This guide shows you how to install an SSL certificate on Zimbra, a popular email server and web client. You can do it two ways: through the Zimbra Admin Console or from the command line with zmcertmgr.
We also recorded a video that walks you through the entire process. Watch it below, or keep reading for the text version.
Generate a CSR on Zimbra
If you have already generated your CSR code and only need the installation steps, skip ahead to Install an SSL certificate on Zimbra.
To obtain an SSL certificate from a trusted CA (Certificate Authority), you must first submit a CSR (Certificate Signing Request). A CSR is a block of encoded text that contains your contact and organization details. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR in Zimbra.
During the order process with your SSL vendor, open the CSR file in any plain-text editor and copy-paste the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines, into the corresponding box. Once the CA validates your request and issues the certificate, continue with the installation below.
Install an SSL certificate on Zimbra
On Zimbra you can install an SSL certificate in two ways: through the Admin Console or with the command-line interface. We’ll cover the Admin Console first, then the same task from the CLI.
Note: the Admin Console wizard works only if you generated the CSR on Zimbra, because it pairs the uploaded certificate with the matching private key it created at /opt/zimbra/ssl/zimbra/commercial/commercial.key. If you generated the CSR elsewhere, use the command-line method and place that key on the server yourself.
Method 1: Install via the Admin Console
Step 1: Start the certificate wizard
- Log into the Admin Console with your admin username and password.
- From the left-side menu, select Configure then Certificates.
- Locate the gear icon (next to Help) in the upper-right corner. Click it, then select Install Certificate.
- From the drop-down list, select the server name you want to secure and click Next.
- Choose the last option, Install the commercially signed certificate, and click Next.
- Review the details you submitted during CSR generation and click Next.
Step 2: Upload your certificate files
Upload your certificate (the .crt file) and the CA bundle (the .ca-bundle file). You should already have these on your server or desktop. If not, download them from your email inbox and extract the archive. To open them, use any plain-text editor such as Notepad. The wizard asks for two files:
- Certificate: your SSL certificate file with the .crt extension.
- CA bundle (.ca-bundle): the intermediate and root certificates. If your CA gave you one combined chain file, use that here.
Important: Zimbra needs the full chain, meaning your server certificate plus the intermediate(s) and the root. If the chain is incomplete, some clients will still show trust warnings. Once you’ve uploaded both files, click Next to continue.
Step 3: Complete the installation
Click Install and wait for Zimbra to confirm. You should see a message like this:
Your certificate was installed successfully. You must restart your ZCS server to apply the changes.
Step 4: Restart the server
Switch from root to the zimbra user:
su - zimbra
Restart the Zimbra server:
zmcontrol restart
To return to the root account afterward, type exit (or run sudo su from a regular account). After the restart, you can review the new certificate under Configure then Certificates: click the gear icon in the upper-right corner and select View Certificate to see its status.
Method 2: Install via the command line (recommended)
The CLI is the more reliable option because it prints exact error messages if something goes wrong, and it’s the only option if you generated your CSR off-server.
Step 1: Prepare your files
- Server certificate (the .crt file from your CA). This guide refers to it as yourdomain.crt.
- Chain file (commercial_ca.crt). Build this yourself by placing the intermediate certificate(s) first, then the root CA, in that order.
- Private key (commercial.key). This must live at /opt/zimbra/ssl/zimbra/commercial/commercial.key. If you generated the CSR on Zimbra, it’s already there; otherwise copy your key into that path and name it commercial.key.
To build the chain file from your intermediate and root certificates, concatenate them in order (intermediates first, then root):
cat intermediate.crt root.crt > /opt/commercial_ca.crt
Step 2: Verify the certificate
Confirm that your certificate, private key, and chain all match before deploying. Adjust the paths to match where you saved the files:
/opt/zimbra/bin/zmcertmgr verifycrt comm \
/opt/zimbra/ssl/zimbra/commercial/commercial.key \
/opt/yourdomain.crt \
/opt/commercial_ca.crt
If everything matches, each check returns OK. Do not deploy until verification passes; a mismatched key or an incomplete chain is the most common cause of a failed install.
Step 3: Deploy the certificate
Deploy the verified certificate to all Zimbra services:
/opt/zimbra/bin/zmcertmgr deploycrt comm \
/opt/yourdomain.crt \
/opt/commercial_ca.crt
This copies the certificate and chain into Zimbra’s keystores for every service (LDAP, the mailbox/web service, MTA, and the proxy).
Step 4: Restart Zimbra
Switch to the zimbra user:
su - zimbra
Restart the services so they pick up the new certificate:
zmcontrol restart
Once the services are back up, confirm the deployed certificate:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
The output lists the certificate Zimbra is now serving for each service, including its issuer and validity dates. You’ve successfully installed the SSL certificate on Zimbra from the command line.
Test your SSL installation
After installing the certificate, it’s wise to scan your configuration for errors or vulnerabilities so you can catch problems before users do. Our SSL Checker gives you an instant status report on your certificate and chain, so you can confirm the full chain is served and the protocols are configured correctly.
Frequently Asked Questions
Both work. The command line with zmcertmgr is the more reliable choice because it shows the exact error if verification fails, and it’s the only option when you generated your CSR somewhere other than Zimbra. Use the Admin Console wizard only when the matching private key already sits at /opt/zimbra/ssl/zimbra/commercial/commercial.key, which is the case when you created the CSR on the server itself.
The commercial private key must be at /opt/zimbra/ssl/zimbra/commercial/commercial.key. If you generated the CSR on Zimbra, the key is already there. If not, copy your key into that directory and name it commercial.key before running zmcertmgr verifycrt.
The chain file (commercial_ca.crt) lists the intermediate certificate(s) first, then the root CA last. If you have more than one intermediate, place them in order from the one that signed your certificate up toward the root. Getting this order wrong is a common reason zmcertmgr verifycrt fails.
The two usual causes are a key that doesn’t match the certificate, and an incomplete or wrongly ordered chain file. Confirm the key at /opt/zimbra/ssl/zimbra/commercial/commercial.key is the one generated with your CSR, and that commercial_ca.crt contains the intermediate(s) followed by the root. Always run verifycrt and get a passing result before you run deploycrt.
Yes. After deploying or installing the certificate, switch to the zimbra user and run zmcontrol restart so every service loads the new certificate. You can then confirm the result with /opt/zimbra/bin/zmcertmgr viewdeployedcrt.
Run /opt/zimbra/bin/zmcertmgr viewdeployedcrt as the zimbra user to list the deployed certificate for each service. In the Admin Console, go to Configure then Certificates, click the gear icon, and select View Certificate. For an external check, scan the server with our SSL Checker.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


