We usually get the below four files from Sectigo in the certificate bundle. The file name may vary depending on the certificate type
- yourdomain.com.crt – main certificate
- AAACertificateServices.crt – Root Certificate
- USERTrustRSAAAACA.crt – Intermediate Certificate – 1
- SectigoRSADomainValidationSecureServerCA.crt – Intermediate Certificate – 2
Step 1: We shall create two files as below.
commercial_ca.crt (includes root certificate and two intermediate certificates) commercial.crt (includes main certificate, root certificate and two intermediate certificates)
Step 2: Login to Zimbra server, move to directory /opt/zimbra/ssl/zimbra/commercial and create two files as below.
root@mail:~# cd /opt/zimbra/ssl/zimbra/commercial/ root@mail:/opt/zimbra/ssl/zimbra/commercial# touch commercial_ca.crt root@mail:/opt/zimbra/ssl/zimbra/commercial# touch commercial.crt
Step 3: Provide ownership to Zimbra.
root@mail:/opt/zimbra/ssl/zimbra/commercial# chown zimbra:zimbra commercial_ca.crt root@mail:/opt/zimbra/ssl/zimbra/commercial# chown zimbra:zimbra commercial.crt
Step 4: Add the certificates into respective files as mentioned above.
root@mail:/opt/zimbra/ssl/zimbra/commercial# vim commercial_ca.crt
-----BEGIN CERTIFICATE----- <root certificate is here> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <intermediate certificate 1 is here> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <intermediate certificate 2 is here> -----END CERTIFICATE-----
root@mail:/opt/zimbra/ssl/zimbra/commercial# vim commercial.crt
-----BEGIN CERTIFICATE----- <main certificate is here> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <root certificate is here> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <intermediate certificate 1 is here> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <intermediate certificate 2 is here> -----END CERTIFICATE-----
Step 5: Execute below command as Zimbra user to verify the certificate.
zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
The output of this command shall look like below.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key' Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match. ** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
We shall not proceed further if we get any error here. We have to resolve the error first and then install the certificate following step 6.
Step 6: Install the certificate.
zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
The output should look like below.
** Keeping first certificate in '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' ** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key' Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match. ** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK ** Appending ca chain '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' ** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts' ** NOTE: restart mailboxd to use the imported certificate. ** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.outpacebd.com...ok ** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.outpacebd.com...ok ** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key' ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12' ** Creating keystore '/opt/zimbra/conf/imapd.keystore' ** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key' ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12' ** Creating keystore '/opt/zimbra/mailboxd/etc/keystore' ** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key' ** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key' ** NOTE: restart services to use the new certificates. ** Copying CA to /opt/zimbra/conf/ca ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key' ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem' ** Creating CA hash symlink 'a23bec5a.0' -> 'ca.pem' ** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt ** Creating CA hash symlink 'ee64a828.0' -> 'commercial_ca_1.crt' ** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt ** Creating CA hash symlink '65ff7287.0' -> 'commercial_ca_2.crt' ** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt ** Creating CA hash symlink 'fc5a8f99.0' -> 'commercial_ca_3.crt'
Step 7: Restart Zimbra service to take effect the changes.
zimbra@mail:~$ zmcontrol restart
Hope this helps .
Src: https://learnandgains.blogspot.com/2020/06/install-comodosectigo-domain-validation.html
Hello
I have a problem to deploy my certifcate
Sectigo send me 3 file
crt file
certficat.key
ca.bundle
Read the post carefully. You need those files in order to deploy the SSL.
Excellent article. Thanks for your help.
(y)
Thank you so much, I hate Zimbra and every time I have to do renewals it’s a nightmare.
[root@mail commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
XXXXX ERROR: Invalid Certificate: commercial.crt: C = xx , ST = xxx xxx, O = xxxxx, CN = *.xxxxx
error 20 at 0 depth lookup:unable to get local issuer certificate
Plz check your intermediate certificate