This guide will show you how to install an SSL Certificate on Zimbra – a popular email server and web client. Prior to the installation, you must generate the CSR code for your certificate and send it to the Certificate Authority. If you haven’t completed this step yet, please follow the instructions on how to generate CSR on Zimbra available in the first part of this guide. After the installation, continue reading to learn a few interesting facts about Zimbra’s history. Finally, discover the best place to buy an SSL Certificate for a Zimbra server.
Generate a CSR code on Zimbra
On Zimbra, you can generate your CSR code in two different ways: via the Admin Console, or using the command line interface.
Note: You can generate only one CSR and a private key file at a time. If you have an existing CSR code and a private key on your Zimbra server, generating a new one will overwrite the previous files.
How to generate a CSR code on Zimbra via the Admin WebApp?
- Log into your Zimbra administration console. To launch the console, type https: //server.yourdomain.com:7071 in your browser, where server.yourdomain.com is your actual server name, assigned during the Zimbra setup. Use your default admin username ([email protected]) to log in. Don’t forget to replace yourdomain.com with your website name
- In your Zimbra Administration dashboard, locate and click the Configure option in the left side menu
- Next, click Certificates in the left section
- Now, hover your mouse cursor to the upper right side over the gear icon. Click on it, and then select Install Certificate
- Form the Server Name drop-down list, choose the server name you want to secure and click Next
- In the Certificate Installation Wizard, click the radio button – Generate the CSR for the commercial certificate authorizer, then Next
- In the next window, fill in the details as shown below:
- Digest – from the drop-down list select secure hash algorithm (e.g. SHA-256)
- Key Length – follow the industry standard key length and pick 2048 bits
- Common name – specify your server hostname (e.g. mail.yourdomain.com). If you have a Wildcard certificate, tick the checkbox – Use Wildcard Common Name, then enter your server hostname with an asterisk in front of the domain name. (e.g. mail. *.yourdomain.com)
- Country Name – provide the two-letter country code (ISO 3166-1 alpha-2 standard) where your business is legally registered (e.g. US). Here you can find the full list of country codes.
- State/Province – enter the state or province where your company is located. (e.g. Montana)
- City – type city where your organization is registered (e.g. Billings)
- Organization name – provide your company’s legal name (e.g. GPI Holding LLC). If you bought a Domain Validation certificate, type NA (not available) or your full name
- Organization Unit – For Business and Extended Validation certificates, enter IT or Web Administration. For Domain Validation SSL, type NA (not available)
- Subject Alternative Names – You should fill in this field only if you have a multi-domain SSL certificate; otherwise, leave it blank
- Verify the info you’ve just entered, then click Next
- Well done! You’ve successfully generated the CSR code. To save it on your desktop, click Download the CSR and choose a save location. You can open the CSR file with any text editor such as Notepad or WordPad. Keep the CSR safe, as you will need it during the SSL order process with your vendor.
How to generate a CSR code on Zimbra using the command line?
To use the command line tool, you need SSH access to your server.
- If your Zimbra version is older than 8.7, log in as root. If your Zimbra release is 8.7 or newer, log in as Zimbra user. Use the two commands below to switch between root and Zimbra user:
su – zimbra(root > Zimbra user)
sudo su(Zimbra user > root)
- To generate the CSR code, we’ll use the
zmcrtmgrcommand line tool. By default, it resides in /opt/zimbra/bin/zmcertmgr
- Run the command below to create your CSR:
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=CC/ST=State/L=City/O=Company/OU=NA/CN=yourdomain.com" –noDefaultSubjectAltName
- Now, you need to replace the values with information relevant to your certificate
- C – enter the two-letter country code. Here you can find the full list of country codes.
- ST – enter the legal state or province of your organization. If not applicable, type the city name
- L – submit the locality or city where your business is registered
- O – provide the official organization name. For example, GPI Holding LLC. If you have a Domain Validation certificate, type your full name, or simply NA (not available)
- OU – Organization unit. You may include IT or Web Administration; if you bought a Domain Validation certificate, type NA (not available)
- CN – Common name. Provide the hostname of the server you want to protect. For a wildcard certificate, add an asterisk in front of the domain name. For example: mail.*.yourdomain.com
- Here’s an example of how your command should look:
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=California/L=SanJose/O=GPIHoldingLLC Inc/OU=IT/CN=server.ssldragon.com" –noDefaultSubjectAltName
If you need to secure multiple domains, adjust your command as below:
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=CC/ST=State/L=City/O=Company/OU=NA/CN=server.yourdomain.com" -subjectAltNames “subdomain.yourdomain.com,seconddomain.com,thirddomain.com”
Note: Make sure you replace the example values with your company or personal details.
- Zimbra will save the new CSR (commercial.csr) in the following directory: /opt/zimbra/ssl/zimbra/commercial/commercial.csr.
- You can open it with any text editor. Alternatively, you can open it in the console via this command: cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr
- Along with your CSR Code, Zimbra will create your private key, available here: /opt/zimbra/ssl/zimbra/commercial/commercial.key. You will need it during the certificate installation
- Now that you’ve created the CSR file, you can copy-paste its contents including —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– during your certificate order.
After you received the SSL files from your Certificate Authority, proceed with the installation.
Install an SSL Certificate on Zimbra
Just like the CSR generation, you have SSL installation options on Zimbra. First, we’ll do it via the WebApp administration console, and then we’ll perform the same task using Zimbra command line interface.
Note: If you didn’t generate the CSR on Zimbra, you need to install the certificate only via the command line interface.
