Install a Sectigo Domain Validation SSL certificate in Zimbra

We usually get the below four files from Sectigo in the certificate bundle. The file name may vary depending on the certificate type

yourdomain.com.crt – main certificate
AAACertificateServices.crt – Root Certificate
USERTrustRSAAAACA.crt – Intermediate Certificate – 1
SectigoRSADomainValidationSecureServerCA.crt – Intermediate Certificate – 2

Step 1: We shall create two files as below.

commercial_ca.crt (includes root certificate and two intermediate certificates)
commercial.crt (includes main certificate, root certificate and two intermediate certificates)

Step 2: Login to Zimbra server, move to directory /opt/zimbra/ssl/zimbra/commercial and create two files as below.

root@mail:~# cd /opt/zimbra/ssl/zimbra/commercial/
root@mail:/opt/zimbra/ssl/zimbra/commercial# touch commercial_ca.crt
root@mail:/opt/zimbra/ssl/zimbra/commercial# touch commercial.crt

Step 3: Provide ownership to Zimbra.

root@mail:/opt/zimbra/ssl/zimbra/commercial# chown zimbra:zimbra commercial_ca.crt
root@mail:/opt/zimbra/ssl/zimbra/commercial# chown zimbra:zimbra commercial.crt

Step 4: Add the certificates into respective files as mentioned above.

root@mail:/opt/zimbra/ssl/zimbra/commercial# vim commercial_ca.crt

root@mail:/opt/zimbra/ssl/zimbra/commercial# vim commercial.crt

Step 5: Execute below command as Zimbra user to verify the certificate.

zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

The output of this command shall look like below.

** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'

Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.

** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'

Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

We shall not proceed further if we get any error here. We have to resolve the error first and then install the certificate following step 6.

Step 6: Install the certificate.

zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

The output should look like below.

** Keeping first certificate in '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
** Appending ca chain '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.outpacebd.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.outpacebd.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'a23bec5a.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'ee64a828.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '65ff7287.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink 'fc5a8f99.0' -> 'commercial_ca_3.crt'

Step 7: Restart Zimbra service to take effect the changes.

zimbra@mail:~$ zmcontrol restart

Hope this helps .

Src: https://learnandgains.blogspot.com/2020/06/install-comodosectigo-domain-validation.html

Comments (7)

Rostand Ngue says:

February 25, 2022 at 10:20 pm

Hello
I have a problem to deploy my certifcate
Sectigo send me 3 file
crt file
certficat.key
ca.bundle

1. Rumi says:
  
  March 15, 2022 at 9:19 am
  
  Read the post carefully. You need those files in order to deploy the SSL.
  
John Delaney says:

March 21, 2022 at 11:35 pm

Excellent article. Thanks for your help.

1. Rumi says:
  
  April 1, 2022 at 7:59 pm
  
  (y)
  
Seb says:

August 5, 2022 at 2:37 am

Thank you so much, I hate Zimbra and every time I have to do renewals it’s a nightmare.

alsyundawy says:

April 28, 2023 at 11:12 pm

[root@mail commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
XXXXX ERROR: Invalid Certificate: commercial.crt: C = xx , ST = xxx xxx, O = xxxxx, CN = *.xxxxx
error 20 at 0 depth lookup:unable to get local issuer certificate

1. Rumi says:
  
  May 1, 2023 at 7:32 pm
  
  Plz check your intermediate certificate

Comments (7)

Leave a Reply Cancel reply