Installing a Comodo SSL on Zimbra using CLI

1. Get the bundle from Comodo in crt format, or sometimes like a zip file.

2. Place the bundle on your Zimbra mailbox server. You should receive, or download, the next files:



since comodo is acquired by Sectigo, the updated zip might appear as below:


Note the root and intermediate files may have different names depends of the SSL Certificate, like PositiveSSL, etc.

Note 2 all the below commands should be run as zimbra user starting ZCS 8.7 and above, and as a root user in ZCS 8.6 and below.

3. Cat the CA certs to form a single CA certificate chain file
cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > /tmp/commercial_ca.crt


at AddTrustExternalCARoot.crt USERTrustRSAAddTrustCA.crt SectigoRSADomainValidationSecureServerCA.crt > /tmp/commercial_ca.crt 

4. Place the SSL certificate in /tmp/commercial.crt.

cp my_domain_com.crt /tmp/commercial.crt

now copy all below files to this path:

Key file:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key

Domain Certificate File:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt

CA Certificate File (The chain CA certificate file as created in Step-3):
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

5. Check that your SSL certificate, your private key and the Intermediate CA are OK, this step is important and you should not continue if you receive an error here:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key 
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

6. Deploy the commercial certificate with zmcertmgr as the root user.

/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt 
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
** Copying /opt/zimbra/ssl/zimbra/commercial/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

7. Restart the Zimbra Services

zmcontrol restart



Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.