Install a Zimbra certificate

You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.

1- Retrieve your certificate(s) on your server

In the delivery email you'll find several links. Click on them and download the associated files:
(from your certificate's status page, click on "See the certificate" or "See the last certificate")

  • A: your server certificate (.cer or .crt file): name it commercial.crt
  • B: the certification chain (.txt file): name it commercial_ca.crt

Save these files in the temporary directory /tmp/

Note: You will need to add the self-signed root certificate to the commercial_ca.crt file.

You can download the root from your certificate status page: click the "See the certificate" button, then follow the "See the root certificate" link. You can also access the root certificate list.

On Linux, to add the root certificate, you can concatenate the two files:

cat chain-1234567890-123456.txt rootCert-1234567890-123456.cer > commercial_ca.crt

2- Run a test

Test with the following command:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crt

If the tests are good, deploy the certificate with this command:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt 

Your certificate is now deployed everywhere. Restart the services to activate the new certificate.

Check your certificate installation with Co-Pibot

On your certificate status page (on your tbs-certificates' center) you'll see a 'Check your certificate' button. Click it to test your certificate installation.

Security recommendations

Strong DH groups

  • We recommend generating strong DH prime groups that are unique to your server to increase its security. Run the following command and place its output in a folder accessible by your server:
    openssl dhparam -out dhparams.pem 2048

    Add the following line to your configuration, replacing the path with the location of your dhparams.pem file:
    ssl_dhparam /chemin/vers/votre/dhparams.pem;
    Add this line to both /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template and /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template.

Cipher configuration

We recommend configuring your server's ciphers to increase its security.

With the Nginx Zimbra Proxy

If you use the Nginx proxy (enabled by default starting with ZCS 8.7), you can set your cipher list using the CLI tool zmprov. You will then need to restart the service. We recommend the following configuration:

zmprov mcf zimbraReverseProxySSLCiphers '!EDH:!AECDH:!ADH:!DSS:!RC4:ECDSA:HIGH:!3DES:!NULL:!aNULL:!eNULL'

zmproxyctl restart

Without the Nginx Zimbra Proxy

If you do not have the Nginx proxy enabled, you can manually exclude unsafe ciphers using the following commands:

su - zimbra
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>
zmmailboxdctl restart
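
As an added example (not TBS or Zimbra code), the script below fills in the <cipherN> placeholders: it reads a list of cipher suite names and prints one exclusion command for each suite in a family that the proxy cipher string above rejects. It assumes the attribute takes JSSE-style suite names; the suite list is constructed, and the helper names is_weak_suite, exclusion_commands and sample_suites are hypothetical.

```shell
#!/bin/sh
# Added example, not TBS or Zimbra code. Suite names are JSSE-style
# (assumption: that is what zimbraSSLExcludeCipherSuites expects).

# Succeeds if the suite belongs to a family the proxy cipher string rejects:
# RC4, 3DES, NULL, anonymous, DSS, plus single DES and EXPORT (outside HIGH).
is_weak_suite() {
    case "$1" in
        *_RC4_*|*_3DES_*|*_DES_*) return 0 ;;
        *_NULL_*|*_anon_*|*_DSS_*|*_EXPORT_*) return 0 ;;
    esac
    return 1
}

# Reads suite names on stdin (one per line) and prints one zmprov command
# per weak suite. Names with characters outside [A-Za-z0-9_] are skipped so
# that nothing unexpected ends up in a command line that is run later.
exclusion_commands() {
    while IFS= read -r suite; do
        case "$suite" in
            ''|'#'*) continue ;;
            *[!A-Za-z0-9_]*)
                printf 'skipped malformed name: %s\n' "$suite" >&2
                continue ;;
        esac
        if is_weak_suite "$suite"; then
            printf 'zmprov mcf +zimbraSSLExcludeCipherSuites %s\n' "$suite"
        fi
    done
}

# Constructed sample list (not taken from a real server).
sample_suites() {
    cat <<'EOF'
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SSL_RSA_WITH_RC4_128_SHA;id
EOF
}

# Review the printed commands before running them as the zimbra user.
sample_suites | exclusion_commands
```

The AES-GCM suites and the renegotiation signalling value are left enabled, and the malformed last line is reported on stderr instead of being turned into a command.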
