How to Install a TLS/SSL Certificate on Zimbra

The following instructions will guide you through the SSL Certificate installation process on a Zimbra Mail Server. If you have more than one server or device, you will need to install the certificate on each server or device you need to secure.

What You'll Need

  1. Your server certificate file
    This is the TrustCor certificate you received for your domain.
  2. Your intermediate certificate(s)
    These files allow the devices connecting to your server to identify TrustCor as the issuing CA. There may be more than one of these certificates. If you downloaded the pem-chain file, it will also contain the Intermediate certificate(s) bundled with your domain's certificate.
  3. Your private key
    This file should be on your server, or in your possession if you generated your CSR from a free generator tool.

Installation Instructions

You can install your SSL Certificate in two ways:

A. Zimbra Administration Console – Web Interface
B. Zimbra Certificate Manager – Command Line Interface (CLI)

A. Installing SSL/TLS Certificate using Zimbra Administration Console

  1. Configure
    Open the Zimbra Administration Console. On the main menu, click Configure.
  2. Certificates – Install Certificate
    Select Certificates. Then, click the gear icon on the top right (next to the Help button) and select Install Certificate.
  3. Select the Target Server
    On the Select the Target Server tab, select your server from the Server Name drop-down menu. Then click Next.
  4. Choose the Installation Option
    On the Choose the Installation Option tab, select the option for Install the commercially signed certificate.
  5. Review the Certificate Signing Request
    Go to the last tab, Review the Certificate Signing Request. Verify that all of the CSR information is correct, then click Next.
  6. Upload the Certificate files
    Go back up to the Upload the Certificate tab to import each required file to the server.
    You should have received these files once your certificate was issued. They can also be downloaded from your account of the TrustCor reseller. If you need to download one of TrustCor's Root CA or Intermediate Certificates, you can do so here.
  7. Install the Certificate
    Finally, go to the Install the Certificate tab and click Install.
  8. Restart
    To apply the changes you've just made, you will need to restart the Zimbra services using the Command Line Interface. Enter these commands to switch to Zimbra user:
    sudo su
    su zimbra
    Once the user is switched to the Zimbra user, restart the services using following command:
    zmcontrol restart
    That's it. Your certificate is now successfully installed on your Zimbra server.

B. Installing SSL/TLS Certificate using Zimbra Certificate Manager (Command Line Interface)

The Zimbra package comes with "zmcertmgr" tool for handling SSL Certificates.

For Version 8.6 or lower, this tool must be accessed as root. If you have version 8.7 or later, you should run this tool as a zimbra user. Run the command below to switch from the default user to a zimbra user.

  sudo su
  su zimbra

  1. Download and save the Root CA Certificate to a temporary file
    For example: /tmp/root_ca.crt
    Note: If you need to download one of TrustCor's Root CA Certificates, you can do so here.
  2. Combine root and intermediate CA certificates into a temporary file

    cat /tmp/ca_intermediary.crt /tmp/root_ca.crt > /tmp/ca_chain.crt
  3. Verify your certificate

    /opt/zimbra/bin/zmcertmgr verifycrt comm
  4. Deploy your certificate

    /opt/zimbra/bin/zmcertmgr deploycrt comm
  5. Verify the certificate deployment

    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  6. Restart Zimbra to apply changes

    Enter the following commands to switch to the Zimbra user:
    sudo su
    su zimbra
    Once the default user is switched to the Zimbra user, run the following command to restart the server:
    zmcontrol restart

Your certificate is now installed. You can navigate to your site in a web browser and view the certificate/site information to verify if HTTPS/SSL is working properly.