This guide shows you how to generate a CSR (Certificate Signing Request) on Zimbra Collaboration Suite (ZCS). You have two options: the Zimbra Administration Console (the web UI) or the command line with zmcertmgr. Both create the same pair of files on the server: a CSR you submit to your Certificate Authority and a matching private key that stays on Zimbra. The CLI is the faster path on modern ZCS 10.x and gives you exact control over the SAN list, key size, and digest.
Zimbra stores the commercial CSR and key in fixed locations under /opt/zimbra/ssl/zimbra/commercial/. Only one commercial CSR and key pair can exist at a time, so running createcsr again overwrites the previous files. Generate the CSR once, save a copy of both files in a safe place, and submit the CSR to your CA.
Prerequisites
- A running Zimbra Collaboration Suite server. ZCS 10.1.x (Daffodil) is the current widely-deployed release; the steps below also work on ZCS 9.0.x and 8.8.x.
- SSH access to the Zimbra server, plus root or sudo on that host (for the CLI method).
- Admin credentials for the Zimbra Administration Console at https://server.yourdomain.com:7071 (for the web UI method).
- The fully qualified hostname your mail clients connect to, for example mail.example.com. This is the value that goes in the Common Name (CN) and as the first Subject Alternative Name (SAN).
Generate a CSR on Zimbra via the Administration Console
If you prefer a graphical workflow, the Certificate Installation Wizard built into the Administration Console walks you through every field. Generating the CSR here also creates the matching private key on the server at /opt/zimbra/ssl/zimbra/commercial/commercial.key, which is exactly where the later install step expects to find it.
Step 1: Log into the Zimbra Administration Console
Open a browser and go to https://server.yourdomain.com:7071, replacing server.yourdomain.com with the server name you set during the Zimbra setup. Log in with the admin account you created during installation (typically [email protected]).
Step 2: Start the certificate wizard
- In the left navigation, click Configure, then Certificates.
- Click the gear icon in the upper-right corner (next to Help) and choose Install Certificate.
- From the Server Name drop-down, select the server you want to secure, then click Next.
- Choose Generate the CSR for the commercial certificate authorizer, then click Next.
Step 3: Fill in the CSR details
The wizard asks for the same fields any CA needs to validate and issue the certificate. Use accurate, current information; mismatches between the CSR and your business records are a common reason validation fails.
- Digest: select SHA-256. SHA-1 is no longer trusted by any public CA.
- Key Length: select 2048 bits (the public minimum). 4096 is also accepted if your security policy requires a larger key.
- Common Name: enter the fully qualified hostname your users connect to, for example mail.example.com. For a Wildcard certificate, tick Use Wildcard Common Name and enter *.example.com.
- Country Name: the two-letter ISO 3166-1 alpha-2 code where your organization is legally registered, for example US.
- State/Province: the full state or province name, not an abbreviation (for example California, not CA).
- City: the city where your organization is registered.
- Organization Name: your company’s legal name as it appears in public records, for example Example LLC. For a Domain Validation (DV) certificate, you can use your full name or leave it blank.
- Organization Unit: leave blank. Public CAs no longer include the OU field (deprecated by the CA/Browser Forum). If the form will not accept an empty value, enter NA just to proceed; the CA will strip or ignore it.
- Subject Alternative Names: for a Multi-Domain (SAN) certificate, list every additional hostname here, separated by commas. For a single-name or Wildcard certificate, leave this field blank.
Review the values one more time and click Next. Zimbra generates the CSR and key on the server.
Step 4: Download the CSR
Click Download the CSR and save the file. Open it in any plain-text editor (Notepad, TextEdit, or vim) and copy the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– markers, into the SSL order form your CA provides. Before you submit, you can paste the CSR into our CSR Decoder to confirm every field reads back correctly.
Generate a CSR on Zimbra using the command line
The CLI is the most direct way to generate a CSR on Zimbra, and it is the only way to fully control the SAN list, key size, and digest from a single command. You run zmcertmgr as the zimbra user; on ZCS 8.7 and later you should not run it as root.
Step 1: Connect to the server and switch to the zimbra user
SSH into the Zimbra server, then switch from root to the zimbra user. Use a hyphen with spaces around it; the hyphen sets up a clean login shell with Zimbra’s environment loaded:
su - zimbra
To return to root afterward, type exit, or run sudo su from a regular account.
