Zimbra CSR Creation
Log in as root.
Adjust the following command to match your information: /opt/zimbra/bin/zmcertmgr createcsr comm -new '/C=US/ST=NJ/L=Clifton/O=Company Inc/OU=Department/CN=your.domain.com' Where:
C = 2-digit country code
ST = State/Province
L = City
O = Organization Name
OU = Department (e.g., IT Department)
CN = Common Name (mail.domain.com, *.domain.com)
If you want to include more than one name in the CSR, you can add -subjectAltNames to the end of the command. Example:
/opt/zimbra/bin/zmcertmgr createcsr comm -new '/C=US/ST=NJ/L=Clifton/O=Company Inc/OU=Department/CN=your.domain.com' -subjectAltNames 'www.domain.com, secure.domain.com'
Running this command will output the CSR to the following location: /opt/zimbra/ssl/zimbra/comodo/comodo.csr
You will use the CSR to place the order for the certificate (select “Other” as the server software when placing your order).
Zimbra SSL Installation
Once you have received the .zip containing the certificate files, extract the “certs” folder somewhere on your server.
Take your server certificate (your_domain_name.crt) and copy it to a file called comodo.crt in the following directory: /opt/zimbra/ssl/zimbra/comodo/
With a text editor (such as wordpad or notepad), copy and paste the entire body of each of the following certificates into one text file in the following order:
Make sure to include the beginning and end tags on each certificate. The result should look like this:
(Your First Intermediate certificate: ComodoRSAAddTrustCA.crt)
(Your Second Intermediate certificate (if applicable): ComodoRSADomainValidationSecureServerCA.crt)
(Your Root certificate: AddTrustExternalCARoot.crt)
Save the combined file as CACerts.crt in the following directory: /opt/zimbra/ssl/zimbra/comodo/
Run the following command to validate the certificate chain: /opt/zimbra/openssl/bin/openssl verify -CAfile /opt/zimbra/ssl/zimbra/comodo/CACerts.crt
Once the certificate chain is validated, you can run the following command to enable the new certificate for use: /opt/zimbra/bin/zmcertmgr deploycrt comm
The SSL certificate should now be active.