bg-tutorials

How to Install an SSL Certificate on Zimbra

This guide shows you how to install an SSL certificate on Zimbra, a popular email server and web client. You can do it two ways: through the Zimbra Admin Console or from the command line with zmcertmgr.

We also recorded a video that walks you through the entire process. Watch it below, or keep reading for the text version.

Generate a CSR on Zimbra

If you have already generated your CSR code and only need the installation steps, skip ahead to Install an SSL certificate on Zimbra.

To obtain an SSL certificate from a trusted CA (Certificate Authority), you must first submit a CSR (Certificate Signing Request). A CSR is a block of encoded text that contains your contact and organization details. You have two options:

During the order process with your SSL vendor, open the CSR file in any plain-text editor and copy-paste the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines, into the corresponding box. Once the CA validates your request and issues the certificate, continue with the installation below.

Install an SSL certificate on Zimbra

On Zimbra you can install an SSL certificate in two ways: through the Admin Console or with the command-line interface. We’ll cover the Admin Console first, then the same task from the CLI.

Note: the Admin Console wizard works only if you generated the CSR on Zimbra, because it pairs the uploaded certificate with the matching private key it created at /opt/zimbra/ssl/zimbra/commercial/commercial.key. If you generated the CSR elsewhere, use the command-line method and place that key on the server yourself.

Method 1: Install via the Admin Console

Step 1: Start the certificate wizard

  • Log into the Admin Console with your admin username and password.
  • From the left-side menu, select Configure then Certificates.
  • Locate the gear icon (next to Help) in the upper-right corner. Click it, then select Install Certificate.
  • From the drop-down list, select the server name you want to secure and click Next.
  • Choose the last option, Install the commercially signed certificate, and click Next.
  • Review the details you submitted during CSR generation and click Next.

Step 2: Upload your certificate files

Upload your certificate (the .crt file) and the CA bundle (the .ca-bundle file). You should already have these on your server or desktop. If not, download them from your email inbox and extract the archive. To open them, use any plain-text editor such as Notepad. The wizard asks for two files:

  • Certificate: your SSL certificate file with the .crt extension.
  • CA bundle (.ca-bundle): the intermediate and root certificates. If your CA gave you one combined chain file, use that here.

Important: Zimbra needs the full chain, meaning your server certificate plus the intermediate(s) and the root. If the chain is incomplete, some clients will still show trust warnings. Once you’ve uploaded both files, click Next to continue.

Step 3: Complete the installation

Click Install and wait for Zimbra to confirm. You should see a message like this:

Your certificate was installed successfully. You must restart your ZCS server to apply the changes.

Step 4: Restart the server

Switch from root to the zimbra user:

su - zimbra

Restart the Zimbra server:

zmcontrol restart

To return to the root account afterward, type exit (or run sudo su from a regular account). After the restart, you can review the new certificate under Configure then Certificates: click the gear icon in the upper-right corner and select View Certificate to see its status.

Method 2: Install via the command line (recommended)

The CLI is the more reliable option because it prints exact error messages if something goes wrong, and it’s the only option if you generated your CSR off-server.

Step 1: Prepare your files

  • Server certificate (the .crt file from your CA). This guide refers to it as yourdomain.crt.
  • Chain file (commercial_ca.crt). Build this yourself by placing the intermediate certificate(s) first, then the root CA, in that order.
  • Private key (commercial.key). This must live at /opt/zimbra/ssl/zimbra/commercial/commercial.key. If you generated the CSR on Zimbra, it’s already there; otherwise copy your key into that path and name it commercial.key.

To build the chain file from your intermediate and root certificates, concatenate them in order (intermediates first, then root):

cat intermediate.crt root.crt > /opt/commercial_ca.crt

Step 2: Verify the certificate

Confirm that your certificate, private key, and chain all match before deploying. Adjust the paths to match where you saved the files:

/opt/zimbra/bin/zmcertmgr verifycrt comm \
/opt/zimbra/ssl/zimbra/commercial/commercial.key \
/opt/yourdomain.crt \
/opt/commercial_ca.crt

If everything matches, each check returns OK. Do not deploy until verification passes; a mismatched key or an incomplete chain is the most common cause of a failed install.

Step 3: Deploy the certificate

Deploy the verified certificate to all Zimbra services:

/opt/zimbra/bin/zmcertmgr deploycrt comm \
/opt/yourdomain.crt \
/opt/commercial_ca.crt

This copies the certificate and chain into Zimbra’s keystores for every service (LDAP, the mailbox/web service, MTA, and the proxy).

Step 4: Restart Zimbra

Switch to the zimbra user:

su - zimbra

Restart the services so they pick up the new certificate:

zmcontrol restart

Once the services are back up, confirm the deployed certificate:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

The output lists the certificate Zimbra is now serving for each service, including its issuer and validity dates. You’ve successfully installed the SSL certificate on Zimbra from the command line.

Test your SSL installation

After installing the certificate, it’s wise to scan your configuration for errors or vulnerabilities so you can catch problems before users do. Our SSL Checker gives you an instant status report on your certificate and chain, so you can confirm the full chain is served and the protocols are configured correctly.

Frequently Asked Questions

Should I install the certificate from the Admin Console or the command line?

Both work. The command line with zmcertmgr is the more reliable choice because it shows the exact error if verification fails, and it’s the only option when you generated your CSR somewhere other than Zimbra. Use the Admin Console wizard only when the matching private key already sits at /opt/zimbra/ssl/zimbra/commercial/commercial.key, which is the case when you created the CSR on the server itself.

Where does the private key go on Zimbra?

The commercial private key must be at /opt/zimbra/ssl/zimbra/commercial/commercial.key. If you generated the CSR on Zimbra, the key is already there. If not, copy your key into that directory and name it commercial.key before running zmcertmgr verifycrt.

What order should the certificates be in the chain file?

The chain file (commercial_ca.crt) lists the intermediate certificate(s) first, then the root CA last. If you have more than one intermediate, place them in order from the one that signed your certificate up toward the root. Getting this order wrong is a common reason zmcertmgr verifycrt fails.

Why does zmcertmgr verifycrt fail?

The two usual causes are a key that doesn’t match the certificate, and an incomplete or wrongly ordered chain file. Confirm the key at /opt/zimbra/ssl/zimbra/commercial/commercial.key is the one generated with your CSR, and that commercial_ca.crt contains the intermediate(s) followed by the root. Always run verifycrt and get a passing result before you run deploycrt.

Do I need to restart Zimbra after installing the certificate?

Yes. After deploying or installing the certificate, switch to the zimbra user and run zmcontrol restart so every service loads the new certificate. You can then confirm the result with /opt/zimbra/bin/zmcertmgr viewdeployedcrt.

How do I view the certificate Zimbra is currently using?

Run /opt/zimbra/bin/zmcertmgr viewdeployedcrt as the zimbra user to list the deployed certificate for each service. In the Admin Console, go to Configure then Certificates, click the gear icon, and select View Certificate. For an external check, scan the server with our SSL Checker.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.