Install an SSL Certificate on Zimbra via the Admin Console
- Log into the admin console with your admin username and password
- From the left side menu select Configure > Certificates
- Next, locate the gear icon (next to Help) on the upper right corner. Click on it, then select Install Certificate
- From the drop-down list, select the server name you want to secure and click Next
- Choose the last option – Install the commercially signed certificate and click Next
- Check the information you’ve submitted during the CSR generation and click Next
- Now, you need to upload your certificate (.crt file) and Ca bundle certificates (.ca-bundle file). You should have them on your server or desktop by now. If not, download the files from your email inbox, and extract the archived certificates. To open them, use any text editor such as Notepad. Update the following files:
- Certificate: your SSL certificate file with the .crt extension.
- RootCA: this is the last (third) certificate from your CA bundle file.
- Intermediate CA: this is the second certificate from your CA bundle file.
- Intermediate CA: this is the first certificate from your CA bundle file
Note: The 3rd certificate from the CA bundle – the RootCA – is usually either stored by default (on most old servers) or not required at all on modern servers because its format is SHA-1, not SHA-2. However, Zimbra is an exception, and it requires you to upload the SHA-1 Root CA file manually. You can find it in this FAQ item.
- Once you’ve uploaded all the files, click Next to continue
- Press the Install button, and wait. The installation may take a few minutes
- If your installation is successful, the following message will appear: “Your certificate was installed successfully. You must restart your ZCS server to apply the changes”
- Use the
su-zimbracommand to switch from root to Zimbra user. Restart your Zimbra server with the following command:
zmcontrol restart. To switch back to root, run
- After the restart, you can find the newly installed certificate in the Configuration > Certificates section. Simply click on the gear icon (upper right corner) and select View Certificate. The new page will display the SSL Certificate status.
Install an SSL Certificate on Zimbra using the command line interface
The Preferred Method
Note: This should be the preferred method of installation as any error messages, if any, are hidden by Zimbra’s WebGUI when using it. So if something goes wrong, you’ll get the error message from the zm commands directly instead of something cryptic that is of no use.
Place the signed certificate in the file certificate and the root and intermediate certificates in the file root+interm. Please make sure that the files are placed locally to where you run the command or specify the full paths:
cat >deploy <<eof
zmcertmgr deploycrt comm certificate root+interm
chmod +x deploy
- For Zimbra version older than 8.7, log in as root; otherwise, log in as a Zimbra user. Use the commands below to change between root and Zimbra user:
su – zimbra(root > zimbra user)
sudo su(zimbra user > root)
- Locate and open the zmcertmgr tool: /opt/zimbra/bin/zmcertmgr
- Now, prepare your certificate files and upload them to a directory of your choice on the server. Your certificate (.crt) and CA bundle (.ca-bundle) files were sent by the Certificate Authority to your email during the SSL validation process
Note: If you didn’t generate the CSR code on Zimbra, you also need to upload the private key file.
- For the purpose of this example, we will upload the certificate files into the /opt/ directory.
Remember! You have to replace the /opt/ directory and the certificate name, with your own location, and details.
- Upload your certificate file: /opt/yourwebsite_com.crt
- Upload your CA bundle file: /opt/yourwebsite_com.ca-bundle
Note: Your CA bundle must contain the root certificate, as well as all the intermediate certificates.
- Check that your certificate matches the private key via this command:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/yourwebsite_com.crt /opt/yourwebsite_com.ca-bundle
- Set up the certificate by using this command:
/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/yourdomain_com.crt /opt/yourdomain_com.ca-bundle
Note: If you didn’t create the CSR on Zimbra, you must name your private key file commercial.key and upload it into the following directory: /opt/zimbra/ssl/zimbra/commercial.
- Double-check your certificate information by running this command:
- Run the
su-zimbracommand to switch from root to Zimbra user. Use
zmcontrol restartto restart your server. To return to root, run
- Congratulations! You have successfully installed the SSL Certificate using Zimbra command-line interface.
Test your SSL installation
After you install an SSL Certificate on Zimbra, it’s important to scan it for potential vulnerabilities. Better catch them early, then watch your site displaying SSL related errors. Use one of these high-end SSL tools to get instant status reports on your SSL certificate.
Zimbra history and versions
Zimbra is an email server and web client, similar to Microsoft Exchange and Outlook. Since its first release as a collaborative software in 2005, Zimbra has changed several owners, among them, the prominent Yahoo! Today, Zimbra is owned by Synacor Inc, a technology and services company based in Buffalo, New York.
Former Zimbra president and CTO Scott Dietzen revealed on his blog the origin of Zimbra’s name. It derives from the song “I Zimbra”, from the 1979 album Fear of Music by the American new wave band Talking Heads.
Below, you’ll find all the major Zimbra releases:
- Zimbra 8.8.9 GA Release (codename Curie) – released on 07-10-2018
- Zimbra 8.8.8 GA Release (codename Turin) – released on 04-02-2018
- Zimbra 8.8 GA Release (codename JudasPriest) – released on 12-12-2017
- Zimbra 8.7.0 GA Release (codename JudasPriest) – released on 07-13-2016
- Zimbra 8.6.0 GA Release (codename JudasPriest) – released on 12-15-2014 (no longer supported)
- Zimbra 8.5.0 GA Release (codename JudasPriest) – released on 08-28-2014 (no longer supported).
Where to buy an SSL Certificate for Zimbra?
The best place to buy an SSL Certificate for your Zimbra server is from a reliable SSL reseller such as SSL Dragon. Along with the lowest prices anywhere on the market, we offer regular discounts and great deals on all our SSL products. All our certificates are compatible with Zimbra, and you can always use our exclusive tools such as SSL Wizard and Advanced Certificate Filter to find the ideal SSL product for your website. We offer the following types of certificates:
- Domain Validation
- Business Validation
- Extended Validation
- Code Signing
- IP Address
SSL Dragon takes care of your sensitive data security, so your website or business can thrive online!
If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.