Channel: Zimbra – Vavai's Personal Notes

Installing RapidSSL Certificate on Zimbra Mail Server

By default, Zimbra creates and installs a self-signed certificate during installation for the HTTPS transport protocol. The self-signed certificate is used for the Apache Jetty web server (both Zimbra webmail and the Administration Console), POP3 SSL, SMTP SSL and IMAP SSL. A self-signed certificate is not automatically trusted because it was not issued and certified by an authorized SSL certificate provider such as Verisign, Cybertrust, GoDaddy, RapidSSL, etc.

Below are the steps to install a RapidSSL certificate on a Zimbra mail server:

  1. Open the Zimbra Administration Console, go to the Tools | Certificate menu and then click the Install Certificate link.
  2. Follow the certificate creation wizard. On the second wizard window, choose the Generate the CSR for the commercial certificate authorizer option and then click the Next button until you reach the final wizard window. Don’t forget to fill in the certificate fields with appropriate values.
  3. On the final wizard window, click the Download the CSR link.
  4. Buy an SSL certificate from RapidSSL and submit the CSR downloaded in the previous step as required by RapidSSL. RapidSSL will send us the web server certificate and the intermediate certificate.
  5. Create an empty text file /tmp/zcsserver.crt. Copy and paste the entire web server certificate from RapidSSL, including the Begin Certificate and End Certificate lines, into /tmp/zcsserver.crt.
  6. Run the following commands:
    cd /tmp
    wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer
    wget https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
    cat GeoTrust_Global_CA.cer RapidSSL_CA_bundle.pem > /tmp/ca_bundle.crt
    cd /opt/zimbra/bin
    ./zmcertmgr deploycrt comm /tmp/zcsserver.crt /tmp/ca_bundle.crt
    chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
    /opt/zimbra/java/bin/keytool -import -alias rapidsslintca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/RapidSSL_CA_bundle.pem
    su - zimbra
    zmcontrol restart
    

    In the keytool command above, changeit is the default password for the mailbox truststore. If you wish to verify the correct password, check it with the following command:

    su - zimbra
    zmlocalconfig -s | grep mailboxd_truststore_password
    
  7. Access your Zimbra mail server over HTTPS and make sure that the certificate was installed successfully.
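
A pre-deployment check that can be run just before the zmcertmgr deploycrt command in step 6, given here as an added example that is not part of the original post. It confirms that the pasted certificate carries the same public key as the CSR and that it chains to the concatenated CA bundle; the function name precheck_cert and the location of the downloaded CSR are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. File paths are arguments.

# precheck_cert CERT CA_BUNDLE CSR
#   0 = CERT carries the CSR's public key and chains to CA_BUNDLE
#   1 = a check failed, 2 = a file could not be parsed
precheck_cert() {
    cert=$1; bundle=$2; csr=$3

    # Extract each public key on its own so an unreadable file is an
    # error, not two empty strings that happen to compare equal.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$csr_pub" ] || return 2

    if [ "$cert_pub" != "$csr_pub" ]; then
        echo "FAIL: certificate does not match the key behind this CSR" >&2
        return 1
    fi

    # Build the chain from the concatenated bundle only; -no-CApath stops
    # openssl from also searching the system CA directory.
    if ! openssl verify -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not chain to $bundle" >&2
        return 1
    fi

    # Show what is about to be deployed (subject, issuer, validity).
    openssl x509 -in "$cert" -noout -subject -issuer -dates
}

# Usage: sh precheck.sh /tmp/zcsserver.crt /tmp/ca_bundle.crt /path/to/downloaded.csr
if [ "$#" -eq 3 ]; then
    precheck_cert "$@"
fi
```

A return code of 1 at the chain check usually means the bundle is missing an intermediate or one of the concatenated files is not PEM-encoded.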

Note: If you wish to replace the words "Which is run by (unknown)" with an appropriate organization name, buy a premium or advanced SSL certificate. A premium or advanced SSL certificate is more expensive than a standard SSL certificate and requires a document from your organization to be verified by the SSL certificate provider.

