Installing a Comodo SSL on Zimbra using CLI Rumi, April 14, 2019April 14, 2019 1. Get the bundle from Comodo in crt format, or sometimes like a zip file. 2. Place the bundle on your Zimbra mailbox server. You should receive, or download, the next files: AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt my_domain_com.crt or since comodo is acquired by Sectigo, the updated zip might appear as below: AddTrustExternalCARoot.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt my_domain_com.crt Note the root and intermediate files may have different names depends of the SSL Certificate, like PositiveSSL, etc. Note 2 all the below commands should be run as zimbra user starting ZCS 8.7 and above, and as a root user in ZCS 8.6 and below. 3. Cat the CA certs to form a single CA certificate chain file cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > /tmp/commercial_ca.crt or at AddTrustExternalCARoot.crt USERTrustRSAAddTrustCA.crt SectigoRSADomainValidationSecureServerCA.crt > /tmp/commercial_ca.crt 4. Place the SSL certificate in /tmp/commercial.crt. cp my_domain_com.crt /tmp/commercial.crt now copy all below files to this path: Key file: /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key Domain Certificate File: /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt CA Certificate File (The chain CA certificate file as created in Step-3): /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt 5. Check that your SSL certificate, your private key and the Intermediate CA are OK, this step is important and you should not continue if you receive an error here: /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match. Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK 6. Deploy the commercial certificate with zmcertmgr as the root user. /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt ** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match. Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK ** Copying /opt/zimbra/ssl/zimbra/commercial/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt ** Appending ca chain /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done. ** NOTE: mailboxd must be restarted in order to use the imported certificate. ** Saving server config key zimbraSSLCertificate...done. ** Saving server config key zimbraSSLPrivateKey...done. ** Installing mta certificate and key...done. ** Installing slapd certificate and key...done. ** Installing proxy certificate and key...done. ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done. ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done. ** Installing CA to /opt/zimbra/conf/ca...done. 7. Restart the Zimbra Services zmcontrol restart Src: https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration Administrations PKI SSLzimbra