Step 2: Run zmcertmgr createcsr
The zmcertmgr tool lives at /opt/zimbra/bin/zmcertmgr. The createcsr comm subcommand creates a commercial CSR and matching key. Run the command below as the zimbra user, on one line (the backslashes let you split it across multiple lines for readability):
/opt/zimbra/bin/zmcertmgr createcsr comm -new \
-keysize 2048 \
-digest sha256 \
-subject "/C=US/ST=California/L=San Jose/O=Example LLC/CN=mail.example.com" \
-subjectAltNames "mail.example.com"
Replace the example values with your own. Here is what each flag does:
- comm: create a commercial CSR (as opposed to self, which produces a self-signed certificate).
- -new: generate a fresh key and CSR. Without this, zmcertmgr tries to reuse an existing key.
- -keysize 2048: RSA key size in bits. 2048 is the public minimum; use 4096 if your policy requires it.
- -digest sha256: signature digest. SHA-256 is the current standard.
- -subject “/C=…/CN=…”: the distinguished name. Set CN to the primary hostname. Omit OU: public CAs deprecated it.
- -subjectAltNames “host1,host2,…”: comma-separated list of every hostname the certificate must cover. Include the CN here too: modern CAs and browsers validate against the SAN list, not the legacy CN field.
For a Multi-Domain certificate that covers several hostnames, list them all in -subjectAltNames:
/opt/zimbra/bin/zmcertmgr createcsr comm -new \
-keysize 2048 \
-digest sha256 \
-subject "/C=US/ST=California/L=San Jose/O=Example LLC/CN=mail.example.com" \
-subjectAltNames "mail.example.com,webmail.example.com,smtp.example.com"
For a Wildcard certificate, use the *.example.com form in both the CN and the SAN. A wildcard covers one level of subdomain (so *.example.com covers mail.example.com and webmail.example.com, but not example.com itself or a.b.example.com):
/opt/zimbra/bin/zmcertmgr createcsr comm -new \
-keysize 2048 \
-digest sha256 \
-subject "/C=US/ST=California/L=San Jose/O=Example LLC/CN=*.example.com" \
-subjectAltNames "*.example.com"
If you do not need any SANs at all (rare on modern CAs), append -noDefaultSubjectAltName to suppress the SAN block entirely:
/opt/zimbra/bin/zmcertmgr createcsr comm -new \
-keysize 2048 \
-digest sha256 \
-subject "/C=US/ST=California/L=San Jose/O=Example LLC/CN=mail.example.com" \
-noDefaultSubjectAltName
Step 3: Locate and copy the CSR
Zimbra writes the new CSR and key to fixed paths:
- CSR: /opt/zimbra/ssl/zimbra/commercial/commercial.csr
- Private key: /opt/zimbra/ssl/zimbra/commercial/commercial.key
Print the CSR to the terminal:
cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr
Copy the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– markers, and paste it into the SSL order form your CA provides. Keep the matching commercial.key on the server; you will need it during installation.
Step 4: Verify the CSR before submitting
Before you submit the CSR, decode it to confirm the CN, the SAN list, the key size, and the organization fields look correct. A typo caught now is one less re-issue request after the CA validates.
On the server, use OpenSSL:
openssl req -in /opt/zimbra/ssl/zimbra/commercial/commercial.csr -noout -text
Or paste the CSR block into our CSR Decoder for a human-readable breakdown of every field.
Next steps: install the issued certificate
Once the CA validates your CSR and issues the certificate, follow our guide on how to install an SSL certificate on Zimbra to deploy it. The install steps use the commercial.key that Zimbra created at /opt/zimbra/ssl/zimbra/commercial/commercial.key, so leave that file in place.
Frequently Asked Questions
Either works. The CLI with zmcertmgr createcsr comm is the more direct option and gives you full control of the SAN list, the key size, and the digest from one command. The Administration Console wizard is the better fit if you prefer a guided form. Both methods write the same files to the same paths, so the later install workflow is identical.
Zimbra writes the commercial CSR to /opt/zimbra/ssl/zimbra/commercial/commercial.csr and the matching private key to /opt/zimbra/ssl/zimbra/commercial/commercial.key. These paths are fixed; the install step expects to find the key in exactly that location.
No. Zimbra stores one commercial CSR and one matching key at a time. Running zmcertmgr createcsr comm -new again overwrites both commercial.csr and commercial.key. Back up the previous pair before you regenerate if you still need them.
Run it as the zimbra user. Switch from root with su - zimbra (note the spaces around the hyphen, which sets up a login shell with Zimbra’s environment). Running CSR or certificate commands as root on ZCS 8.7 and later can leave files with the wrong ownership and cause permission errors when services try to read them.
List them all in the -subjectAltNames flag as a comma-separated string, and include the Common Name in the SAN list too. For example: -subjectAltNames "mail.example.com,webmail.example.com,smtp.example.com". Modern browsers and CAs validate against the SAN list, not the legacy Common Name field, so a hostname missing from the SAN will not be trusted.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


