renew Expired Self-Signed SSL Certificate

To list certificates that have expired or will expire within the next day (the -days value sets the look-ahead window), run the following command as the zimbra user:

/opt/zimbra/libexec/zmcheckexpiredcerts -days 1 -verbose
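The two situations above where things go wrong, a commercial certificate rejected because the chain or key does not match (the Commercial Certificates section), and a certificate that has quietly expired (the zmcheckexpiredcerts check), can both be caught with plain openssl before touching Zimbra. The script below is an added example, not code from this page or from Zimbra's tooling: it builds a throw-away root → intermediate → server PKI (standing in for the files a CA such as Comodo sends), then runs three checks: that the server certificate verifies against the concatenated CA bundle, that the private key belongs to the certificate, and whether the certificate is still valid N days from now. It assumes only that the openssl CLI is installed; every host name, file name and the "wrong.key" mismatch case are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the Zimbra wiki page or Zimbra's own tools.
# Builds a throw-away root -> intermediate -> leaf PKI with openssl (standing
# in for the files a commercial CA sends), then runs the checks worth doing
# before "zmcertmgr deploycrt comm" and the expiry question that
# "zmcheckexpiredcerts -days N" asks. All names below are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_test_pki() {   # $1 = work dir; writes root/inter/commercial key+cert
  local d=$1 cnf="$1/openssl.cnf"
  # root CA (self-signed)
  openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Test Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # intermediate CA, signed by the root
  openssl req -config "$cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Test Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  # server (leaf) certificate for the constructed host mail.example.com, valid 30 days
  openssl req -config "$cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mail.example.com" -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/commercial.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/commercial.crt" 2>/dev/null
  # an unrelated key, to show what a key/certificate mismatch looks like
  openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null
}

# Check 1: does the server cert chain up to a root through the CA bundle?
# Every cert in -CAfile is treated as trusted, so a bundle that is missing an
# intermediate fails with "unable to get local issuer certificate".
chain_ok() {           # $1 = server cert, $2 = concatenated CA bundle
  openssl verify -CAfile "$2" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Check 2: does the private key belong to the certificate? Compare public keys.
key_matches_cert() {   # $1 = private key, $2 = certificate
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: will the certificate still be valid N days from now? Exit 0 if yes.
valid_for_days() {     # $1 = certificate, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

make_test_pki "$WORK"
# The bundle the page builds: root and intermediate(s) concatenated into one file
cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/commercial_ca.crt"
# The common mistake: a bundle holding the root only, intermediate forgotten
cp "$WORK/root.crt" "$WORK/root_only.crt"

report() {   # $1 = label, rest = command; prints OK/FAIL, never aborts the script
  local label=$1; shift
  if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
  return 0
}
report "chain verifies with root+intermediate" chain_ok "$WORK/commercial.crt" "$WORK/commercial_ca.crt"
report "chain verifies with root only"          chain_ok "$WORK/commercial.crt" "$WORK/root_only.crt"
report "commercial.key matches commercial.crt"  key_matches_cert "$WORK/commercial.key" "$WORK/commercial.crt"
report "wrong.key matches commercial.crt"       key_matches_cert "$WORK/wrong.key" "$WORK/commercial.crt"
report "still valid in 1 day"                   valid_for_days "$WORK/commercial.crt" 1
report "still valid in 60 days"                 valid_for_days "$WORK/commercial.crt" 60
```

Run it anywhere openssl is installed; the second, fourth and sixth lines of the report are the FAIL cases you want to see before deploying rather than after. On the Zimbra server itself, zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt performs the equivalent key and chain checks against the real files.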

Run the following as root (each command switches to the zimbra user, which Zimbra 8.7 and later require for zmcertmgr) to regenerate the CA and the self-signed server certificate. createca only rebuilds the CA, so createcrt is needed as well or deploycrt would redeploy the old server certificate. Afterwards restart Zimbra (zmcontrol restart) so the services load the new certificate:

su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'

Quickie Renew Expired Self-Signed SSL Certificate

:!: This older variant runs zmcertmgr as root, which is correct for Zimbra 8.6 and earlier; on 8.7 and later run the zmcertmgr commands as the zimbra user instead.

Log in as root and create a new server certificate from the existing Zimbra CA, then deploy it:

/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self

su - zimbra
zmcontrol restart

SSL Rebuild Script

:!: Run as root. The rm below deletes every key and certificate under /opt/zimbra/ssl, including any commercial certificate and its private key, so copy that directory somewhere safe first.

# Regenerate SSL Cert
su - zimbra -c 'zmcontrol stop'
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
# The cacerts path depends on the installed JDK: check the directory name
# under /opt/zimbra/common/lib/jvm/ and adjust the version string below
/opt/zimbra/common/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/common/lib/jvm/openjdk-1.8.0_172-zimbra/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`

# New CA and self-signed server cert; LDAP is down, so deployca -localonly
# installs the CA on this host without trying to store it in LDAP
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca -localonly'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'

su - zimbra -c 'zmcontrol start'

# With LDAP up again, deploy once more and run deployca without -localonly
# so the CA is also stored in LDAP
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'

# Refresh the SSH auth keys and confirm what is now deployed
su - zimbra -c 'zmupdateauthkeys'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr viewdeployedcrt'
internet/mail/zimbra/zimbra_ssl.1596996090.txt.gz · Last modified: 2020/08/09 12:01 by gcooper