Installing a RapidSSL commercial SSL certificate on Zimbra 7.2

Fri, 11/16/2012 - 11:24 -- Kyle Skrinak
Amazingly enough, there's no clear, single source detailing how to do this. I was frustrated by the unclear documentation at the Zimbra and RapidSSL sites. Some of it was outdated, and some was flat-out wrong. The biggest pieces of the puzzle missing are steps 1 and 5, as I've detailed below. I presume you're comfortable with the command line and using the clipboard to transfer text between it and your email client. This focuses on what to do after you've received the OK for an SSL certificate:
  1. Create your Certificate Signing Request (CSR) for submission to RapidSSL.
    • We used something like this:
    • /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=US/ST=California/L=San Jose/O=Relaxed Deployment Treats/OU=IT Department/"
    • For clarity:
      • /C = Country, 2 letter code
      • /ST = State, full name, include spaces
      • /L = Locality Name; we used it for city or town
      • /O = Organization or company name
      • /OU = Organizational Unit, or department taking care of business
      • /CN = Common Name, the name of the service needing SSL
      • -keysize 2048 requests a 2048-bit private key. RapidSSL won't use less. Default is 1024.
    • This will create three files at /opt/zimbra/ssl/zimbra/commercial (after archiving what it initially finds there)
      • commercial.csr
      • commercial.key
      • commercial_ca.crt
    • "commercial.csr" is the file we want for the certificate generation.
  2. Log in to recreate the certificate.
    1. Follow the steps outlined on the web page. It will first send you a confirmation email to verify that you are authorizing this transaction. Only after you click that will it actually regenerate/reissue your certificate.
  3. You will receive two files when this back-and-forth is done:
    1. The actual certificate: the "X.509" version of your certificate, as plain text in the email, and
    2. The "Intermediate.crt" as plain text
    3. NOTE: both text blocks start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----; these lines mark the start/stop of the portions that you will want to copy. 5 hyphens on both sides!
  4. Save each to unique locations:
    1. The actual certificate goes into: /tmp/commercial.crt
    2. The "intermediate" certificate goes into /tmp/ca_internmediate.crt
  5. Save the "RapidSSLIntermediateRootBundle.txt" to /tmp/RapidSSLIntermediateRootBundle.crt
  6. Concatenate the two files:
    1. cat /tmp/RapidSSLIntermediateRootBundle.crt /tmp/ca_internmediate.crt > /tmp/ca_chain.crt
  7. Verify your files now
    1. /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
  8. Presuming all goes well, deploy
    1. /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
  9. Switch to "zimbra" user and restart the monster
    1. su zimbra
    2. zmcontrol stop && sleep 5 && zmcontrol start
    3. For us, this was the slowest-going step of all of the above, maybe 5 minutes?
  10. Confirm all is what you expected
    1. exit #to leave the zimbra user account
    2. /opt/zimbra/bin/zmcertmgr viewdeployedcrt
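
For steps 3 through 6, where certificate text is pasted from e-mail and then concatenated, a structural check catches mangled markers, CRLF line endings and a missing final newline before zmcertmgr ever sees the files. This is an added example, not part of the original post or of Zimbra; the function name pem_check and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): structural check of pasted PEM text.
# pem_check FILE prints the number of certificate blocks and returns 0,
# or prints the first problem found and returns 1.
pem_check() {
    [ -s "$1" ] || { echo "empty or missing file"; return 1; }
    # Without a final newline, cat fuses this file's END marker with the next BEGIN.
    [ "$(tail -c 1 "$1" | wc -l)" -eq 1 ] || { echo "no trailing newline"; return 1; }
    awk '
        /\r/ { print "line " NR ": carriage return (CRLF paste)"; bad = 1; exit }
        $0 == "-----BEGIN CERTIFICATE-----" {
            if (inblk) { print "line " NR ": BEGIN inside a block"; bad = 1; exit }
            inblk = 1; body = 0; next
        }
        $0 == "-----END CERTIFICATE-----" {
            if (!inblk || !body) { print "line " NR ": END without a body"; bad = 1; exit }
            inblk = 0; blocks++; next
        }
        inblk {
            if ($0 !~ "^[A-Za-z0-9+/=]+$") { print "line " NR ": not base64"; bad = 1; exit }
            body++; next
        }
        # A marker with the wrong number of hyphens lands here or in the rule above.
        /[^ \t]/ { print "line " NR ": text outside a block"; bad = 1; exit }
        END {
            if (bad) exit 1
            if (inblk) { print "unterminated block"; exit 1 }
            if (!blocks) { print "no certificate block"; exit 1 }
            print blocks
        }
    ' "$1"
}

# Constructed sample: placeholder base64, not real certificates.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo/bundle.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'U0FNUExF' \
    '-----END CERTIFICATE-----' > "$demo/intermediate.crt"
cat "$demo/bundle.crt" "$demo/intermediate.crt" > "$demo/ca_chain.crt"
echo "ca_chain.crt blocks: $(pem_check "$demo/ca_chain.crt")"
rm -rf "$demo"
```

This only checks the shape of the text; the verifycrt call in step 7 is still what confirms that the key, certificate and chain belong together.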