Install a Zimbra certificate

You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.

1- Retrieve your certificate(s) on your server

In the delivery email you'll find several links. Click on them and download the associated files:
(From the status page of your certificate in your TBS customer area, click on the "View the certificate" button)

  • A: your server certificate (.cer or .crt file): name it commercial.crt
  • B: the certification chain (.txt file): name it commercial_ca.crt

Note: You will need to add the self-signed root certificate to the commercial_ca.crt file.

You can download the root from your certificate status page: click the "See the certificate" button, then follow the "See the root certificate" link.

Save these files in a temporary directory, /tmp/

Under Linux, to add the root certificate, you can concatenate the two files:

cat chain-1234567890-123456.txt rootCert-1234567890-123456.cer > commercial_ca.crt

2- Verification of the certificate and the certification chain

Please note: for Zimbra versions lower than 8.7, the "zmcertmgr" checker must be run as root. For all versions greater than 8.7, you have to run it as the user "zimbra".

Test with the following command:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crt

If you get an error like this:

Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
unable to load certificate
140521322567328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: TRUSTED CERTIFICATE
ERROR: Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' do not match.

Or:

Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
             usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
             recognized usages:
             sslclient       SSL client
             sslserver       SSL server
             nssslserver     Netscape SSL server
             smimesign       S/MIME signing
             smimeencrypt    S/MIME encryption
             crlsign         CRL signing
             any             Any Purpose
             ocsphelper      OCSP helper
             timestampsign   Time Stamp signing
             XXXXX ERROR: Invalid Certificate:
        

You must manually create the commercial.crt and commercial_ca.crt files. Go to the status page of your certificate and click the "View certificate" button. In the pop-up that appears, copy all of the content:

    -----BEGIN CERTIFICATE-----
    ...
    ...
    ...
    -----END CERTIFICATE-----

Paste it into a commercial.crt file that you will place in the /tmp/ folder.
For the certification chain, again from the status page of your certificate, click the "View the certificate" button, then click "View the certification chain". As before, copy all of the content into a file called commercial_ca.crt, which you will also place in the /tmp folder. Then click "View root certificate" and append its content to this same file. In the end your commercial_ca.crt file should look like this:

    subject=........
    issuer=........
    -----BEGIN CERTIFICATE-----
    ...
    Intermediate certificate 1
    ...
    -----END CERTIFICATE-----

    subject=........
    issuer=........
    -----BEGIN CERTIFICATE-----
    ...
    Intermediate certificate 2 (if present)
    ...
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    ...
    Root certificate
    ...
    -----END CERTIFICATE-----
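
The failures shown above (no PEM start line, key mismatch, chain without its root) can be caught before calling zmcertmgr. The shell functions below are an added example, not TBS or Zimbra code; the names pem_count, key_matches and root_last are hypothetical, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not TBS or Zimbra code. Function names are hypothetical.

# pem_count FILE: print how many certificate blocks FILE holds.
# Rejects CRLF line endings, markers that are not exactly five dashes,
# unbalanced BEGIN/END pairs and non-base64 lines inside a block.
# "subject=" / "issuer=" lines between blocks are accepted.
pem_count() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    if grep -q "$(printf '\r')" "$1"; then echo "crlf"; return 1; fi
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!inblk) bad = 1; inblk = 0; n++; next }
        /(BEGIN|END) CERTIFICATE/       { bad = 1 }
        inblk && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
        END { if (bad || inblk || n == 0) { print "malformed"; exit 1 } else print n }
    ' "$1"
}

# key_matches KEY CRT: succeed only if CRT carries the public key of KEY
# (the condition zmcertmgr reports as "do not match").
key_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# root_last CA_BUNDLE: succeed only if the last block of the bundle has an
# identical subject and issuer, as a self-signed root certificate does.
root_last() {
    last=$(awk '/^-----BEGIN CERTIFICATE-----$/ { buf = "" }
                { buf = buf $0 "\n" }
                END { printf "%s", buf }' "$1")
    n=$(printf '%s\n' "$last" | openssl x509 -noout -subject_hash -issuer_hash \
            2>/dev/null | sort -u | wc -l)
    [ "$n" -eq 1 ]
}
```

Source the file, then run pem_count on /tmp/commercial.crt and /tmp/commercial_ca.crt, key_matches on the key and certificate, and root_last on the bundle before running zmcertmgr verifycrt.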

Check again. If the tests are good, deploy the certificate with the following command:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt 

Your certificate is now active everywhere. Restart the services to activate the new certificate.

Check your certificate installation with Co-Pibot

On your certificate status page, in your customer area at TBS CERTIFICATES, you will find a "Test the installation" button to check that your certificate is installed correctly.

Security recommendations

Strong DH groups

  • We recommend generating strong DH prime groups, unique to your server, to increase its security. Run the following command line and place its result in a folder accessible by your server:
    openssl dhparam -out dhparams.pem 2048

    Add the following line to your configuration:
    ssl_dhparam /chemin/vers/votre/dhparams.pem;
    You need to add this line to the files /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template and /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template.

Cipher configuration

We recommend configuring your server's ciphers to increase its security.

With the Nginx Zimbra Proxy

If you use the Nginx proxy (enabled by default starting with ZCS 8.7), you can configure your cipher list using the CLI tool zmprov. You will then need to restart the service. We recommend the following configuration:

zmprov mcf zimbraReverseProxySSLCiphers '!EDH:!AECDH:!ADH:!DSS:!RC4:ECDSA:HIGH:!3DES:!NULL:!aNULL:!eNULL'

zmproxyctl restart

Without the Nginx Zimbra Proxy

If you do not have the Nginx proxy enabled, you can manually exclude unsafe ciphers using the following commands:

su - zimbra
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>
zmmailboxdctl restart
