I'm manually importing a commercial key where the CSR was generated on a different server. I noticed zmcertmgr was throwing an error during the install:
[root@mail certs]# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Regardless of the failure, everything seems to be working as intended. I went digging through the LDAP to see what might be causing the failure, and I noticed that my zimbraSSLCertificate was correct, but the zimbraSSLPrivateKey was wrong. When I attempted to manually import zimbraSSLPrivateKey, I was given the following error:
[zimbra@mail ~]$ zmprov -l ms mail.domain.net zimbraSSLPrivateKey "`cat /tmp/mail.domain.net.09072010.key`"
ERROR: account.INVALID_ATTR_VALUE (zimbraSSLPrivateKey value length(3246) larger then max allowed: 2048)
Since my private key is 4096 bits, it simply will not fit. I think the field size limitation is what was causing the error with zmcertmgr.
How can I increase the size of zimbraSSLPrivateKey to fit my 4096-bit key? Everything seems to be working just fine, so does zimbraSSLPrivateKey even really matter?