There's no clear, single source detailing how to do this, amazingly enough. I was frustrated by the unclear documentation at the Zimbra and RapidSSL sites. Some of it was outdated, and some was flat-out wrong. The biggest pieces of the puzzle missing are steps 1 and 5, as I've detailed below. I presume you're comfortable with the command line and using the clipboard to transfer text between it and your email client. This focuses on what to do after you've received the OK for an SSL certificate:
- Create your Certificate Signing Request (CSR) for submission to RapidSSL.
- We used something like this:
/opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=US/ST=California/L=San Jose/O=Relaxed Deployment Treats/OU=IT Department/CN=mail.relaxeddeploymenttreats.com"
- For clarity:
- /C = Country, 2 letter code
- /ST = State, full name, include spaces
- /L = Locality Name; we used it for city or town
- /O = Organization or company name
- /OU = Organizational Unit, or department taking care of business
- /CN = Common Name, the name of the service needing SSL
- -keysize 2048 is for a 2048-bit private key. RapidSSL won't use less. Default is 1024.
- This will create three files at /opt/zimbra/ssl/zimbra/commercial (after archiving what it initially finds there)
- "Commercial.csr" is the file we want for the certificate generation.
- Log into recreate the certificate.
- Follow the steps outlined on the web page. It will first send you a confirmation email asking you to confirm that you are authorizing this transaction. Only after you click that will it actually regenerate/reissue your certificate.
- You will receive two files when this back-and-forth is done, the actual certificate
- The "X.509" version of your certificate, as plain text in the email and
- The "Intermediate.crt" as plain text
- NOTE: both text blocks start/end with -----BEGIN CERTIFICATE----- (or replace BEGIN with END) which marks the start/stop portions that you will want to copy. 5 hyphens on both sides!
- Save each to unique locations:
- The actual certificate goes into: /tmp/commercial.crt
- The "intermediate" certificate goes into /tmp/ca_internmediate.crt
- Save the "RapidSSLIntermediateRootBundle.txt" to /tmp/RapidSSLIntermediateRootBundle.crt
- Concatenate the two files:
cat /tmp/RapidSSLIntermediateRootBundle.crt /tmp/ca_internmediate.crt > /tmp/ca_chain.crt
- Verify your files now
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
- Presuming all goes well, deploy
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
- Switch to "zimbra" user and restart the monster
zmcontrol stop && sleep 5 && zmcontrol start
- For us, this was the slowest-going step of all of the above, maybe 5 minutes?
- Confirm all is what you expected
exit #to leave the zimbra user account
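A structural pre-check for the pasted files, added here as an example (not from the original post or from Zimbra): it confirms that each file has intact five-hyphen BEGIN/END markers and reports how many certificate blocks it holds, so a mangled paste or a bad concatenation shows up before verifycrt. The names pem_check and pem_demo are made up for this example, and the sample files are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: structural check of certificate text pasted from an email.
# Prints the number of well-formed PEM certificate blocks in FILE and
# returns non-zero on the first problem. It does not validate the certificate.
pem_check() {
    awk '
        function fail(msg) { print FILENAME ":" NR ": " msg > "/dev/stderr"; bad = 1 }
        { sub(/\r$/, "") }                      # tolerate CRLF from mail clients
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) { fail("BEGIN inside an open block"); exit }
            inside = 1; body = 0; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inside || body == 0) { fail("END without a BEGIN and body"); exit }
            inside = 0; count++; next
        }
        /BEGIN CERTIFICATE|END CERTIFICATE/ {   # wrong hyphen count or stray characters
            fail("malformed marker: " $0); exit
        }
        inside {
            if ($0 !~ "^[A-Za-z0-9+/]+=?=?$") { fail("non-base64 line in block"); exit }
            body++
        }
        END {
            if (!bad && inside) fail("block never closed")
            if (!bad && count == 0) fail("no certificate block found")
            if (bad) exit 1
            print count
        }
    ' "$1"
}

# Constructed sample files; the body is placeholder base64, not a real certificate.
pem_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q29uc3RydWN0ZWQ=' \
        '-----END CERTIFICATE-----' > "$d/one.crt"
    cat "$d/one.crt" "$d/one.crt" > "$d/chain.crt"              # mirrors the cat step
    sed 's/^-----BEGIN/----BEGIN/' "$d/one.crt" > "$d/bad.crt"  # hyphen lost in the paste
    for f in one chain bad; do
        n=$(pem_check "$d/$f.crt") && echo "$f.crt: $n block(s)" || echo "$f.crt: rejected"
    done
    rm -rf "$d"
}

# With file arguments, check those; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then for f; do pem_check "$f"; done; else pem_demo; fi
```

Run it against /tmp/commercial.crt and /tmp/ca_chain.crt before the verifycrt step; the chain file should report one block per certificate you concatenated.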