shakin’ up noth-ink
Zimbra SSL Certificate
If you’re running Zimbra, or planning to, then chances are you will want to use SSL to secure your client connections. The Zimbra wiki has quite a few articles on doing this, but they all seem a little overwritten if all you need to do is create a CSR and sign it (with your own CA or with a paid-for service).
So here is my no frills howto make, sign, and deploy:
Always use absolute path names. Otherwise everything still seems to work, but you’ll get strange warnings.
1. Generate a CSR (as root):

   /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=Country/ST=State/L=City/O=Company/OU=Department/CN=zimbra.domain.name" -subjectAltNames "webmail.domain.name,pop3.domain.name"

   You can leave out -subjectAltNames altogether if you don’t need it.

2. This will create /opt/zimbra/ssl/zimbra/commercial/commercial.csr (and commercial.key). Copy the CSR to where your CA needs it.

3. Sign the CSR. If you’re using your own CA:

   openssl ca -config openssl.cnf -policy policy_anything -out certs/commercial.crt -infiles commercial.csr

4. Copy the signed CRT and the CA CRT to:
   - /opt/zimbra/ssl/zimbra/commercial/commercial.crt
   - /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

5. Install the certificate (as root):

   /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
Now use zmcontrol to stop and restart your Zimbra processes and off you go.
If you receive errors about TLS and ctx when trying to start LDAP, then it’s likely your CA didn’t install properly. Follow the instructions in this post and then zmcontrol start. Once it’s up and running, try step 5 again.
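Before running deploycrt, it is worth confirming that the signed certificate, its key and the CA file actually belong together; a CA file that does not chain to the certificate is one way to end up with the LDAP start-up errors above. The script below is an added example, not part of the original post or of Zimbra: it checks key/cert match, chain validity and the expected SAN hostnames, and its self-test builds a throwaway CA and certificate (constructed test data, example.test names) rather than touching real Zimbra files.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a signed commercial
# certificate before handing it to "zmcertmgr deploycrt". Needs the openssl tool.

# check_cert CERT KEY CA_BUNDLE [HOSTNAME...]
# Returns 0 if all checks pass, or 1/2/3 for the first check that fails.
check_cert() {
    cert="$1"; key="$2"; ca="$3"; shift 3   # remaining args: required DNS SANs
    # 1. The private key must belong to this certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; return 1
    fi
    # 2. The CA bundle (commercial_ca.crt in the post) must verify the certificate.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 2
    fi
    # 3. Each extra hostname (webmail, pop3, ...) must be present as a DNS SAN.
    sans=$(openssl x509 -in "$cert" -noout -text | tr ',' '\n')
    for h in "$@"; do
        if ! printf '%s\n' "$sans" | grep -q "DNS:$h\$"; then
            echo "FAIL: $h is not a subjectAltName of $cert"; return 3
        fi
    done
    echo "OK: $cert matches $key, chains to $ca, covers: $*"; return 0
}

# make_test_material DIR: constructed throwaway CA plus a cert signed by it with
# two SANs, mirroring the createcsr / openssl ca steps above (test data only).
make_test_material() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Throwaway Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=zimbra.example.test" \
        -keyout "$d/commercial.key" -out "$d/commercial.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:webmail.example.test,DNS:pop3.example.test\n' > "$d/san.cnf"
    openssl x509 -req -days 1 -in "$d/commercial.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/san.cnf" -out "$d/commercial.crt" >/dev/null 2>&1
}

# Usage: sh check_cert.sh --self-test, or against the real files, e.g.
#   sh check_cert.sh /opt/zimbra/ssl/zimbra/commercial/commercial.crt \
#      /opt/zimbra/ssl/zimbra/commercial/commercial.key \
#      /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt webmail.domain.name pop3.domain.name
if [ "${1:-}" = "--self-test" ]; then
    dir=$(mktemp -d); make_test_material "$dir"
    check_cert "$dir/commercial.crt" "$dir/commercial.key" "$dir/ca.crt" webmail.example.test pop3.example.test
    rm -rf "$dir"
fi
```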